Enabling Secure Business Operations

Scanning Without Planning

Throwing an application into production and only then performing a vulnerability assessment is utterly useless. Not placing security controls into your software development life cycle (SDLC) is like rolling out a new car design without performing crash tests.


So what kinds of defenses does the average web application need? Here’s a good way to figure it out. Take a look at the common application security vulnerabilities and then list the security controls that developers need to prevent those holes.

You’ll end up with a list that includes authentication, session management, access control, input validation, canonicalization, output encoding, parameterized interfaces, encryption, hashing, random numbers, logging and error handling.


Many companies, especially smaller ones, are reluctant to implement such controls or develop security policies. Yet doing so is an easy step that quickly improves the overall security of your organization, no matter how many employees you have.

  • Plenty of freely available standards exist and can be adopted to improve the quality of your software security.
  • Policies can be developed internally; doing so is cheap and immediately improves the inherent security of your SDLC.
  • You’ll have documented evidence that security controls are in place throughout the development process to show your partners, clients, and auditors.

The article suggests that the average organization requires about 100 methods across all of the security controls organized in a simple library.
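As an added example (not the post's own code), here is a sketch of what a few entries in such a library look like in Python, covering the canonicalization, input validation, output encoding, parameterized interface, hashing and random-number controls listed above. The username allow-list pattern, the PBKDF2 iteration count and the in-memory users table are assumptions chosen for the example.

```python
import hashlib, hmac, html, re, secrets, sqlite3, unicodedata, urllib.parse
from typing import Optional, Tuple

# Assumed allow-list pattern; positive validation is applied to the canonical form only.
_USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")

def canonicalize(value: str) -> str:
    """Canonicalization control: percent-decode until stable (defeats double
    encoding) and apply Unicode NFKC, so validation sees one form of the input."""
    prev = None
    while prev != value:
        prev, value = value, urllib.parse.unquote(value)
    return unicodedata.normalize("NFKC", value)

def validate_username(raw: str) -> str:
    """Input validation control: accept only what matches the allow-list."""
    canon = canonicalize(raw)
    if not _USERNAME_RE.fullmatch(canon):
        raise ValueError("username rejected by allow-list")
    return canon

def encode_for_html(value: str) -> str:
    """Output encoding control for an HTML body or attribute context."""
    return html.escape(value, quote=True)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hashing control: salted, iterated PBKDF2-HMAC-SHA256 (600k rounds assumed)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(actual, expected)

def new_session_id() -> str:
    """Random-number control: CSPRNG-backed 256-bit session identifier."""
    return secrets.token_urlsafe(32)

def find_user_id(conn: sqlite3.Connection, username: str) -> Optional[int]:
    """Parameterized interface control: data is bound, never spliced into SQL."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    return conn
```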
