What is Security?
Different people interpret security in different ways. Below are some common interpretations.
For security professionals, it is
- confidentiality, integrity, availability
For managers, it is
- an undesired requirement
- more work
For users, it is
- hindrance to productivity
- unreasonable rules
- boring awareness sessions
- not my job
The key challenge for security professionals is to bring everyone onto the same page by making security simple, making security possible and making security visible.
Need for Application Security
An application is considered secure if it maintains the confidentiality, integrity and availability of its restricted resources: data, functions, objects, features, intellectual property and so on. Many of the most widely reported breaches of recent years, including those at Facebook, Google+ and Equifax, were attributed to vulnerabilities at the application level. It is a common myth that perimeter measures such as firewalls and IDS will protect your application. They will not: an application-level attack arrives as a well-formed request on a port the firewall must allow, so these defences have nothing to block.
According to a Gartner report:
“Nearly 75% of all information security attacks are directed to web application layer.” and “2/3 of all web applications are vulnerable”.
In practice nothing can be made completely secure. The aim of application security is to raise the cost of a successful attack above the value of the asset, so that the attack is no longer worth the attacker's effort. A successful application-level attack can have serious consequences:
- financial loss
- impact on business continuity
- closure of the business
- damage to reputation
- disclosure of confidential business information
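To make the point about perimeter defences concrete, here is an added example (not from the original article) of the kind of application-level attack a firewall cannot see. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the function names, table layout and sample credentials are assumptions made for illustration. The injected username is ordinary text inside an ordinary login request, so nothing at the network layer is malformed; only the application itself can tell that it is an attack, and only a fix in the application stops it.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table standing in for the
    application's database. Plaintext passwords are used only to keep the
    example short; a real application would store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the textbook SQL injection bug.
    The firewall sees a normal HTTP form post; the database sees attacker SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    """Same check with a parameterised query: the driver sends the user input
    as data, so it is never parsed as SQL no matter what it contains."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Constructed attacker input: a username that closes the string literal and
# comments out the rest of the WHERE clause, so the password is never checked.
INJECTED_USERNAME = "alice' --"


def demo():
    """Runs both versions against valid credentials and against the injection
    payload, returning a dict of results so the outcome can be checked."""
    return {
        "valid_login_vulnerable": login_vulnerable(make_db(), "alice", "s3cret"),
        "valid_login_hardened": login_hardened(make_db(), "alice", "s3cret"),
        "injection_vulnerable": login_vulnerable(make_db(), INJECTED_USERNAME, "wrong"),
        "injection_hardened": login_hardened(make_db(), INJECTED_USERNAME, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'login succeeded' if result else 'login rejected'}")
```

The vulnerable version logs the attacker in as alice with a wrong password, because the query it executes ends up as `... WHERE username = 'alice' --' AND password = 'wrong'`. The hardened version rejects the same request, since the quote and comment characters are just bytes in a bound parameter. Note what did not change between the two: the network traffic. That is why the fix has to live in the SDLC rather than at the perimeter.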
Why are applications vulnerable to attacks?
According to OWASP, “Software applications are designed and developed with functionality first in mind and security as a distinct second and third”. Some common reasons for the existence of vulnerabilities in applications are:
- Most software development curricula do not address security.
- Security is not considered at the various steps of the SDLC, often through lack of awareness or negligence.
- Security does not bring in business. The software market is broken with respect to security: security information is invisible to consumers. Information about secure development, testing, maintenance and patching is not visible to buyers, so they cannot make purchasing decisions based on security, and a seller would be foolish to invest in something buyers do not consider when choosing a product.
Solution: Integrating Security into the Software Development Life Cycle
For an application security program to succeed, security must be incorporated into every phase of software development. The image below gives an overview of what a secure software development life cycle looks like.
Advantages of integrating Security into the SDLC
Key advantages of including security in the SDLC process include:
- a large reduction in the number of vulnerabilities
- less time and effort spent addressing vulnerabilities, since they are found earlier, when they are cheapest to fix
- lower maintenance cost
- ability to comply with regulations, standards and other security requirements
- a security culture that improves overall software quality
- better developer satisfaction
- better customer satisfaction
- stronger brand reputation
Who is responsible for Application Security?
Who is not? Security is everyone's business. Managers, architects, developers, testers and administrators should all take responsibility for application security. It is very important that everyone, from senior management to junior developers, understands the importance of application security and takes the best measures under their control to maintain a security culture in the firm.
Be safe and develop safe !!