Computer crime is not going away. It will continue to evolve and advance, alongside our continued use of the Internet. Many – if not most – businesses deploy web-based technologies under the assumption that gateway security measures such as firewalls and intrusion detection and prevention systems are sufficient to protect web applications from attack or misuse. This is a dangerous assumption, says Haydn Pinnell, MD, Gallium (an EOH company).
Effective IT security no longer comes down to purchasing and installing security products. The Internet has become an easy target for attackers: with as many as 85 percent of web sites estimated to be vulnerable to attack, it is no wonder that attackers have shifted their focus to web applications as an entry point into corporate networks. This, along with the fact that the web has evolved from a simple online presence into a delivery channel for mission-critical applications, means that web-application security is now a critical component of overall enterprise security.
Despite this, Pinnell says that traditional development and Quality Assurance (QA) cycles for building web applications do not incorporate security into existing processes. This inability to test for and rectify vulnerabilities before an application goes into production leaves the confidential data handled by a web application at risk of attack or misuse.
Industry analysts estimate that failing to identify and repair security vulnerabilities during the software development process carries significant extra costs. Removing a defect after software is operational can cost between two and five times as much as correcting the error within the development and QA process. Moreover, incorporating security testing into QA work opens the following opportunities to reduce the cost of vulnerability remediation:
- Correcting defects during coding and unit testing can reduce the cost impact by between three and 20 percent.
- If 50 percent of software vulnerabilities were removed prior to production use, enterprise management costs would be reduced by 75 percent.
Add to this the increasing accountability for proof of regulatory compliance driven by government and industry mandates, and the need to integrate methodical security assessment into the application quality and delivery process becomes clear.
Pinnell says it is imperative to move away from the old paradigm of empowering a security team to test applications and networks after development or immediately preceding deployment – security must be integrated throughout the software development lifecycle.
“This integration will only occur if developers, QA teams, and management are involved in security. Making such a fundamental shift will not happen overnight, but it is essential if we are to stem the tide of applications riddled with security vulnerabilities which offer multiple attack vectors and leave enterprises wide open to attack.”