Application Security
What Is the First Step?
In many organizations, the best first step is to gather some facts about your custom code. This will provide insight into the security of your applications. Once you have some facts, then you can decide whether you need to make improvements to the way your organization builds and tests applications.
How Can We Verify Our Software?
The best way to verify the security of an application is to evaluate the code across a number of critical security areas, including authentication, access control, input validation, error handling, logging, encryption, and so on. To be comprehensive, the analysis should use both security testing and code review to verify each of these areas. This type of verification is the most cost-effective way to find out whether the code has been designed and implemented with security in mind.
What Are the Next Steps?
Most organizations start by verifying applications and finding weaknesses. Each of those weaknesses has a root cause in the project that created the application, such as developers not trained in security, a lack of application security activities in the SDLC, or a technology need. By identifying these root causes and working to eliminate them, an organization can gain confidence in its entire application inventory.
Addressing Application Security - Reactive To Proactive
What Tools Can Help with Application Security?
Application security tools work best in a supporting role to an integrated application security strategy. The penetrate-and-patch method and its associated signature-based tools aren't very effective on custom applications. For example, a vulnerability scanning tool can't find access control problems in a custom-built authorization mechanism because nobody has created the necessary signatures for your custom code.
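The access control point above (and the code-review-plus-testing point under "How Can We Verify Our Software?") is easier to see with a concrete case. The following is an added example written for this page, not code from the original article: a small custom document-store authorization routine in its flawed and hardened forms, plus the kind of targeted verification that code review and security testing would apply. All names (Document, DocumentStore, fetch_document_unchecked, fetch_document_checked, verify_access_control) and the sample data are constructed for illustration.

```python
"""Added illustration for the page's point that signature-based scanners
cannot find access control flaws in custom authorization code. Every
identifier and sample record here is constructed for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


class AccessDenied(Exception):
    """Raised when a caller is not permitted to read a document."""


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


@dataclass
class DocumentStore:
    docs: Dict[int, Document] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)  # security log of denials

    def add(self, doc: Document) -> None:
        self.docs[doc.doc_id] = doc


def fetch_document_unchecked(store: DocumentStore, caller: str, doc_id: int) -> str:
    """'Before' version: the caller is assumed to be authenticated, but the
    code never checks ownership, so any logged-in user can read any document
    by id. Nothing here matches a scanner signature; the flaw is a missing
    decision, which only review or a targeted test reveals."""
    doc = store.docs.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc.body


def fetch_document_checked(store: DocumentStore, caller: str, doc_id: int) -> str:
    """Hardened version: deny by default and check ownership of the specific
    object before returning data. Missing and foreign documents get the same
    error so the response does not reveal which ids exist, and the denial is
    logged for later detection work."""
    doc = store.docs.get(doc_id)
    if doc is None or doc.owner != caller:
        store.audit.append(f"DENY caller={caller} doc_id={doc_id}")
        raise AccessDenied(f"caller {caller!r} may not read document {doc_id}")
    return doc.body


def verify_access_control(fetch: Callable[[DocumentStore, str, int], str]) -> List[Tuple[str, int]]:
    """Targeted verification of the access control area: for every
    (caller, document) pair, a read must succeed exactly when the caller owns
    the document. Returns the list of (caller, doc_id) pairs that violate
    that rule, so an empty list means the mechanism behaves as intended."""
    store = DocumentStore()
    store.add(Document(1, "alice", "alice's notes"))  # constructed sample data
    store.add(Document(2, "bob", "bob's notes"))
    violations: List[Tuple[str, int]] = []
    for caller in ("alice", "bob", "mallory"):  # mallory owns nothing
        for doc in list(store.docs.values()):
            try:
                fetch(store, caller, doc.doc_id)
                allowed = True
            except (AccessDenied, KeyError):
                allowed = False
            if allowed != (doc.owner == caller):
                violations.append((caller, doc.doc_id))
    return violations


if __name__ == "__main__":
    print("unchecked:", verify_access_control(fetch_document_unchecked))
    print("checked:  ", verify_access_control(fetch_document_checked))
```

The verification routine is deliberately written against the application's own authorization rule ("only the owner may read") rather than against a generic vulnerability pattern; that is what a scanner lacks for custom code and what a reviewer or tester has to supply from the design.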