Security is almost always an afterthought, or the work of ensuring that the web application has been developed securely is allocated negligible time, budget, and resources. Unfortunately, this allows many web applications to go into production with the vulnerabilities that we have explored throughout this chapter.
Before designing or developing any code, the System Development Life Cycle (SDLC) needs to be checked to ensure that security has sufficient resources, secure coding standards are created for the relevant programming languages, and metrics are defined that measure the application's security.
Web application requirements also need to include security requirements, which must then be reviewed to ensure that the requirements aren't ambiguous. This will guarantee that requirements are understood throughout the design stage and by the developers.
Security must be a part of the design stage since it includes how the security architecture of the application will be implemented. If security is not considered in the design stage, then all sections of the application could end up sitting on one server instead of being spread out over multiple servers and security layers. This could be extremely costly to the project in terms of money and time since major changes to the application would need to be carried out.
Once the design has been completed, threat models should be created to determine what risks the web application poses when put into a production environment, as well as to document how these risks are to be mitigated or accepted.
Code reviews should be carried out during the development stage to give the security team an understanding of how the developers are implementing the design and whether secure coding standards are being followed. This will also allow the security team to determine whether their secure coding standards are lacking detail in some areas.
Security processes must also be carried out during the implementation stage. This includes configuration reviews to ensure that all systems within the web architecture are configured securely, as well as application and infrastructure penetration testing to discover what vulnerabilities actually exist after the application has been deployed.
Security depreciates over time, since new vulnerabilities and attacks are found daily. Maintenance of the systems and applications is therefore crucial to ensuring that the required level of security is sustained and the risk is acceptable to the business.