Now that security training is in place, and you have consistent, secure Web application development methodologies, along with the assessment and development tools you need, it's a good time to start measuring your progress.
At first, all of these changes in your software development life cycle processes will feel disruptive and time consuming. So, executives and managers, as well as the Web application development team and auditors, are certainly going to want to see results from all the new work that they've put in place. Everyone will want metrics and baselines: Are our applications more secure? Are developers coding better? The only way to answer these questions is to start measuring progress. But, in the beginning, don't fall into the trap of measuring too much.
In the initial days of putting software development life cycle processes in place, we strongly advise that you keep the measurements simple. Do not get overwhelmed with tracking too many types of vulnerabilities. In fact, you probably don't want to try to track and extinguish every class of vulnerability at once. We've seen this mistake made many times: enterprises try to fix vulnerabilities discovered in every part of the software development life cycle in a big bang. Then, at the end of a year, they end up with a dozen applications that are still thoroughly vulnerable, and with no budget left to fix everything that needs to be fixed. They end up scrambling, disheartened, and getting nowhere. That's not the way to do it.
That's why, in the beginning, we've learned that a sensible and attainable approach to securing the Web application development process is to decide which vulnerability classes are your most prevalent and most severe. If they include SQL injection or logic errors that could give unauthorized access to an application, then those are your initial focus. Pick the few critical classes that will make a significant difference, based on your assessment results and the nature of your systems and business. These are the first vulnerabilities you'll track on their march to extinction (at least from within your applications).
Once your Web application development team gets used to the process of fixing certain classes of vulnerabilities, you can add the next most pressing class (or two) of vulnerabilities to the mix. By slowly adding new classes of vulnerabilities into your formal software development life cycle processes, you'll have the opportunity to smooth out any kinks in the process, and your Web application development teams will grow increasingly accustomed to it. There'll be no big shocks, and over the course of months and years, you'll see dramatic improvement over your first few baselines.
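The selection and tracking described in the two preceding paragraphs can be kept very simple in practice. The following is an added example, not code from the article or its authors: it ranks vulnerability classes from a baseline assessment by a prevalence-times-severity score (an assumed, deliberately simple scoring scheme), picks the top classes as the initial focus, reports each tracked class against its baseline count in a later cycle, and adds the next most pressing class only once the team is ready. The findings, application names, cycle labels and severity values are constructed sample data.

```python
from collections import Counter

# Constructed sample findings from two assessment cycles (not real data).
# Each finding: (cycle, application, vulnerability class, severity 1-5)
FINDINGS = [
    ("baseline", "payments", "SQL Injection", 5),
    ("baseline", "payments", "SQL Injection", 5),
    ("baseline", "portal", "SQL Injection", 5),
    ("baseline", "portal", "Authorization Bypass", 5),
    ("baseline", "payments", "Authorization Bypass", 5),
    ("baseline", "portal", "Cross-Site Scripting", 3),
    ("baseline", "intranet", "Cross-Site Scripting", 3),
    ("baseline", "intranet", "Cross-Site Scripting", 3),
    ("baseline", "intranet", "Information Disclosure", 2),
    ("q2", "payments", "SQL Injection", 5),
    ("q2", "portal", "Authorization Bypass", 5),
    ("q2", "portal", "Cross-Site Scripting", 3),
    ("q2", "intranet", "Cross-Site Scripting", 3),
    ("q2", "intranet", "Cross-Site Scripting", 3),
    ("q2", "intranet", "Information Disclosure", 2),
]


def risk_by_class(findings, cycle):
    """Score each class for one cycle by summing severity over all findings.

    Summing severity rewards classes that are both common and serious; this
    is an assumed scoring scheme, not one the article prescribes.
    """
    risk = Counter()
    for c, _app, vclass, sev in findings:
        if c == cycle:
            risk[vclass] += sev
    return risk


def choose_initial_focus(findings, cycle, n=2):
    """Pick the n highest-risk classes from the baseline as the first targets."""
    return [vclass for vclass, _ in risk_by_class(findings, cycle).most_common(n)]


def expand_focus(tracked, findings, cycle, n=1):
    """Add the n highest-risk classes not already tracked, using the latest cycle."""
    ranked = [v for v, _ in risk_by_class(findings, cycle).most_common()]
    new = [v for v in ranked if v not in tracked][:n]
    return list(tracked) + new


def progress(findings, tracked, baseline_cycle, current_cycle):
    """Count findings per tracked class in both cycles and the percent reduction."""
    base = Counter(v for c, _, v, _ in findings if c == baseline_cycle)
    cur = Counter(v for c, _, v, _ in findings if c == current_cycle)
    report = {}
    for vclass in tracked:
        b, n = base[vclass], cur[vclass]
        pct = 0.0 if b == 0 else (b - n) * 100.0 / b
        report[vclass] = {"baseline": b, "current": n, "reduction_pct": pct}
    return report


if __name__ == "__main__":
    focus = choose_initial_focus(FINDINGS, "baseline")
    print("Initial focus:", focus)
    for vclass, row in progress(FINDINGS, focus, "baseline", "q2").items():
        print(f"{vclass}: {row['baseline']} -> {row['current']} "
              f"({row['reduction_pct']:.0f}% reduction)")
    print("Next cycle's focus:", expand_focus(focus, FINDINGS, "q2"))
```

With the constructed data, SQL injection and authorization bypass come out as the initial focus, and only after those counts fall does cross-site scripting become the next class worth adding. Whatever scoring you use, keep the baseline and the tracked-class list under version control alongside the assessment results so the numbers reported to auditors can be reproduced later.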
By putting into place the essential controls and technologies outlined in this article, you're now well on the pathway to Web application development that is consistently secure. Your reward will be a software development life cycle process that will flow much more smoothly and cost effectively; you'll have caught problems early in the development process, so your regulatory audits will flow more smoothly. And you'll have greatly reduced the chances of a successful attack against your Web sites.
About Caleb Sima
Caleb Sima is the co-founder of SPI Dynamics, a web application security products company. He currently serves as the CTO and director of SPI Labs, SPI Dynamics' R&D security team. Prior to co-founding SPI Dynamics, Caleb was a member of the elite X-Force R&D team at Internet Security Systems, and worked as a security engineer for S1 Corporation. Caleb is a regular speaker and press resource on web application security testing methods and is a co-author of the book Hacking Exposed Web Applications: Web Security Secrets & Solutions, Second Edition.
About Vincent Liu
Vincent Liu, CISSP, CCNA, is the managing director at Stach & Liu, a professional services firm providing advanced IT security solutions. Before founding Stach & Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the Global Security unit at Honeywell International. Vincent is an experienced speaker and has presented his research at conferences including BlackHat, ToorCon, and Microsoft BlueHat. He has been published in interviews, journals, and books with highlights including: Penetration Tester's Open Source Toolkit; Writing Security Tools and Exploits; Sockets, Shellcode, Porting, and Coding; and the upcoming Hacking Exposed: Wireless.