• Embed Doc
  • Copy Link
  • Readcast
  • Collections
  • CommentGo Back
 
 Web application security:too costly to ignore
 White paper
Table of contents
 Web application security: too costly to ignore
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
 Web application security: solving a complex challenge
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Toward continuous and secure application development
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Strategy and planning phases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Requirement phase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Design phase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Build phase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Test phase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Deployment phase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Production. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
 Automate security into the application development life cycle
. . . . . . . . . . . . . . . . . . . . . . . . . . . 6HP DevInspect software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6HP QAInspect software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6HP WebInspect software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7HP Assessment Management Platform software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Benefits of HP Application Security Center 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Conclusion
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
 
 Web applicationsecurity: too costlyto ignore
This paper details why application security addressedthroughout the entire software development life cyclewill increase the security of your applications,improve regulatory compliance, while also cuttingdevelopment costs.The bad news keeps rolling in nearly every day. A major retailer’s website is hacked, and thousandsof customer records, including credit card numbers,are stolen; a single flaw on the web page of a federalagency has leaked Social Security numbers onto theInternet. It is clear that attacks targeting web appli-cations are on the rise, as stories like these areall too commonplace.Not only are application attacks growing more prevalent,they are also costly. The research firm Gartner estimatesthat within the next year, 80 percent of all companies willhave suffered through an application security incident.The cost of these incidents ranges from $90 to $305 percompromised record, depending on the nature of thebreach and the company hacked. These costs includesystem cleanup and forensic analysis, regulatory andlegal costs, consumer breach notification, and creditmonitoring services. When considering those expenses,it is no surprise that the total expense of a single breachcan range from several million to well into the billions.These web application flaws also place organizationsat significant risk for non-compliance with governmentand industry regulations such as Federal InformationSecurity Management Act (FISMA), Health InsurancePortability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), andthe more recent Payment Card Industry Data SecurityStandard (PCI DSS).For attackers, web applications are both easy andworthy targets. Common flaws such as SQL injection,cross-site scripting, poor input validation and brokenauthentication conditions make it possible for attackersto easily infiltrate these applications to disrupt appli-cation availability and destroy or steal sensitive andprivate information like credit card data. Also, vulnerableweb applications not only allow these miscreants tosteal and manipulate information within that application,but also to use it as an entry point to the corporatenetwork and back-end applications.Set aside those security and regulatory complianceconcerns for a moment, and consider this: Securityvulnerabilities are like any other software defect. And, like any software defect, it is actually more costeffective to find and fix security software defects duringdevelopment. It is widely accepted by analysts andsoftware development experts that while it may cost acouple hundred dollars to find and fix defects early inthe development cycle, those costs can soar to wellabove $10,000 to fix those defects after the appli-cation has been sent to production.
2
 
Considering that web application security is so crucialto mitigating the risks of attack and attaining regulatorycompliance, the number of web attacks is on the rise,and the fact that it is exponentially more cost effectiveto remedy those flaws early in the development process,one must question why there is such a chasm betweenwhere application security should be and the sad shapeof application security today.The answer: Most organizations approach applicationsecurity backwards. They bolt security on to the veryend of the development process instead of building itin throughout. Typically, security teams will conduct anapplication security assessment just prior to deploymentor worse yet—after the application is deployed, andthey will uncover reams of security flaws—unvalidatedinputs, logic errors and other defects created in thecode during the entire development process. Thosesecurity managers then will be forced to go back to thedevelopers and demand the code be fixed before thesoftware can be released into production. This ex-pensive and inefficient approach forces deploymentdate delays and severely limits the number of securitydefects the development and quality assurance (QA)teams will be able to resolve and re-test. This bodesbadly for the prospect of building secure applications. As you will see, by simply adding security to existingdevelopment checkpoints, such as when currentfunctionality and performance tests are completed,organizations can slash security-related maintenancecosts, while also producing dramatically more secureand regulatory-compliant applications.
 Web application security: solving a complex challenge
There are many reasons why security flaws work theirway into web applications. First, security is rarelyconsidered during the functional requirements phase;that is to say that application owners do not demandsecurity from the onset so developers do not buildsecurity into their applications.Second, even when developers do consider security,they are covering only the basics: authentication,authorization, access control and encryption. Theyoften do not provide comprehensive input validation toprevent SQL-injection and cross-site scripting defects. As a result, developers leave scads of security defectsin their source code. This is not because they do notwant to develop the most secure software possible.Rather, the primary focus of developers is to buildhighly functional and available applications. Theirattention is on performance and ease-of-use. They tendto think about how the normal user will approach thesoftware, not how attackers will try to bend an appli-cation’s capabilities and coding weakness for maliciouspurposes. Even developers who recognize the importanceof web application security usually see it as the responsi-bility of IT security or as part of the QA process. Also, popular development tools, such as Microsoft
®
 Visual Studio, IBM Rational Application Developer andEclipse are very powerful at what they do—provide arobust development environment. However, they are notdesigned to aid in the production of secure software.The result: Many web applications are rich in function-ality but vulnerable to unwanted exploits and intrusions.These vulnerable web applications get deployed—andeventually attacked.
3
of 00

Leave a Comment

You must be to leave a comment.
Submit
Characters: ...
You must be to leave a comment.
Submit
Characters: ...