Web Security Life Cycle
Software development life cycles (SDLCs) are created to help guide businesses toward meeting specific desires and needs within their applications. They drive the steps used to meet the best practices and standards that businesses are required to follow in order to function.

SDLCs are made up of various stages such as assessments, application development, QA testing, deployments, and so on. Best practices and standards dictate that implementing security within the various steps of an SDLC, if not all of the steps, will provide the best results that any business is trying to achieve. An SDLC can come in a few different models such as the waterfall model, the spiral model, and the V-Model.
This document will be used to describe and give a brief summary of many different processes.

Application Development:
During the development of web applications, things such as poor error handling and insecure data transfer can plague the development. Poor error handling could result in malicious users finding much more information about an application than should be revealed, and using that information to gain access to unauthorized areas, while insecure data transfer could result in data being stolen as it is broadcast across a network.

QA/Testing:
Security professionals who continually test software and web applications for malicious attacks or security flaws ensure that products will continue to work as desired. Examples of testing that could be used are integration testing and black-box testing. Integration testing is when individual software modules are combined and tested as a group, while black-box testing is a method of software testing that examines the functionality of an application without knowing how it works or how it was coded.

Deployments:
Monitoring of the deployment happens here, as well as searching for potential security threats and exploitable areas. Documenting how the deployment has gone is also done. Deployment response time could become an issue if it takes too long, as could error messages popping up due to issues within the application once it is put into real-time use.

Website encryption & key management:
These two are considered the highest practice in data protection and are also required by regulations issued by standards such as PCI-DSS, HIPAA, and FISMA. Website encryption can be implemented with SSL (Secure Sockets Layer), while implementing data encryption that produces separate keys for each piece of data will protect more than just a company's data.
Data Storage & Access:
Having control over a company's files and databases means that it is in control of the security regarding them and that the security was implemented well. Limiting access to all data is a best practice here, but one should not forget to have data encryption as well as backup and recovery steps to take should an issue arise.
Systems & Devices that browse the website:
When it comes to the different devices and systems that interact with your website, there are ways to detect what visitors are using, and with that knowledge, creating different versions of your site's pages to accommodate the differences helps meet varying customer needs. Having versions of the site that mirror the main site but work best on devices like tablets and cellphones is a way to attract more customers than just those who use PCs.

Security Assessment & Vulnerability Scanning:
The reason a security assessment is run in the first place is to make sure that a web application was built correctly to the intended designs and needs of the company, making sure that the necessary controls are within the finished product. Vulnerability scanning, on the other hand, is the use of a program designed to test for flaws and risks that were not already known and taken care of.
When the program has finished scanning, it will produce a report of its findings that helps a security professional locate and fix the issues found.

Third Party Vendors that have access to data:
When other businesses are involved within your own, following the policies of both your business and theirs will result in continued business. Informing your users to follow these policies is a must. When it comes to the vendor accessing your data, though, access should be limited, as another business should not have access to more than it needs. All connections between the two companies should also be secured.

Employee Web Security Training:
Conducting training for your users on proper and secure web usage should be required, as you do not want employees randomly browsing and clicking on anything their heart desires. Training can reduce many different threats that come from untrained employees, such as social engineering, ignoring business policies and rules, and downloading files and software that could destroy company systems.
A best practice would be conducting security training annually, if not quarterly, to meet standards.

Requirements & Regulations that are needed for compliance:
It is very important to meet the requirements of the security standards and guidelines that are issued in order to be in compliance. For example, PCI-DSS requires networks to be secure and that credit card data, if saved, must be encrypted to meet compliance. Keeping this compliance up not only reduces overall costs and increases overall security, but also reduces the risk of penalties being placed against the business.
A best practice would be for security professionals to be proactive and always up to date on new updates and patches that protect against recent threats like viruses and malware.

Emerging Laws and regulations affect the application security landscape:
New risks and threats pop up all the time in an ever-changing, technology-driven world. Keeping up with the laws and regulations put in place to combat the evolving dangers that come with newer technology is essential. By being ready with a dynamic and trained IT environment you can be prepared for the many different demands that come your way, while also having the flexibility and reliability needed for swiftly changing business needs.