Java Reference
In-Depth Information
largely depend on the understanding of threats and how these threats would exploit various
application vulnerabilities. During the risk assessment phase, the threat proiling activity is
extremely beneicial, not only for the design and development of the application but also for
the testing personnel in designing and development comprehensive test cases for security.
5.1.2.2 Software Development Life Cycle
he most important requirement for a secure Web application today is for security to be built
into the application from its inception. One of the predominant issues with most Software
Development Life Cycle processes (SDLC) is that inadequate attention is paid to security aspects
of Web application during the core phases of application design and development. Building secu-
rity into an application already developed becomes an expensive and tedious process. he process
of SDLC usually begins with the gathering of requirements, from which the application design
is created. Once the design of the application has been created and inalized, the development
process is underway, which is followed up with testing, deployment, and maintenance of the
application. By mapping the risk management process to the Software Development Life Cycle,
the much-needed aspect of security is incorporated as part of the application development process
right from its inception. In Chapter 6 we will explore the mapping of the risk management process
to the Application Development Life Cycle. Figure 5.2 illustrates how Risk Management maps
with the SDLC process.
5.1.2.3 Compliance
Security compliance, as previously discussed, has become an important consideration for organiza-
tions all over the world today. he role of security standards and compliance requirements like the
Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA),
and the Payment Card Industry Data Security Standard (PCI-DSS) in the modern world is a
mandatory one. Risk management is one of the basic requirements in most security compliance
standards or frameworks. Risk assessment using a structured risk assessment methodology is man-
dated by the HIPAA, for the health care industry. he PCI-DSS, a standard for merchants, credit
card processors, and service providers handling cardholder data, in its Requirement 6.3 indicates
that the Software Development Life Cycle Documentation for an application needs to consider
security requirements like logging, authentication, and authorization among others.
Application Development Lifecycle
Requirements Gathering
Design
Development
Testing
Deployment
Web Application Risk Management
Risk Assessment
Risk Mitigation
Continuous Evaluation
Figure 5.2
Mapping of risk management process with the Application Development Life
Cycle.
Search WWH ::
Custom Search