As we can see, threat models are very useful in developing comprehensive security tests to run
against the Web application during a vulnerability assessment and can even be used to look for
nonsecure coding practices as part of a code review activity.
11.2.3 Web Application Security Testing—Critical Success Factors
There are a number of factors that need to be kept in mind to develop and maintain an effective
Web application security testing practice. They are as follows:
Patch-n-Fix approach vs. secure SDLC
Testing frequency
Documentation for security
Testing mix
11.2.3.1 Patch-n-Fix Approach vs. Secure SDLC
There are two main approaches to Web application security—Patch-n-Fix and secure SDLC.
Patch-n-Fix approach—This approach is where the application is deployed in a production
environment with little or no testing. The application is rife with security vulnerabilities,
which probably are exploited, after which the organization takes cognizance of a certain
set of vulnerabilities and develops a patch for the same, which is then deployed for the Web
application. Some days later another set of vulnerabilities for the Web application may be
unearthed, resulting in the repetition of the same cycle. This is a tactical approach to Web
application security, in which security is addressed reactively, vulnerability by vulnerability,
without much attention being given to the long-term ramifications of this cycle.
Secure SDLC approach—This approach propounds the consideration of security functional-
ity for the Web application from its incipiency. The SDLC is integrated with a risk man-
agement process that is designed to incorporate security into the application. The coding,
configuration, and so on are based on the understanding of the risks that surround the criti-
cal information assets stored, processed, and transmitted by the application. This approach
methodically mitigates (or in some cases reduces) the risks to critical information assets of
the Web application by securing the Web application through implementation of optimal
security capability in conjunction with the use of secure coding practices. This method
also provides for a procedure-oriented testing methodology that advocates a balanced set of
activities throughout the SDLC, ensuring that application vulnerabilities are reduced to the
lowest possible extent. This approach is strategic, with a long-term vision and commitment
to security.
While one would think that most individuals and organizations would opt for the secure
SDLC approach, in practice most organizations get caught up in the Patch-n-Fix approach,
thereby lengthening the window during which they remain vulnerable before an appropriate
fix is deployed. A strategic approach is what is required to effectively create and maintain a strong Web
application. This is one of the key success factors in testing the security of Web applications
as well.