A secure SDLC usually entails a security risk assessment before the inception of the application
and a further risk assessment for every change made to it. This also includes assessing vulnerabilities
and fixing them, along with practices such as security-focused code reviews and appropriate change
management procedures, so that any change made to the code can be tracked through a formal
change management process and every change is duly authorized by the project manager
or a senior member of the application development team, thereby building accountability into the
application development process.
Although the concept of a secure SDLC sounds simple, surprisingly few organizations get
it right. Many organizations fail to follow basic change management procedures, which results in
unforeseen and unnecessary changes to the code.
3.4.4 Awareness
Web application developers essentially focus on the functionality of the Web application.
These developers are usually not aware of Web application security concepts and practices such as
input validation to prevent cross-site scripting and SQL injection attacks. Many of
these developers are also not aware of secure coding practices such as parameterizing SQL queries,
managing encryption keys for applications, and logging security-related information from the
application, all of which are critical aspects of Web application security. Organizations also do not
spend the time and resources to train developers to incorporate secure coding practices while
developing applications, so developers have little or no idea of the vulnerabilities
that have crept into the application or of the effect that a threat can have on it.
Educating developers is one of the key challenges of Web application security, and failing to do so can have serious
and far-reaching consequences.
3.4.5 Legacy Code
Legacy applications are always a challenge for any organization to contend with. Banks, airlines,
and other organizations suffer from one of the greatest opposing forces against Web application
security: the issue of legacy applications. Organizations have been using applications for their
business operations for many years, since well before the Web arrived on the scene and changed the
business landscape. Mainframe applications, once the lifeblood of many organizations, have
now become burdensome and cumbersome to operate and maintain. But change is always looked
upon with great skepticism, and in some cases change is not possible in a short span of time, as
these legacy applications have become entrenched in the organization's ethos and have become
synonymous with the organization's computer systems.
Airlines have an immense problem replacing their legacy systems, as their client information,
booking information, and other mission-critical functions are handled by those systems,
and over time millions of data records have become part of them. Replacing
such a system would involve changing several aspects: overhauling the entire
application and replacing it with a new system, porting the existing data onto the
new system, ensuring that the transition is smooth, and interfacing with databases and
programming languages that have long been out of circulation. All this has to be done with minimal
downtime, as the airline industry operates 24×7×365 and cannot afford to lose a minute
of that time.
Security was not an important consideration for the legacy applications of yesteryear. The
reach that applications had then was very limited and the awareness of users to carry out an attack