Application security is no accident

Rooting out application bugs begins at the code level.

Web applications are among the easiest and most popular ways of bringing new capability into everyday business processes. From browser extensions to collaboration tools, companies keep adding new programs to their inventories. But in the push for state-of-the-art apps, too many firms let security become an afterthought.

In a time when data breaches and denial-of-service attacks seem to be a daily occurrence, Computerworld contributor Jerry Hoff believes companies must take a much more proactive stance in ensuring the security of their application inventories. That a firm has so far been lucky enough to avoid an incident is not evidence that its defenses work.

In reality, most are addressing only a fraction of their potential vulnerabilities, trusting developers to handle the rest. But many times, crucial considerations are getting lost in translation.

“Developers frequently have the assumption that all the security must come from the network side – firewalls, SSL, server patching, et cetera,” Hoff wrote. “Only a handful of people in each organization realize that web applications’ security lies within the code.”

While technical tools are an essential component of an effective layered security strategy, so too is attention from the developers themselves. Whether apps are being created in-house or in a third-party shop, application architects must have a clear understanding of how their design and coding decisions will affect the application's functionality and integrity once it is in production.

Educated developers, safe apps
Successful application developers have been drilled in making apps work under the most stringent performance demands. However, keeping their finished products safe from external attacks isn't always on the agenda. When the choice is between getting an application out the door on schedule and performing a third round of penetration testing, it's plain to see that app architects will prioritize the option their paycheck depends on.

Reconciling the development team's need for speed with their sponsors' security expectations may require standardization. According to TechTarget, development frameworks that automate some aspects of secure coding have been gaining approval from both sides in recent years. With industry associations and some corporations contributing to secure code libraries, both independently and jointly, securing an application has become a more approachable task.
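To make the point about code-level security concrete, here is an added example (not code from Hoff, TechTarget, or any library the article mentions) showing two of the defects that frameworks and secure code libraries take off the developer's plate: SQL injection, closed by parameterized queries, and HTML injection, closed by output encoding. The in-memory database, the `users` table, and the inputs are all constructed for illustration; only Python's standard library is used.

```python
"""Hand-written vs. library-backed handling of untrusted input.

Constructed example: the database, table, rows and attacker inputs are
made up for illustration and do not come from any real application.
"""
import html
import sqlite3


def make_db():
    # Constructed sample data, not a real user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, username):
    # Hand-built query: the user's input becomes part of the SQL text,
    # so a quote in the input changes the statement's logic.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameterized query: the driver sends the value separately from the
    # statement, so the input can never alter the statement's structure.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_unsafe(username):
    # Raw interpolation into HTML: markup in the name is rendered as markup.
    return f"<p>Welcome, {username}</p>"


def render_safe(username):
    # Output encoding, which templating frameworks apply by default;
    # html.escape turns <, >, &, and quotes into entities.
    return f"<p>Welcome, {html.escape(username)}</p>"


def demo():
    """Run both variants against attacker-shaped input and report results."""
    conn = make_db()
    sql_payload = "x' OR '1'='1"            # constructed injection string
    unsafe_rows = lookup_unsafe(conn, sql_payload)  # returns every user
    safe_rows = lookup_safe(conn, sql_payload)      # matches no user
    html_payload = "<script>alert(1)</script>"      # constructed XSS string
    return {
        "unsafe_rows": len(unsafe_rows),
        "safe_rows": len(safe_rows),
        "unsafe_html": render_unsafe(html_payload),
        "safe_html": render_safe(html_payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unsafe lookup returns both rows for an input that names no real user, and the unsafe renderer hands the browser a live script tag; the library-backed versions return no rows and an escaped string. Neither fix involves the firewall, TLS, or the server's patch level: it is entirely a property of the code, which is the point Hoff is making.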

These resources will be of limited value, however, unless developers understand what they do and when to use them. As a result, Hoff encouraged companies to focus on staged application security training built from short, easily digestible lessons that are clearly mapped to the task at hand. Instead of overwhelming architects with education en masse, a gradual and continuous approach is more likely to improve outcomes.

How stringent are your application security expectations? What resources do your development teams consult to inform their efforts? Let us know in the comments section below!

Matt Williams

A self-proclaimed ‘tech geek’, Matt has worked in technology for a decade and divides his time between blogging and working in IT. A huge New York Giants fan, when not watching football Matt gets his game on playing Call of Duty with his friends and other tech bloggers.