Today, Web applications present significant risks to information security. Industry experts state that 75% of all attacks are directed at the Web application layer and that two-thirds of all Web applications are vulnerable.

Although organizations recognize the need to address Web application security, most lack internal processes for performing vulnerability assessments and resolving security issues. Many organizations perform vulnerability assessments long after their Web applications have already been made available to their customers. Often, these assessments are one-time engagements performed by a third-party team. This, of course, does not help when a Web application is updated frequently. Other organizations have in-house security teams that perform periodic audits. However, these teams are typically small and are overwhelmed by the number of applications that they need to test.

To address the Web application security problem, vulnerability assessment has to be integrated into the software development lifecycle (SDLC). This means that the Development and Security teams must work together to ensure the security of the applications being developed. Security testing must be performed during the different stages of the SDLC, just as functional and performance testing are.

The practice described here proposes a model for collaboration between the Security and Development teams within an organization.