Web app security – Where do I start?

I am on a lot of calls with prospective clients, supporting the sales effort. Many of the people that I speak with understand that they need to do something to improve the security of their applications. But they usually do not know how to proceed or what to do. One of the things that we do is to help clients identify where they are currently, in terms of security. This is very important since this will dictate the amount of time and resources that the client will need to dedicate to securing applications.

The most important thing to keep in mind is

Do not bite off more than you can chew.

These projects will usually involve different teams: development, QA, system admins, network security, etc. Even with the best relations between the teams, it is usually tough to figure out the best way to do things. The smallest things can be huge problems. The teams’ priorities may be different, schedules may not work out, and if you add personality clashes, you end up with a project that is doomed to failure.

In my experience, forcing things down from the top (CISO or some VP) usually does not help. Everyone will work with you for a while and once the executive moves on to other tasks, their co-operation will start lagging. One of the most important things that we try to do is to get buy-in from all the involved parties.

One way is to identify things that would help them meet their goals. For example, for the network security team, it could be that having more secure applications means that they don’t have to install an extra layer of security such as a web application firewall (WAF), which means more work over time due to maintenance. For the developers, it may be that they do not have to spend more time fixing security issues (some of which may bring them to the attention of management for the wrong reasons). Whatever it is that you do, the pill has to be made sweeter.

The next step would be to identify one or more applications and do either a vulnerability assessment or a penetration test. Again, it is important to pick the application(s) properly. You have to consider the size, criticality (operations and data) and typical users, among other things. The testing can be done internally or by a third-party consultant. A lot of clients that I have worked with have reported that when issues are reported by a third party, it has more weight than if an internal person/team reports them.

The issues that are identified will show you what you need to do and how much effort it will require. Other factors may also have a say in this: there may be budgetary constraints, deadlines to meet, limited available resources, etc. Usually, it is better to prioritize the remediation tasks. What are the top 5 issues that you have to fix? Draw up a plan to fix them and then tackle the next items in the list.

In summary, implementing a security initiative within an organization can be a very tough task. It is important to remember the following things:

  1. Get buy-in from all the involved parties
  2. Identify one or more applications for an initial review
  3. Prioritize the identified issues
  4. Tackle the issues in small batches