Top 5 Ways To Secure Your Web Applications & Mobile Appsby Patrick Quirk
1. Document security requirements (and don't leave them as a low priority or nice to have!)
Most applications have requirements for passwords, but consider other aspects of the application's security such as:
a. Passes application vulnerability scan with no critical issues.
b. Supporting infrastructure must pass the organization's security assessments with no critical issues (The application layer is just one layer of the technology stack. Ensure the other layers are required to be as secure as your code.)
c. Ensure data collection requirements are limited to necessary data and that the handling aspects of that data such as access, retention and data flow are defined.
2. Include application security testing as part of functionality testing
Since all requirements should go through functionality testing, the security requirements should be no exception. As your organization's QA testers get up to speed on testing more robust security requirements, they may require new testing tools and training on those tools. As your testing team gets up to speed on security testing tools, you may consider outsourcing this function for a period of time and having your QA team actively involved with the testing as a training effort.
3. Perform automated code reviews in additional to vulnerability scans
Whether part of your developer toolbox, functionality testing or 3rd party assessments, automated code reviews look at all of the application code rather than just seeking out vulnerabilities. As a result, they can provide a more granular look at what is really going on with the code.
4. Have 3rd party application security testing performed
3rd party security assessments are a common best practice and that applies to application security testing as well. Consider the following for your 3rd party assessments:
a. Have the 3rd party use different scanning tools than you use internally.
b. Perform 3rd party assessments at least annually, but consider having them performed on each major release or any release impacting data entry.
c. Share positive findings as well as the issues. Celebrate the positive aspects of your security posture with development teams, users and leadership.
5. Act upon the results of internal testing and 3rd party assessments
Testing is only valuable if it feeds back into other processes. Ensure the results of your assessments feed into those other organizational processes such as:
a. Critical findings should feed into issue/bug tracking processes.
b. 3rd party assessment results should feed into requirements definition for the next release.
c. Incorporate approaches used by 3rd parties into your internal testing processes.
Overall, these concepts can be summarized by simply including the application layer in your overall security and risk management programs. As public-facing interfaces, all components of the application and associated layers should be considered. From the infrastructure to the code to the downstream flow of the data, a holistic approach to security will be the most effective.