News

Developers, Biz Must Focus Security on Entire App Lifecycle

• By Kathleen Ohlson
• July 18, 2005

Application security must be the top priority for developers and business throughout the product development lifecycle. That was the gist of Symantec’s recent Webcast, “Securing the Development Phase of the Application Development Lifecycle.”

“Developers can’t protect what they don’t see and know about,” says Paul Hinkle, Symantec’s principal security instructor. If companies perform penetration tests after an application is in the environment, it’s too late—costs are going to rise, and it’s harder to fix problems, Hinkle says. “It’s no longer consultants [running] tests on systems, but it’s everybody else with malicious motives that can take advantage [of unprotected applications].

Developers, architects, QA engineers and others must perform penetration tests for all their code, especially any that come from external sources, by testing how a development project performs, responds and handles attacks from malware.

Business must understand—and balance—an application’s purpose and its value to users with an application’s security needs, Hinkle says. They must build applications as a whole, adding security to all layers of an application. If a certain component, such as Web servers, of an application houses security but is changed or removed, an attacker has access to a company’s backend environment, Hinkle says. “All attackers need is one weak link…to make a compromise,” he says.

Users and computers require only the privileges they need to do their jobs, he says. Implementing complex security into apps slows down development, creating more errors and increasing bugs. Complex security also drives users away; if a password is 40-characters long, a user will write it down or make it predictable, weakening security. Hinkle recommends companies use multiple security factors including biometrics.

In spite of developers’ efforts, security measures sometimes fail, especially when advances such as wireless technology circumvent existing defenses. Wireless technology opens up new avenues, even if companies poured money into solid security measures around their networks and built new applications and new ways to access data. If an employee installs an unauthorized access point, all it takes is someone walking by to access a company’s environment.

Business must also validate data input, which is “the most frequently abused piece of an application,” Hinkle says. Attackers send malformed inputs to abuse a system’s functionality, so developers must check whether data is encoded before it’s sent out. Companies must also be careful that error messages are not so confusing they frustrate non-technical users or reveal too much, thereby exposing back-end environments.

“Keep applications simple so they’re easier to test, deploy, maintain and secure against outside threats,” he says.