App Scans vs Code Scans Part 3

This post has been syndicated from Peter Benson’s personal blog, “From The Source”
This is the third post in a series on where source code scanning fits relative to application scanning. This time I’ll focus on development vs. operations.

One of the issues that I face on a daily basis is the attitude that web applications are presumed secure once they are developed. A lot of people assume that their code is secure, even when large parts of it have been copied in from other sources. So the first time the application is actually exposed to security testing is when it goes into a pre-production environment or, worst case, once it has gone live. Sometimes not even then.

Anecdotally, we have spent a lot of time working on open source software, including code that has been worked on by a lot of very knowledgeable people, and we are still finding interesting vulnerabilities. I know that many deployments of these systems are not being tested when they go live, so it is likely that there are far too many untested and unproven web sites out there.

Seriously, the only way, and the most cost-effective way, is to test your code while you are building systems, not to wait until the end (or never!). The code will be better and more secure, and it costs a heck of a lot less than having someone find your vulnerabilities once the system is out there and exposed.

Once your application has been deployed into either pre-production or production, by all means use application testing tools and penetration testing to prove the security of the deployed implementation. But this testing should be a backstop, NOT the first time that security is actually addressed.

Oh yeah, if you then make changes to your web applications, whether maintenance releases or new functionality, test your source code again. I get really concerned sometimes at the number of times a web site gets changed without being tested again. Security and exploits are also evolving, and what was secure last month is not necessarily secure this month. Either in operations or as part of your regular release development, test your systems!

Operationally, layer your security with active management systems such as firewalls and IDS, implement a vulnerability and configuration management system, and verify your security over time with application testing and manual penetration testing.

Want to be secure? The above is a lot more likely both to get you there and to keep you there.

Copyright © 2009 CodeScan Labs, All Rights Reserved