Application Security 101
You've hired someone to build the Web-based application for your business's online home, but do you know how they plan to lock the front door? Long neglected by companies of all sizes, application security is the new buzzword in business. Unsecured apps allow anyone to walk right in and make themselves at home -- vandalizing your business, stealing big bucks, and causing downtime.
And as large companies batten down the hatches, hackers look for easier targets. 'The path of least resistance may lead them to small businesses,' says Blake Frantz, a consultant with Leviathan Security Group Inc., a company specializing in application security, based in Westminster, Colo.
Most security loopholes are 'simple programming mistakes,' says Jeff Williams, chairperson of the Open Web Application Security Project (OWASP), a non-profit organization that educates businesses and developers about the risks of insecure apps. 'They don't teach this stuff in schools. It's the dirty underbelly of the software industry.'
Here's how to implement application security from design to implementation, and get the strongest castle for your dollar.
Sketch out scary scenarios. According to Williams, business owners should ask themselves: 'What are the worst things that could happen to me?' Are you worried about downtime? Corruption of customer accounts or your database? Regulatory non-compliance? Bringing your concerns to the table ensures that every party knows what's on the menu, whether you're still seeking a developer or would like to review current code.
Know top problems. Check your concerns against the OWASP Top Ten, which lists the vulnerability classes most commonly exploited in Web-based applications. Frantz says the serious issues with Web apps include cross-site scripting and SQL injection attacks. Cross-site scripting lets malicious users take over your users' browsers, while SQL injection exposes database contents, allowing hackers to read, change, or destroy your database.
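To make the SQL injection point concrete, here is an added example (not from the article, OWASP, or either consultant) using Python's sqlite3 with a constructed in-memory customer table: the same lookup written the mistaken way, with user input pasted into the SQL text, and the hardened way, with a bound parameter.

```python
import sqlite3


def build_db():
    # Constructed sample data for the demonstration; not a real customer table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, secret) VALUES (?, ?)",
        [("alice@example.com", "alice-secret"), ("bob@example.com", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The 'simple programming mistake': the caller's input becomes part of the
    # SQL statement itself, so a quote in the input rewrites the WHERE clause.
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    # Hardened form: the driver binds the value separately from the statement,
    # so whatever the input contains, it is compared as data and never parsed as SQL.
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    # Constructed input that turns the concatenated WHERE clause into a tautology,
    # the textbook way a lookup for one record leaks every record.
    conn = build_db()
    injected = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, injected),      # every customer
        "parameterized": lookup_parameterized(conn, injected),  # no match
        "normal": lookup_parameterized(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The first lookup returns every customer's address for an input that matches none of them; the parameterized version returns nothing, which is exactly the check a code reviewer should run on any query that touches user input.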
Secure your trusted developer. Seek recommendations when hiring an application developer. Otherwise you're depending on an individual about whose background you know little. Ask potential hires or firms whether they're familiar with the OWASP Top Ten, and how -- not whether -- they build safety measures into applications. Seek developers who attend the RSA or Black Hat conferences, or who are involved in their local OWASP chapter.
Design documents. Before the developer starts creating your Web storefront, request an outline of how your worst-case app-related scenarios will be prevented. Williams proposes focusing on how the developer deals with cross-site scripting, authentication, and access control. Check his or her answers against the OWASP Top Ten. Often, security talk is overlooked during initial design discussions, Williams says. 'So the OWASP legal project created sample language, to serve as a guideline for that conversation,' he adds.
Appraise your apps. If you're unsure about your current application's weaknesses, consider contracting a short-term consultant to look for code loopholes. Alternatively, a review of the design documentation offers good value, which is another argument for solidifying security requirements before the developer's work begins.
As the OWASP site points out, security isn't a one-time event. Map out strategies before, during, and after development, so your business stays safe.