Wednesday, July 23, 2008

Web application security testing tools

Ever heard of XSS and/or SQL Injection? How about CSRF? You should if you are a web application developer. In fact, beyond just knowing what they are, you should be well versed in its countermeasures and make them a part of your day-to-day coding routine.

Unfortunately, these are just a tip of the iceberg and there are many more exploits and vulnerabilities that exist today as web technology advances and attack surface increases. It will not be feasible and practical to know them all, not to mention ensuring every single line of your code to free from them; Just like it is not possible to write code that is bug free.

Web application security is no longer an area that can be ignored or treated as second class citizens. Given the exponential growth of online applications that deal with valuable data (e.g. B2B marketplace, partner self-service apps, consumer ebanking and ecommerce, webmails, online docs and spreadsheets, even online data backup services, etc), the implications (usually financial) of losing them to hackers are not to be taken lightly.

Even if a company's web applications do not contain personal and private data, any defacement due to web exploits can cause loss of customer confidence and/or negatively affect the branding, all of which will ultimately hurt the business.

Having established the need for more emphasis on web application security, what can one do about it? Well, you can:

  1. include the skillset as a requirement in recruiting your development team,
  2. skill up your development team in this area,
  3. create development guidelines/policies that encourage/enforce exploit-safe coding practices,
  4. setup regular peer reviews focusing specifically on web application security,
  5. develop test cases that attempt to flag out possible vulnerabilities.


You can look into acquiring some web application security test tools to offload your development team from some of these worries.

Generally speaking, here are some key benefits that you can hope to reap from using such tools:

  1. Consistency in overall quality of code produced as you no longer depend on skill levels of individual developers.
  2. Quickly and easily satisfy regulatory compliance to well known standards such as SOX, PCI, HIPAA, etc as most tools can run tests against the standards and generate the necessary reports.
  3. Keep up with the latest threats via the auto update feature in the tools.
  4. Include the security tests as part of the QA cycle (test planning, execution, even defect tracking).

Here in Sony, I am leading the initiative to explore and evaluate the product landscape with the goal of creating a Centre of Excellence (covering both governance and service provisioning) for web application security to support our internal IT operations.

Over the next couple of weeks, I will be meeting up with the various vendors to understand their offerings as well as evaluate their strengths and weaknesses in depth via PoCs.

No comments: