Attacks against applications are certainly a growing threat to organizations. Some argue that as system administrators are much better at configuring and patching their systems, the application is the next logical target of attack. What can be done at little to no cost to help prevent these threats to your environment? Glad you asked.
- Teach yourself about the OWASP Top 10 Project. Use this information to create an ongoing workshop for your developers to learn these concepts and be better prepared to avoid them. Meet with your developer and quality assurance teams monthly and review one of the categories each session. With the prevalence of virtualization solutions available, it will be easy to create an environment for them to test these concepts from the comfort of their own cubicles.
- A most excellent pre-configured platform for your developers and quality assurance teams to use is the Samurai Web Testing Framework (WTF) on a virtual machine. This free Linux distribution is purpose-built for web application penetration testing, includes numerous tools and is maintained by Kevin Johnson.
- Integrate at least one component of your information security program into each step of the Software Development Life Cycle (SDLC). The key is to get to the point where the developers seek you out. This may have to involve bribery, staying late with them and an occasional Starbucks run, but this partnership is very possible to achieve with some effort.
- An excellent resource for your development team is the Cross Site Scripting Prevention Cheat Sheet created by Robert “RSnake” Hansen. This listing has numerous code samples that can be used by your team to determine if your site is subject to these attacks.
- Look for ways to avoid the 25 Most Dangerous Programming Errors published by Mitre and SANS. Categories of these errors include Insecure Interaction Between Components, Risky Resource Management and Porous Defenses.
- Institute a peer review program where code is reviewed by a fellow developer before it is published. Consider implementing a nominal reward for each security issue identified before it is released into production.
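Context-aware output encoding of the kind the Cross Site Scripting Prevention Cheat Sheet item above describes, as an added example that is not part of the original post; the encoder names, the profile-page rendering functions and the sample inputs are all constructed for illustration.

```python
"""Context-aware output encoding for untrusted data (added example; function
names and the sample profile page are constructed, not from the original post)."""
import re


def html_body_encode(s: str) -> str:
    """HTML element content: entity-encode the characters that can open markup."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#x27;").replace("/", "&#x2F;"))


def html_attr_encode(s: str) -> str:
    """Quoted HTML attribute value: encode everything but alphanumerics as &#xHH;
    so the value cannot close the quote or start a new attribute."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"&#x{ord(m.group(0)):02X};", s)


def js_string_encode(s: str) -> str:
    """Quoted JavaScript string literal: \\xHH (or \\uHHHH beyond Latin-1) for
    everything but alphanumerics, so the value cannot end the string or the tag."""
    def enc(m: "re.Match[str]") -> str:
        c = ord(m.group(0))
        return f"\\x{c:02X}" if c < 256 else f"\\u{c:04X}"
    return re.sub(r"[^A-Za-z0-9]", enc, s)


def render_profile_unsafe(name: str, theme: str) -> str:
    """Vulnerable version: untrusted values are concatenated into three contexts."""
    return (f"<h1>Hello, {name}</h1>"
            f'<div data-theme="{theme}"></div>'
            f"<script>var theme = '{theme}';</script>")


def render_profile_safe(name: str, theme: str) -> str:
    """Hardened version: each value gets the encoder for the context it lands in."""
    return (f"<h1>Hello, {html_body_encode(name)}</h1>"
            f'<div data-theme="{html_attr_encode(theme)}"></div>'
            f"<script>var theme = '{js_string_encode(theme)}';</script>")


if __name__ == "__main__":
    # Constructed test inputs of the kind a reviewer would feed each context.
    name, theme = "<script>alert(1)</script>", "'; alert(1); //"
    print("UNSAFE:", render_profile_unsafe(name, theme))
    print("SAFE:  ", render_profile_safe(name, theme))
```

Use the same encoder for the same context everywhere in the code base; mixing contexts (an attribute value that is also inserted into a script block) needs both encodings applied in order.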
Using these very cost-effective techniques will go a long way toward improving the security posture of your applications.