When IT managers consider new software and hardware to protect their companies' web applications from attack, they are obviously concerned about the cost and effectiveness of the implementation.
An open source approach to application security helps to keep costs down while still providing effective security. By following some practical steps companies can build a cost-effective web application security programme by using tools, documents and procedures developed by volunteers from open source organisations such as OWASP and WASC.
OWASP, in particular, is a not-for-profit worldwide charitable organisation focused on improving the security of application software. Its mission is to make application security visible and available to all, so that people and organisations can make informed decisions about true application security risks.
Step 1: Training and education
The first step is to raise awareness among development teams to familiarise themselves with the security concerns. OWASP's Top 10 Risks or Sans 25 Most Dangerous Software Errors, combined with some hands-on training, helps developers understand vulnerabilities that can be addressed by better coding and testing.
Deliberately insecure J2EE web applications are freely available which, in conjunction with an intercepting proxy, can be used to teach web developers how poor coding creates vulnerabilities which can be exploited.
Step 2: Secure coding
Once developers are aware of the security issues, they can start focussing on how to write secure code. A practical way to improve the security is to use enterprise security libraries containing all the security controls a developer needs embedded within the application.
ESAPI (Enterprise Security API) is a free, open source, web application security control library that makes it easier for developers to write lower-risk applications. The ESAPI libraries are designed to be easily embedded into existing applications or any new development.
Documents are also freely available providing practical guidance to developers on how to code securely. These guides cover an extensive array of application-level security topics, from SQL injection to phishing, credit card handling, session fixation and cross-site request forgeries, as well as compliance and privacy issues.
Step 3: Secure testing
Code review and testing can be performed by trained development staff, but the use of tools to automate and support these efforts can make this task simpler and much more effective.
Best-practice penetration testing documents are available for developers to use in their own organisations for testing web application and web service security issues.
Step 4: Secure metrics
Now that developers are building and testing security in their applications they should be encouraged to measure how secure these applications are.
One way to accomplish this is by using an application security standard. The primary objective of standards is to establish a level of confidence in the security of web applications. Such a standard could be internally developed or obtained from external sources and can provide a basis for testing security controls.
Step 5: The road less travelled
Application security evolves over time, adapting to new threats and landscapes based on changing business requirements, which means there is a long road ahead for anyone embarking in this challenging task.
Using free open source tools provided by organisations such as OWASP can help kick-start the process of building secure applications in a cost-effective and straightforward way.
• Fabio Cerullo, CISSP is as an information security specialist at AIB Bank in Dublin.
Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)².
This was first published in September 2010