Security Zone: An open source approach to web application security

By following some practical steps companies can build a cost-effective web application security programme by using tools, documents and procedures developed by volunteers from open source organisations such as OWASP and WASC.

When IT managers consider new software and hardware to protect their companies' web applications from attack, they are obviously concerned about the cost and effectiveness of the implementation.

An open source approach to application security helps to keep costs down while still providing effective security.

OWASP, in particular, is a not-for-profit worldwide charitable organisation focused on improving the security of application software. Its mission is to make application security visible and available to all, so that people and organisations can make informed decisions about true application security risks.

Step 1: Training and education

The first step is to raise awareness among development teams of the security concerns their applications face. OWASP's Top 10 Risks or the SANS 25 Most Dangerous Software Errors, combined with some hands-on training, help developers understand vulnerabilities that can be addressed by better coding and testing.

Deliberately insecure J2EE web applications are freely available which, in conjunction with an intercepting proxy, can be used to teach web developers how poor coding creates vulnerabilities which can be exploited.

Step 2: Secure coding

Once developers are aware of the security issues, they can start focussing on how to write secure code. A practical way to improve security is to embed within the application an enterprise security library containing all the security controls a developer needs.

ESAPI (Enterprise Security API) is a free, open source, web application security control library that makes it easier for developers to write lower-risk applications. The ESAPI libraries are designed to be easily embedded into existing applications or any new development.

Documents are also freely available providing practical guidance to developers on how to code securely. These guides cover an extensive array of application-level security topics, from SQL injection to phishing, credit card handling, session fixation and cross-site request forgeries, as well as compliance and privacy issues.
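To make the secure coding guidance above concrete, here is an added example (not code from the article, from OWASP or from ESAPI) showing three of the controls the guides cover, written against the standard JDBC and Servlet APIs rather than against ESAPI itself so that it does not rely on any assumed library signature. It assumes a `users` table with `name` and `pw_hash` columns and a servlet container that supplies `HttpServletRequest`; the method and attribute names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SecureCodingControls {

    // --- SQL injection: the insecure pattern, kept only for contrast ---
    // User-supplied text becomes part of the SQL statement itself, so a quote
    // character in the input changes the structure of the query the database runs.
    public static boolean loginVulnerable(Connection db, String user, String pwHash)
            throws SQLException {
        String sql = "SELECT id FROM users WHERE name = '" + user
                   + "' AND pw_hash = '" + pwHash + "'";
        try (Statement st = db.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // --- SQL injection: the hardened form ---
    // The statement is fixed at prepare time; the input is bound as data and can
    // never be interpreted as SQL, whatever characters it contains.
    public static boolean loginSafe(Connection db, String user, String pwHash)
            throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ? AND pw_hash = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pwHash);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // --- Session fixation ---
    // After a successful login, discard the pre-authentication session so that a
    // session identifier established before login is never carried into the
    // authenticated session.
    public static HttpSession rotateSessionAfterLogin(HttpServletRequest request,
                                                      String userId) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("userId", userId);   // attribute name is this example's choice
        return fresh;
    }

    // --- Cross-site request forgery ---
    private static final SecureRandom RNG = new SecureRandom();
    private static final String CSRF_ATTR = "csrfToken"; // attribute name is this example's choice

    // Issue an unpredictable per-session token; embed it in every state-changing form.
    public static String issueCsrfToken(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(CSRF_ATTR, token);
        return token;
    }

    // Reject the request unless the submitted token matches the one in the session.
    public static boolean verifyCsrfToken(HttpSession session, String submitted) {
        Object expected = session.getAttribute(CSRF_ATTR);
        if (expected == null || submitted == null) {
            return false;
        }
        // Constant-time comparison: the check takes the same time however many
        // leading bytes of the two values agree.
        return MessageDigest.isEqual(
                expected.toString().getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```

In a servlet, `loginSafe` replaces `loginVulnerable` in the authentication path, `rotateSessionAfterLogin` runs immediately after the credentials are accepted, and `verifyCsrfToken` guards every POST handler that changes state, returning an error response when it yields `false`.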

Step 3: Secure testing

Code review and testing can be performed by trained development staff, but the use of tools to automate and support these efforts can make this task simpler and much more effective.

Best-practice penetration testing documents are available for developers to use in their own organisations for testing web application and web service security issues.

Step 4: Secure metrics

Now that developers are building and testing security in their applications they should be encouraged to measure how secure these applications are.

One way to accomplish this is by using an application security standard. The primary objective of standards is to establish a level of confidence in the security of web applications. Such a standard could be internally developed or obtained from external sources and can provide a basis for testing security controls.

Step 5: The road less travelled

Application security evolves over time, adapting to new threats and landscapes based on changing business requirements, which means there is a long road ahead for anyone embarking on this challenging task.

Using free open source tools provided by organisations such as OWASP can help kick-start the process of building secure applications in a cost-effective and straightforward way.

• Fabio Cerullo, CISSP, is an information security specialist at AIB Bank in Dublin.

Security Zone

Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)².


This was last published in September 2010
