The security of software, especially of web-based applications, is becoming increasingly important. On the one hand, the number of successful hacker attacks keeps rising; on the other hand, cloud-based software is becoming more and more common, and with it the volume of data exposed to attacks or leaks.
A recently published top-5 list of the world’s biggest hacks in a CNBC article shows that even the big players of the digital economy struggle to make their applications hacker-proof and to implement means for preventing data loss. Above all, the ranking shows that we are experiencing data leaks on a tremendous scale:
- In 2013, hackers stole the names, dates of birth, phone numbers and more of about 3 billion (!) Yahoo users.
- In 2019 there was a significant data leak at the First American Corporation: 885 million (!) records were publicly accessible, including several million records with details of bank accounts, wire transfers and mortgage loans.
- Also in 2019, a data leak at Facebook affected about 540 million records, or 146 gigabytes of data, about Facebook account names, IDs and details of comments and reactions.
- Roughly 500 million records were stolen from Marriott International in 2018.
- In 2016, due to inadequate security measures, the data records of 412 million users were captured by hackers at the dating provider Friend Finder Networks.
Data security is therefore high on the agenda of CIOs and gains relevance in software development projects, regardless of the technology stack used. Product managers, IT project managers and project managers at commissioning companies must have a good understanding of IT security: they should be familiar with security architecture, architectural security reviews and secure coding guidelines.
The how-to guide for secure software: specifications, processes, technologies, people
The speed of application development, upgrades and new releases in the digital economy can seem dizzying at times; following DevOps principles, new releases are put into production several times a day, and in some companies (such as Amazon) every minute. Under these conditions, special efforts are clearly needed to ensure sufficient QA, especially with regard to application security.
Larger companies in particular resort to so-called hacking events, where white-hat hackers and security experts are invited to hack a piece of software, i.e. to uncover security holes; usually so-called bug bounties are offered, ranging from a few thousand euros to over 100,000 euros depending on the bugs found. But a hacking event is only the icing on the cake of a security strategy. Its fundamental pillars should be four factors: technology, people, processes and specifications.
Technology
From a security point of view, technology means that developers no longer have to implement every security control from scratch. They can use third-party security components (e.g. for single sign-on), and many frameworks ship with security features (e.g. AngularJS for web development).
In addition, so-called SAST tools (Static Application Security Testing) are available to developers and security testers: these tools analyze the source code for weaknesses. Well-known tools on the market include HP Fortify and Checkmarx.
DAST tools (Dynamic Application Security Testing), in turn, are used to carry out penetration tests. There are numerous commercial providers, but also open-source offerings such as OWASP ZAP (one of the most active projects of the Open Web Application Security Project).
Gartner 2019 Magic Quadrant for Application Security Testing
People
What use is the best technology if software developers or quality engineers/testers don’t know these tools or how to use them properly? Building up competence in developing software with high application security is therefore key. It all starts with awareness training for security risks. As a next step, role-specific know-how is required:
The software architect is responsible for the overall security architecture. It is a fact that a large share of the security gaps in today’s applications can be attributed to design errors. In recent years there has been a trend towards cloud-native applications with a microservice architecture (replacing monolithic applications), which poses a new challenge for IT security. Just to give one example, trust relationships between the various microservices and containers have to be managed, because at every interface between microservices the question of whether the calling user or service is trustworthy must be settled. Software design is also about consistently implementing the principle that confidential data should not be stored unnecessarily (compare the PCI Data Security Standard).
Software developers, on the other hand, must be aware of potential vulnerabilities in software and know the methods used to exploit them. To prevent automated (“brute force”) attacks on the logon screens of web applications, the total number of logon attempts can (or rather: must) be limited. Incorrect logon attempts should be logged. And, to stay with the example, weak passwords should be prevented altogether by having the application enforce minimum requirements for password length and complexity (compare NIST 800-63).
Test engineers must be familiar with SAST and DAST tools. In addition, testers need to be trained for specific attack scenarios, such as the XXE (XML External Entity) attack, in which malicious content is smuggled into the application via an uploaded XML file: a manual code review is a proven method for identifying (and then fixing) XXE risks; identifying XXE risks with DAST tools requires extra training for testers.
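The two developer-side controls named above, a limit on failed logon attempts with logging, and a password policy check, as an added example that is not part of the original article. The policy check enforces a minimum length and a blocklist of common passwords, which is what NIST SP 800-63B recommends in place of character-class rules; the blocklist, the account name and the IP address are constructed sample values, and the caller supplies the current time (e.g. `time.time()`).

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed mini blocklist; a real deployment checks a large breached-password list.
COMMON_PASSWORDS = {"password", "123456789", "qwertyuiop", "letmein123"}

def hash_password(password, salt):
    """Slow salted hash for storage (PBKDF2-HMAC-SHA256, 200k iterations)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_password_policy(password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    return problems

class LoginGuard:
    """Limits failed logon attempts per account and records every failure."""
    def __init__(self, max_attempts=5, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)  # username -> timestamps of recent failures
        self.audit_log = []                 # stand-in for the real security log

    def _recent_failures(self, user, now):
        # Drop failures older than the lockout window so the lock expires by itself
        cutoff = now - self.lockout_seconds
        self._failures[user] = [t for t in self._failures[user] if t >= cutoff]
        return self._failures[user]

    def is_locked(self, user, now):
        return len(self._recent_failures(user, now)) >= self.max_attempts

    def attempt(self, user, password, stored_hash, salt, source_ip, now):
        """Returns 'ok', 'denied' or 'locked'; a locked account is not even checked."""
        if self.is_locked(user, now):
            self.audit_log.append(f"LOCKED user={user} ip={source_ip} ts={now}")
            return "locked"
        if hmac.compare_digest(hash_password(password, salt), stored_hash):
            self._failures[user].clear()
            return "ok"
        self._failures[user].append(now)
        self.audit_log.append(f"FAILED user={user} ip={source_ip} ts={now} count={len(self._failures[user])}")
        return "denied"
```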
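A hardened parser for uploaded XML of the kind a code reviewer would look for when checking for XXE risks, as an added example that is not part of the original article. It uses Python's standard-library expat bindings and refuses any DOCTYPE, since that is where the entity declarations of an XXE payload live; the two sample uploads and the file path in the rejected one are constructed placeholders.

```python
from xml.parsers import expat

class UnsafeXmlUpload(ValueError):
    """Raised when an uploaded XML document uses features an XXE payload relies on."""

def parse_uploaded_xml(data):
    """Parse untrusted XML bytes into {dotted.path: text}; any DOCTYPE is refused,
    because the DTD is where the entity declarations of an XXE payload live."""
    parser = expat.ParserCreate()
    result, stack, text_parts = {}, [], []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlUpload(f"DOCTYPE '{name}' is not allowed in uploads")

    def entity_decl(*args):  # belt and braces in case a DOCTYPE ever slips through
        raise UnsafeXmlUpload("entity declarations are not allowed in uploads")

    def start_element(tag, attrs):
        stack.append(tag)
        text_parts.clear()

    def end_element(tag):
        if text_parts:
            result[".".join(stack)] = "".join(text_parts).strip()
            text_parts.clear()
        stack.pop()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = lambda *args: 0  # never fetch external entities
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = text_parts.append
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXmlUpload(f"malformed XML: {exc}") from exc
    return result

def is_safe_upload(data):
    """What an upload handler would call: True only if the document parsed cleanly."""
    try:
        parse_uploaded_xml(data)
        return True
    except UnsafeXmlUpload:
        return False
# Constructed sample uploads (not from the original page); the file path is a placeholder
BENIGN_UPLOAD = b"<invoice><customer>ACME</customer><total>42.50</total></invoice>"
XXE_UPLOAD = (b'<!DOCTYPE x [<!ENTITY leak SYSTEM "file:///placeholder/secret">]>'
              b"<invoice><customer>&leak;</customer></invoice>")
```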
Software architects, software developers and testers nowadays have access to extensive information resources on the Internet. In particular, IT professionals can make use of extensive checklists, cheat sheets and the like from the OWASP Foundation; the Open Web Application Security Project is an open community founded in 2001 that has since set de facto standards in many areas of application security.
Processes and specifications
In order to implement these de facto standards systematically (!) in application development, processes and specifications are required. These include secure coding guidelines, but also specifications for testing and release processes.
Companies can use the Application Security Verification Standard (developed by OWASP) as a guideline or starting point. It offers a comprehensive framework of “security requirements and controls that focus on defining the functional and non-functional security controls required when designing, developing and testing modern web applications and web services.” It includes comprehensive recommendations and best practices on topics such as user authentication, session management, data protection, encryption and more.
Application security in your development project
In principle, application security should explicitly be part of the requirements. This could look as follows:
Definition of detailed technical requirements for application security: as already described, OWASP provides numerous guidelines, from the Application Security Verification Standard to the TOP 10 Most Critical Security Risks for Web Applications. The client organization requesting the software development can include or refer to standards of particular relevance in its requirements. However, this requires a good technical understanding; it may even require code review, which is quite uncommon in practice.
A simpler (and comparatively less expensive) way is to define in the requirements that a penetration test must be completed successfully with one or more specified tools.
In the case of particularly security-critical web applications, one can go one step further and commission a specialized service provider to run a penetration test. Service providers include, for example, touringsecure.de or 8com.de. An example report of such a professional pen test can be found here.