Application Security - An Inside Story - TCS
- Architect/Designer
- GUI designer
- Functional testers
- Performance testers (optional)
- Security testers (optional/non-existent)
- Network administrator/IS team
- Quality assurance
- Hosting server/deployment team
- Compliance team (if any)
- Other third-party vendors (if any)
So, among the above, who is responsible for the security of the application? The consistent answer to this question is 'Not us'. The classical SDLC does not factor security into its testing phase: testing is implicitly understood to be functional, performance is considered only when asked for, and security is ignored with the over-the-top optimism of 'Our application will not be attacked'. Security is passed over in the name of following project- or customer-specific coding best practices which, in reality, encourage writing code that minimizes server or other software/hardware resource usage but do little to encourage writing code securely. The owner or sponsor is not necessarily worried about security unless he/she has the requisite budget, although he/she is accountable for any subsequent security breach. The developer is under pressure to conform to the coding standard and aims to have the fewest functional issues reported against his specific module or pages. All other stakeholders conveniently blame the developer, and this 'passing the buck' game continues throughout the lifetime of the application.
So 'who needs security' is not easily answered; 'when it is needed', however, is beginning to show some interesting trends. The deployment or hosting-server team nowadays requires a security assessment before an application is hosted on a particular server, and that has led the owner of the application to commission a last-minute security scan, almost always 8-24 hours before deployment. The owner has neither the time nor the budget to get this done properly, so it gets done somehow by somebody! This minimizes the chances of the application withstanding any future attack, whether by a rookie or a pro.
Let's look at the assessment options available to the application owner/team.
- Project's own security team
- The IS team
- Various security teams in the organization
- Third-party vendors from outside the organization