Today more and more browser application or mobile application leverages third party libraries and open source code in terms of java-script and mobile code. While application development is quicker with third party component, application has increased risk for the presence of security flaws in application. Security flaws get introduced by wrong usage of third party code or already present in the third-party code or by developer in his/her code. This blog introduces security vulnerability at higher level
Security flaws are challenge in consumer app scenario and the challenge increases in magnitude for enterprise application. Any loophole in web application security has potential to allow hackers to gain access to enterprise data. Hence testing web application security is a high priority for enterprise today. Large enterprises evaluate a software products for security vulnerability and prefer to evaluate product that are less prone to security flaws.
With enterprise IT infrastructure comprising of wide range of products across compute, network and storage, application security testing requires significant cost in terms of software and there is need for skilled personnel in security testing. How to evaluate the product for security vulnerability? Who pays for product’s security assessment?
Enterprise do not want to spend due to the risk that product may fail security assessment or satisfying alone cannot lead to product purchase. Product developer hesitates to spend with the risk that enterprise may choose a competitor product product( for reasons), though product satisfies security assessment
In addition, a product developer might know to detect and fix few commonly found and standard flaws and may not be aware of all security flaws present in the product. On reporting of security flaw, developer finds it tricky to find & implement solution to fix the flaw. In addition, no developer can understand IT infrastructure configuration of all enterprises.
Here comes the role of security testing vendors. The enterprise engages security vendor to audit its IT infrastructure and provide recommendation for security perimeter fencing of the enterprise. Now the enterprise pays and uses recommendation to assess and evaluate products for satisfying the security fencing requirements of enterprise.
Publishing security fencing requirements increases risk of enterprise being prone to being hacked for security. Hence enterprise choose to evaluate products certified by known security vendors for standard security assessment.
Security vendor offer different security assessments to product developer in different stages of product development.Once product is assessed and certified by security vendor, product developer is allowed to share certification with interested enterprises. Here are capability what product developer can obtain from the security vendor.
Check source code for security flaws : Any security flaws found earlier in product development gets fixed easilty with less cost compared to flaws found later in development. Here the developer is enabled with capability to test their application code on weekly basis for security flaws.
Training/Consulting in security As explained earlier, product company will find costly to employ security experts full-time and their current developers are not equipped to come with solution to fix security flaw. Hence training in security related courses or availability of security consulting would be helpful.
Check application in staging environment(before production) for security flaws: The product developer may choose to share infrastructure details of staging environment to get application assessed for security flaws under normal working behavior of the application, planned hours and known IT environment. As the time of security attack by the security vendor is known, the staging environment components like firewalls and network elements can be prepared not to raise false security alarms.
- If automation test scripts for product are available, the security vendor can leverage the same to insert security flaw tests in between product feature testing and observe the application for presence of security flaws. Effectively this approach tries to identify security flaws in known working behavior/ use case of the application.
- When product features can be accessed only by login using username and password, security vendor needs valid user credentials to enter the product and identify security flaws.
- The security vendors can be engaged to identify security flaws in unknown working behavior/ use case of the application.
In next blog, we can discuss more on security vulnerability and how are they classified across technology stacks. We will also discuss how application security flaws classified and reported by test vendor and what does enterprise make use of security assessment report of product.