You build applications

We'll handle security

How to develop secure web applications

Security, and especially application security, was and is a severely underrepresented topic in most computer science or computer engineering curricula. This leaves software development companies hiring developers who usually have had little to no security training and are therefore unable to effectively identify and mitigate security vulnerabilities in their own software. Meanwhile, the rest of the world is expecting the exact opposite.

Many articles on this topic will provide you with one or two practical answers or best practices, and these articles usually hold some truth. However, while most advice that you can find on the web isn’t necessarily incorrect, it is almost never a bulletproof solution when it comes to developing secure web applications that will hold up during a penetration test or against a real hacker. The fact of the matter is that all this advice and these best practices won’t help the developer to implement them if the developer doesn’t know why these are best practices or why other practices would create a security vulnerability.

At CAST Company, our mission is to ensure the security of your application – your security is our responsibility. We have created a Continuous Application Security Testing (CAST) service that covers the following four important pillars of secure application development, and this service can easily be bolted into your workflow without disturbing your current processes.
1. Educate on application security
  This bullet point seems obvious, but it is quite often crossed off the yearly budget because it seems too expensive at first. Properly educating developers on the ways that common security vulnerabilities are exploited by hackers and how these vulnerabilities can be avoided is the most important part of any mission towards secure web applications. To effectively educate a development team on security, a security specialist should be part of this team. Who is going to educate who if no one on the team possesses this knowledge? A one-day training session about common vulnerabilities is not going to cut it.
2. Get the right person for the job
  Every job requires a different skillset, and although some people can be very skilled at multiple things, there is a limit to the number of things any one person can excel in. The responsibility of assessing the security status of a web application should be given to an application security specialist, not to an application development specialist, because those are two very different fields of expertise that are often assumed to be the same.
3. Apply defensive coding strategies
  Don’t set yourself up for failure. Today’s web applications are usually very complex beasts, and it’s easy to overlook a small detail as a developer. These overlooked details can quickly become security vulnerabilities. Therefore, you want to build in safeguards that will notify you when you’ve overlooked something. The most straightforward example of this is for authorization checking mechanisms. The functionality should be built in such a way that no one can access the resource if the developer did not specify authorization requirements; that mistake will be noticed immediately during testing. Unfortunately, most authorization checking mechanisms will allow everyone if no requirements are specified, and who is going to notice that? It works fine, right?
4. Continuous testing
  No one is perfect, and everyone makes mistakes. This is true for everything. Testing new and existing functionality thoroughly after every change not only benefits application security but also helps to deliver an overall more robust web application. By security testing (automated and manual) the web application during a development iteration or sprint, vulnerabilities can by identified at an early stage, making it much easier and cheaper to resolve them.

This all sounds like a lot of work, and it is. But it is still a lot less work than fixing a vulnerability once it has been released into production. A defect that is identified during design usually costs 30 times less to fix than one that is identified in a released product.

Source: NIST - The Economic Impacts of Inadequate Infrastructure for Software Testing

Good application security specialists are hard to find these days, and if you are lucky enough to know one, there will be at least 5 recruiter e-mails in his or her inbox by the time you finish reading this article. What the CAST service offers is the possibility to add an application security specialist to your development team who will take on the responsibility of identifying vulnerabilities and educating the developers on your team about the causes, risks, and mitigation measures for these vulnerabilities. This way, the developers get educated on the job, and production can continue.

The security practice in general is currently very focused on identifying and mitigating risk. This risk, however, is the result of vulnerabilities that exist in applications. Thus, if we really want to eliminate the risk, we should focus on the vulnerabilities that introduce the risk in the first place. We should fix the problem at its core, by educating the creators of these applications and investing in proper application security.


We love to show off our technology so, invite us for a demo! Please leave your details below and we'll get in contact with you as soon as possible.

Or you can always give us a call at +31 (0)10 8402688.