The habit of thinking about IT security only at the end of the development of web applications is not sustainable. Cyber attacks in the media are putting companies under increasing pressure to improve their security measures. In business areas such as banking and finance, where IT security is particularly important, the situation has already improved, but in many places the old patterns remain.
Changes to web applications that need to be made at the end of a project for security reasons not only come too late, but become more costly as the project progresses, especially if they need to be implemented after the applications are deployed. The best approach to cyber security is therefore to integrate security throughout the application lifecycle. This starts with the development project and covers all processes from deployment to retirement at the end of the lifecycle.
When considering the entire lifecycle of an application, the running costs amount to approximately 15 to 20 percent of the initial application development project costs incurred for operation and maintenance alone per year. In addition, there are the additional security changes, which, if they are extensive, require a change project of their own. This is the total cost of ownership, regardless of the functions or development methods provided (e.g. waterfall, agile). Therefore, if security is not integrated from the start, development costs and operational risks can explode.
Does everyone need to become a security expert?
More security in web applications requires a fundamental change in strategy, especially when IT security is left to network or infrastructure departments.
Developers are just as responsible for the security of their web applications as network and infrastructure departments or the security officers - only on a different level. Robust web application security is difficult to achieve and must encompass all areas.
The following are just a few of the reasons why this is so difficult to achieve:
- Application security is by far the most comprehensive area of IT security. Some parts of it are complex and the right execution requires professional IT security knowledge.
- It is impossible to train all application developers, testers and technicians to become IT security professionals. It should also not be their focus.
- Application security can and must be implemented in different ways and at different levels.
- For some applications there are long release cycles for reasons of dependency, so no quick changes are possible.
- Testing and code reviewing is a tedious task that takes a lot of time. Additional security testing and code checking does not make this any better.
- Infrastructure and operational departments do not want to be involved and are responsible for application security. Of course, they don't want to implement these security measures either - at least not too strictly, as this would be too much intervention.
- Application developers and business owners mistakenly assume that IT security is already covered by the infrastructure. Misunderstandings based on unconfirmed assumptions are not uncommon in IT departments, which is unfavorable on important issues such as cyber security.
These issues need to be solved intelligently. This means that DevSecOps must clarify who is doing what at what (security) level. DevSecOps describes the mindset of integrating security into development and the operational lifecycle: DevSecOps can help development achieve goals more efficiently and help management meet the need for an appropriate, efficient organization. The buzzword visually conveys that a convincing DevSecOps way of thinking is necessary for secure application development and secure operation in the area of cyber security.
Supplementary information on Configuration Staging
Managing configurations that are largely the same but differ in some respects is tedious and error-prone. Such partially overlapping configurations usually exist between different environments (e.g. test, integration and production) or between multiple clients that use the same service differently. With certain solutions, the common attributes of different configurations can be separated from those that are only valid for one environment or one client. When changes are imported, the common basis can be updated automatically, while the special attributes are retained.
Support DevSecOps - with a versatile WAFdurch eine vielseitige WAF
A good reverse proxy is an important factor for the security and also the deployment of web applications. By using a web application firewall as a security framework with staging support (see box "Configuration Staging"), these security standards are directly available to development and operations staff, which increases efficiency. The comprehensive security is thus implemented upstream across all applications. The next step is to define the DevSecOps responsibilities with regard to the actual implementation of these security standards within the company.
- Developers should not create new complex security features, but reuse different standards such as centralized authentication and single sign-on, access control, secure session and cookie handling, URL encryption, form protection, browser fingerprinting, and more.
- Developers should only develop application-specific security features (data access control, application business flow and transactions to protect application APIs, exceptions, etc.) that cannot be reused and focus on improving their code quality (security testing, code verification, etc.).
- At the operational level, WebApplicationFirewall capabilities can be used to centrally address newly discovered vulnerabilities or adjust the level of security for all or relevant applications.
- For infrastructure, a web application firewall can be used as a secure reverse proxy for DMZ security and application delivery (load balancing, failover and high availability, network isolation, URL redirection, content revision, etc.).
- Thus DevSecOps leads to a uniform security infrastructure for web applications and to the development of secure web applications. Such a framework strategy can be implemented locally or in the cloud.
The section above provides just one example of how DevSecOps for cyber security can be implemented through technology and better organized interaction. This mindset can also be applied to other technologies or products to embed DevSecOps seamlessly. However, there are other aspects such as IT and business strategy. Elements that are difficult or time-consuming to implement should be reused. Therefore, cyber security should be combined with efficiency.
Enterprise Security Architecture for Web Applications
The Web Application Firewall example described above is particularly interesting because it includes a secure reverse proxy that is versatile enough to cover many other aspects of Web application deployment.
Using a secure reverse proxy as a central entry point for all web applications can become strategic if it is integrated into an overall concept for cyber security. Such an overall concept would be the implementation of an enterprise security architecture for all web applications connected to the Internet, with many positive implications for the strategy in terms of business applications, IT management and IT governance.
By forcing developers to reuse difficult-to-implement elements and centrally deploy standardized functionality, not only cyber security but also cost-effectiveness in the secure execution of web applications improves.
About the author
Dr. Martin Burkhart is Head of Product Management at Airlock. After studying computer science at ETH Zurich, Martin Burkhart first worked as a software developer before disserting at ETH on anonymization of network data and applied cryptography for collaborative security protocols. At Ergon, Martin Burkhart has led IAM integration projects since 2012 and has been responsible for product management of the Airlock Secure Access Hub since 2013.