Monday, December 27, 2010

Shifting Paradigms: A Fresh Approach to Application Security Frameworks

"The gap between hacker threats and suitable security defenses is widening faster than ever." - Forrester Research, August 2010

The need for security in IT systems is greater than ever as businesses operate in today's uncertain environment. That need runs the gamut of the IT universe: applications, networks, systems, databases and so on. Today's threat landscape spares no part of IT, and assets that were taken for granted until recently are now at risk unless deliberate steps are taken. This translates into a need for robust security testing frameworks.

Even though security managers realize the need to keep up with an ever-changing threat landscape, their efforts are hamstrung by two key problems: work towards better security is undertaken in isolation, and security testing is largely treated as an afterthought at the end of the software development lifecycle. Rather than the reactive approach that has been the trend in the past, it makes far more sense to apply the rigor of security testing methodologies before the threats loom overhead.

The critical link in the chain, which organizations are now waking up to, is that security testing must be built into the Software Development Life Cycle (SDLC) rather than retrofitted once a security threat is detected. Integrating security testing with the SDLC gives early visibility into security vulnerabilities and defects, which leaves sufficient time to deploy remedial measures. The integration spans tasks from the Inception phase all the way to Transition.

Abuse cases, threat modeling and risk-based security testing are among the activities that need to come in during the early stages of the SDLC, creating an effective security perimeter around the application development exercise. As the lifecycle draws to a conclusion, penetration testing follows, and after release a continuous evaluation of extant threats and their mitigation plans takes over; this ongoing analysis and review of threat mitigation needs to be part of the plan from the start, not an add-on.

At GSS we help clients build robust Security Testing Frameworks so that they mitigate risks before those risks materialize. For more information, visit us at www.gssinfotech.com