As business moves rapidly towards e-commerce and transactions increasingly happen over the Web, security is an area of major concern for all kinds of applications, whether B2B, B2C or C2C, because the nature of HTTP poses certain security pitfalls. Technologies, languages and APIs make for interesting discussions, but application security remains one of the most talked-about topics. There has always been a race between the positive thinkers (implementers) and the negative thinkers (attackers).
Whenever we start a project we usually think about its functional requirements, target segment, and so on. There has always been a need to think just as seriously about security requirements. Similarly, when we undertake development and QA, the major thrust is on feature implementation and functional testing. This is not to say that functional requirements should be given less importance, but security deserves equal importance alongside them.
A security breach, or a breakdown of the system due to security issues, can directly or indirectly lead to:
- loss of new business opportunities,
- loss of existing business,
- loss of credibility, and
- loss of competitive edge over competitors,
all of which ultimately result in monetary losses.
Security significance across Project phases
One recent example is the failure of the online pre-ordering system of one of the world's biggest telecom service providers. The online system was down for some days because of security issues, leaving a monetary impact and, most importantly, an impact on credibility.
Security is a continuous process that ends only when a system is retired. Ideally, to successfully identify and resolve all the security issues within an application, we have to treat security as part of the application SDLC itself and not as a separate entity; that is, we should integrate security into the SDLC.
Securing applications requires a combined effort across all areas: requirements gathering, application design, server management, network management and security auditing. As the threat landscape for applications keeps changing, we should perform threat modeling, security auditing and security reviews on a regular basis, followed by updates to the security policies, to keep the system safer and compliant with industry standards.