Hi all, today while reading some application security news I came across an application security white paper by HP. Some of the content of this article is as follows.
Introduction
Historically, application developers and quality assurance (QA) teams have not focused on security. Why? They haven’t focused on security because we have not asked them to. IT Management typically asks developers to achieve two goals—build innovative features and see that the project is completed on time. For QA teams, the expectation is to see that the application functions as intended and that it can scale effectively and perform under load (functional and performance testing). At no point during the development and QA phases does management typically expect that any real form of security testing will take place. In fact, security testing is often viewed as an initiative that works in opposition to the aforementioned goals, as it can extend the already lengthy development and testing phases. Far too many organizations treat security as an afterthought as opposed to being integrated throughout the development process. In addition, most developers and QA professionals do not consider themselves responsible for application security—assuming that security will be managed while the application is live.
Application Security is a quality issue
Many—if not most—businesses deploy web-based technologies under the assumption that gateway security measures such as firewalls and intrusion detection and prevention systems (IDS/IPS) are sufficient to protect web applications from attack or misuse. This is a dangerous assumption. Web applications, by design, are exposed externally or to predefined internal populations, generally on port 80 (HTTP) or port 443 (HTTPS). A firewall will do nothing to protect a web application from vulnerabilities at the application layer; it can only be used to restrict who can access the application in the first place. IDS and IPS systems, on the other hand, rely on signature-based rules to detect anomalous behavior. Web applications are custom applications, not off-the-shelf software components. Due to the customization and ever-changing nature of web applications, it is extremely difficult to write IDS/IPS signatures that will do anything more than detect the most basic attacks.
The majority of vulnerabilities in web applications reside in the custom business logic of the application itself. Compensating controls provided by external products are temporary solutions which seek to hide the vulnerability. It is typically only a matter of time before an attacker identifies an alternate entry point or is able to encode an attack in such a manner that a signature-based technology is unable to detect the attack packet. Only by correcting the vulnerable code is it possible to fully protect the application. It is for this reason that developers, QA teams, and management must share in the responsibility of developing secure code. Auditing a web application either prior to or following release into production simply is not sufficient to identify all vulnerabilities adequately. Application security must be an iterative process that is applied consistently throughout the development process.
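To make the point above concrete, here is a small added example (my own constructed code, not from the HP paper or this post). It models a lookup endpoint behind a signature-based filter of the kind an IDS/IPS applies to the raw request, and puts the vulnerable string-built query next to the corrected parameterized one. The table, the two sample users, the `handle_request` helper and the single signature pattern are all assumptions made up for the illustration; the point it demonstrates is the one in the paragraph: a signature is a compensating control that an encoded variant of the same input slips past, while the parameterized query is safe regardless of what the filter sees.

```python
import re
import sqlite3
import urllib.parse

# Constructed stand-in for an IDS/IPS rule: one signature, matched against the
# raw (still URL-encoded) query string exactly as it arrives on the wire.
SIGNATURES = [re.compile(r"'\s*or\s+'1'\s*=\s*'1", re.IGNORECASE)]


def signature_blocks(raw_query_string: str) -> bool:
    """Compensating control: returns True when a known pattern is present."""
    return any(sig.search(raw_query_string) for sig in SIGNATURES)


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Business-logic flaw: the user-supplied value is spliced into the SQL text."""
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Corrected code: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return conn.execute(sql, (name,)).fetchall()


def handle_request(conn: sqlite3.Connection, raw_query_string: str, lookup) -> object:
    """Hypothetical request path: signature check first, then decode, then query.

    Returns the string "blocked" when the signature fires, otherwise the rows
    the chosen lookup function produced.
    """
    if signature_blocks(raw_query_string):
        return "blocked"
    params = urllib.parse.parse_qs(raw_query_string, keep_blank_values=True)
    name = params.get("name", [""])[0]
    return lookup(conn, name)


# Three constructed requests: a normal one, the plain pattern the signature was
# written for, and the same value URL-encoded so the raw string no longer matches.
NORMAL = "name=alice"
PLAIN = "name=x' OR '1'='1"
ENCODED = "name=x%27%20OR%20%271%27%3D%271"


def run_demo() -> dict:
    """Returns what each code path does for each request, for comparison."""
    conn = setup_db()
    return {
        "normal_vulnerable": handle_request(conn, NORMAL, lookup_vulnerable),
        "plain_vulnerable": handle_request(conn, PLAIN, lookup_vulnerable),
        # Signature misses the encoded form; the flawed query then returns every row.
        "encoded_vulnerable": handle_request(conn, ENCODED, lookup_vulnerable),
        # Same request against the corrected code: no user has that literal name.
        "encoded_fixed": handle_request(conn, ENCODED, lookup_fixed),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:>20}: {result}")
```

Running it shows the signature catching only the form it was written for, the string-built query returning both users once the input is encoded, and the parameterized query returning nothing for the same request. The filter never needed to be right for `lookup_fixed` to be safe, which is the paragraph's argument for fixing the code rather than layering detection in front of it.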
Some of the risks posed by an insecure application are financial in nature and the cost of a single security breach can be significant. It is important to remember that the total cost can be difficult to fully measure due to the intangible nature of many costs. While the cost of labor to remediate the damage would be an obvious cost, damage to a corporate reputation caused by a defaced website or an unavailable application due to a distributed denial of service attack can be much more difficult to measure.
Regulatory risk is another substantial and growing concern. Failure to adhere to a growing list of government and industry regulations can lead to fines, discontinuation of services, and even civil and criminal penalties. The following common regulations all emphasize the need for security, especially at the application level.
Application security—The new frontier for QA
Unfortunately, the availability of application-security testing tools is extremely limited. Existing tools such as static code analyzers or black box testing tools are complex and require security and vulnerability expertise that is rarely available within QA organizations. Businesses need a simplified, cost-effective means to incorporate security expertise into QA processes without impacting production schedules or resources.
Currently, the only solution that meets these rigorous requirements is HP QAInspect software. This innovative testing tool brings application security expertise to QA environments to produce an integrated, highly-automated approach to security and application development. This easy-to-use unification of previously separate processes has built a growing legion of satisfied customers because it recognizes the following business realities:
- Web applications are complex, dynamic creations that span multiple platforms and protocols
- Web applications, by definition, create a security risk because they breach the network perimeter
- Web applications grow in sophistication and number and the potential for critical vulnerabilities grows far faster than discovery or patching efforts can possibly match
- QA personnel, software testers, and developers are not security experts, and security professionals are not QA personnel, software testers, or developers
- Web applications function in a dynamic environment. Security testing must recognize this reality and provide direction for how an application will meet user needs on an ongoing basis prior to the application’s release.




One Response to “Application Security: The Missing Pillar of Software Quality”