Monitor the process

By Darryl K. Taft  |  Posted 2008-03-14

"The reality is that even if your application fails 99.9999 percent of the time in a secure way, some hacker out there likely will uncover that one-in-a-million failure mode to exploit your application," he said. "And that is very difficult to test for."

However, vigorous testing must be done nonetheless, say experts.

"Components of an application need to be tested separately and also again together," Weider said. "A part of an application could be secure on its own, but when code created by another person [is introduced], a new security vulnerability could be created. Security can never be taken for granted."

Moreover, Weider said, there have been some incredible advancements in the quality of security-testing tools in the last several years. "Used in conjunction with good process and training, tools can significantly reduce the cost and time required for security testing," he said.

Step 5: Monitor the process.

Lastly, compliance with security policies should be monitored on an ongoing basis.

"Monitor compliance to security policies using an automated infrastructure," Parasoft's Kolawa said. "At a scheduled time each night, the automated infrastructure should retrieve the latest code modifications from source control and determine whether that code complies with the security policy. If a problem is found, the developer who introduced it should be notified within his or her IDE [integrated development environment] to promote fast remediation."
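The nightly check Kolawa describes, sketched here as an added example that is not code from the article, Parasoft or any named vendor: it walks the `git log -p` output for the commits pulled since the last run, applies a hypothetical security policy to every added line, and groups findings by the author's e-mail so the developer who introduced each one can be notified. The policy rules and the log excerpt are constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical policy (constructed for this example): (rule id, pattern for an added line, message).
POLICY = [
    ("SEC-001", re.compile(r"\b(strcpy|gets|sprintf)\s*\("), "unbounded C string function"),
    ("SEC-002", re.compile(r"(?i)(password|api[_-]?key|secret)\s*=\s*['\"][^'\"]+['\"]"), "hard-coded credential"),
    ("SEC-003", re.compile(r"\beval\s*\("), "dynamic code evaluation"),
]
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})$")
AUTHOR_RE = re.compile(r"^Author: .*<(.+?)>$")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def nightly_policy_check(log_text):
    """Scan `git log -p` output for policy violations on *added* lines and return them
    grouped by the e-mail of the developer whose commit introduced each one."""
    by_dev, sha, author, path, lineno, in_hunk = defaultdict(list), None, None, None, 0, False
    for raw in log_text.splitlines():
        if m := COMMIT_RE.match(raw):
            sha, in_hunk = m.group(1), False
        elif m := AUTHOR_RE.match(raw):
            author = m.group(1)
        elif raw.startswith("+++ b/"):                # header naming the new version of the file
            path = raw[6:]
        elif m := HUNK_RE.match(raw):
            lineno, in_hunk = int(m.group(1)), True   # line number in the new version of the file
        elif in_hunk and raw.startswith("+"):          # a line this commit introduced
            for rule_id, pattern, msg in POLICY:
                if pattern.search(raw[1:]):
                    by_dev[author].append(f"{path}:{lineno} [{rule_id}] {msg} (commit {sha[:7]})")
            lineno += 1
        elif in_hunk and raw.startswith(" "):          # context line; removed ("-") lines do not advance
            lineno += 1
    return dict(by_dev)
# Constructed `git log -p` excerpt standing in for last night's pull from source control.
SAMPLE_LOG = """\
commit a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
Author: Alice Example <alice@example.com>
+++ b/src/config.py
@@ -10,1 +10,3 @@ def load():
     cfg = {}
+    api_key = "constructed-placeholder-value"
+    cfg["mode"] = eval(raw_mode)
commit b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1
Author: Bob Example <bob@example.com>
+++ b/src/buf.c
@@ -21,1 +21,1 @@ void copy_name(char *dst, const char *src)
-    memcpy(dst, src, 32);
+    strcpy(dst, src);
"""
```

In a real pipeline the text fed to `nightly_policy_check` would come from `git log -p <last-run-sha>..HEAD` and each per-developer list would be pushed to that developer's IDE plugin or inbox.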

This step also includes security code reviews and maintaining security vigilance as applications move into production.

"No development project, no matter how well-designed or executed, will remain 100 percent secure 100 percent of the time if left to its own devices," said Andrew Zaikin, a security expert and project director at outsourcing specialist Exigen Services.

"Watch production, read production logs as they are being developed, and stay involved on a consistent and continual basis," Zaikin said.

Darryl K. Taft covers the development tools and developer-related issues beat from his office in Baltimore. He has more than 10 years of experience in the business and is always looking for the next scoop. Taft is a member of the Association for Computing Machinery (ACM) and was named 'one of the most active middleware reporters in the world' by The Middleware Co. He also has his own card in the 'Who's Who in Enterprise Java' deck.
