When information warfare experts want to set the proper baseline for what's "secure," they point out that the only completely protected machine is one that's disconnected from the network and preferably turned off. Application development security begins from an equally useless zero point: The only completely secure application is one that accepts no input from the outside and offers no access to data.
Everything beyond that null-and-void level of IT system function demands a balance between business benefit and information risk. That balance is getting more difficult to define, let alone achieve, as the expectations of application users rise while the risk environment becomes continually more dynamic.
Two factors intensify the hazards facing enterprise development professionals. First, the growing dominance of Web-enabled applications exposes developers' finished products to a vastly larger army of attackers. Second, the rapid development cycles of customer-facing or supply-chain-partnering software mean that most new code is never really finished at all.
"People are continuously updating the code—there's no way to do a full code review," said John Dickson, a partner in Denim Group Ltd., a development consultancy based in San Antonio. "You'd have three or four reviews every week."
Past development practices—with almost seasonal cycles of code specification, design, development and review—do not have a sterling reputation for producing secure results, but at least they presented only a few discrete points each year at which new vulnerabilities might be expected to appear. The continuous development of a Web site—or the kaleidoscopic, continual reshuffling of Web services constellations—must fundamentally change the security posture of the enterprise development team.
Security must be built into applications from the lowest level upward, rather than applied as a hard outer shell, because a focus on perimeter security ignores the fact that many intruders are already on the inside.
In fact, more than 80 percent of companies have detected system penetrations of internal origin, according to data compiled by insurance brokerage and risk management company Arthur J. Gallagher & Co., in Itasca, Ill. This means that applications performing their normal function, at the behest of authorized internal users, must be viewed as dwelling in hostile territory rather than in trusted environments.