As the costs of increasing security breaches begin to impact bottomlines, software development firms are debating how early in the development cycle they ought to build in application security.

According to Gartner, 75 per cent of cyber attacks and Internet security violations are generated through Internet applications, and three out of four business websites are vulnerable to attack. Martin Nystrom of Cisco comments that as many as 95 per cent of the Web applications have serious flaws.
Does that ring a bell? For years, application security has been evolving to a stage where it is bound to have mainstream adoption in the software development lifecycle but has not been able to reach that stage till now. Even Gartner endorses this view that continuous attacks on Web applications have made application security an integral part of the software development life cycle.
Generally, application development managers assume that making their software more secure would add to the cost of the tools, and thus would increase the overall expenses. But they fail to understand that the ROI from Web applications largely depends on CIA (confidentiality, integrity and availability). Imagine a case when there is a breach and customer data is stolen-in other words, a breach of confidentiality has occurred. Such incidents would not only lead to short-term financial loss but also to a long lasting reputation loss and a halt to repeat business.

If we take a look at the past few years, numerous websites were hacked, including loopholes being found in even Gmail and PayPal. Hackers even breached the networks of many national secret security agencies of the world. Statistics also throw up some alarming facts. The Web hacking statistics by Web Application Security Consortium (WASC) come as an eye-opener about the rising cases of Web application attacks.

The business drivers identified by these stats list “for profit” as the primary motive of hacking, followed by ideological hacking. In 2007, the website of the chief minister of Kerala was hacked and defaced. The local police contacted the Interpol to help in finding who was behind the website hacking. Later, the Bank of India website was hacked and seeded with a wide, wild array of malware that infected any user running unpatched browsers. Early this year, security researchers, Ismael Valenzuela and later Dancho Danchev, discovered that the Indian Embassy in Spain was serving malware through an injected malicious iFrame. The same problem was found in the Times of India website, as well.

Keeping all this in mind, many analysts predict that the need for application security will grow even more aggressively. Many companies are still living with a belief that a firewall or SSL (secure sockets layer) will protect them from Web attacks; however, that is a complete myth. Once the Web traffic is allowed through a firewall, there is no more firewall left for attacks at the Web surface. And SSL only protects the communication channel and not the application, per se. This is another factor that calls for application developers to integrate the security feature while they are developing software.

Even though application security is highly recommended, there is only one central body that produces guidelines to be followed while setting the security standards of an application. The Open Web Application Security Project (OWASP) is a worldwide free and open community with a focus on improving application software security.

Jeff Williams, chair – OWASP Foundation (USA), shared his views on the need for application security in one of the OWASP conferences held in Delhi, India. He said, “Whether across the globe or down the street, outsourcing software requires a great deal of trust. Nothing will undermine confidence in a software development organisation faster than security vulnerability. Adopting security as one of your core values will not only cut risk and save money, but will also allow you to innovate – creating new applications that require a high degree of trust.”

Security: An integral part of SDLC
Today, application development managers tend to make the mistake of not including the security aspects right from the beginning of the software projects. This turns out to be a costly step for them, as revisiting the security issues and defects left in the initial phases costs many times more to fix if not identified in the beginning. IBM Systems Sciences Institute identified the cost multipliers in the following figure.

Many information security related research studies justify the ROSI (return on security investment) made by many organisations in various development phases. According to MIT (Massachusetts Institute Of Technology), fixing security defects during the testing phase costs nearly seven times more compared to fixing the same defects during the development phase.

It’s a far better idea to treat application security as an ongoing process rather than a one-time effort.