Solutions Architecture Blog

Wednesday, March 05, 2008 - Posts

Web Application Security – beyond authentication and authorization
by Daan De Brouckere 03.05.08


How much time do you usually spend securing a new system? Does security play a major role in your software architecture? How much security is enough?

Securing web applications traditionally consists of two components referred to as authentication and authorization. Authentication is wrapped up in the log-in process, during which your system needs to identify the user or other system attempting to gain access. Application developers will create log-in pages or leverage Single Sign-On solutions to address the authentication issue. In addition, HTTPS will be used to encrypt the communication between your end-users and the system. Authorization, on the other hand, is the process by which the system verifies that a user (or external system) has the permission to execute a particular function within the system. This may be addressed by implementing a role-based security model.
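To make the distinction concrete, here is an added example (not code from the original post) of a small role-based authorization check kept separate from authentication. The role names, permissions and the `Principal` class are constructed for illustration; the point is that an unauthenticated caller and an authenticated-but-unauthorized caller are two different failures, and that the check denies by default, so a role the policy does not know about grants nothing.

```python
from functools import wraps

# Constructed role-to-permission map for this example; a real system would
# load it from a policy store rather than hard-code it.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin": {"report:read", "report:export", "user:manage"},
}


class AuthenticationError(Exception):
    """Raised when the caller's identity has not been established (no login)."""


class AuthorizationError(Exception):
    """Raised when an identified caller lacks permission for the action."""


class Principal:
    """The result of a successful login: who the caller is and which roles they hold."""

    def __init__(self, user_id, roles):
        self.user_id = user_id
        self.roles = frozenset(roles)

    def permissions(self):
        perms = set()
        for role in self.roles:
            # Unknown roles contribute nothing: deny by default.
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


def requires(permission):
    """Decorator: the first argument must be an authenticated Principal holding
    `permission`; anything else is refused before the function body runs."""

    def decorator(func):
        @wraps(func)
        def wrapper(principal, *args, **kwargs):
            if principal is None:
                raise AuthenticationError("login required")
            if permission not in principal.permissions():
                raise AuthorizationError(f"{principal.user_id} lacks {permission}")
            return func(principal, *args, **kwargs)

        return wrapper

    return decorator


@requires("report:export")
def export_report(principal, report_id):
    """A protected operation; authorization is enforced by the decorator."""
    return f"report {report_id} exported by {principal.user_id}"


def try_export(principal, report_id):
    """Map the two failure modes to the HTTP statuses a web tier would return:
    401 for 'we do not know who you are', 403 for 'we know, and the answer is no'."""
    try:
        return 200, export_report(principal, report_id)
    except AuthenticationError:
        return 401, "not authenticated"
    except AuthorizationError:
        return 403, "not authorized"


if __name__ == "__main__":
    print(try_export(None, 7))                          # (401, 'not authenticated')
    print(try_export(Principal("bob", ["viewer"]), 7))  # (403, 'not authorized')
    print(try_export(Principal("ann", ["analyst"]), 7)) # (200, 'report 7 exported by ann')
```

Keeping the permission check in one place (the decorator) rather than scattered through each handler is what lets a reviewer later answer the architecture question the post raises next: which tier is responsible for security, and can every module rely on it.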

Is this enough? Well… that all depends on what kind of system you need and what kind of legal implications apply (such as HIPAA).

Security must be addressed in each of the following phases of the software development lifecycle.

Requirements
During requirements gathering and scope definition, one must understand what the security requirements are. Don’t just ask for them, but lead with questions and what-if scenarios.

Architecture and Design
When defining your architecture, consider the different components that will be needed to provide adequate security. Will security be encapsulated as part of each module, or will the modules in the middle tiers assume that a different tier has taken care of security?

Development
Have you identified secure coding practices as part of your coding standards, such as minimizing the attack surface and establishing secure defaults?

Testing
Have you planned for security testing that addresses common attacks and checks for vulnerabilities?

Deployment
Is your connection from application to database running with more privileges than necessary? Is the right security infrastructure in place, including firewalls and intrusion detection systems?


As you’re evaluating your current system or building the next generation of products, please take a moment to think about security beyond authentication and authorization. I’m not suggesting that every system needs to be secured like Fort Knox, but rather that you consciously think about the appropriate level of security for your system and document it as part of your system architecture and development process.

There are many references out there to help you improve software security. I would recommend the Open Web Application Security Project (OWASP) to start.
