Web application development is an ever-changing industry, and its best practices are still being defined. Currently, most organizations follow a set of standard steps that outlines each phase of software creation. These phases are collectively referred to as the software development life cycle, or SDLC. The lack of security in web application development has long been recognized as a serious issue and as a vital missing piece of the process. In the past, security assurance was relegated to the QA phase of development, if it was addressed at all. Forward-thinking organizations are now adding security activities to every phase of the SDLC, which lets them discover flaws sooner, when they are cheaper to fix, and significantly increases the security of their applications. The typical security activities in each phase of the SDLC are described below:
Training: Everyone involved in web application development receives basic security training, so that developers recognize the flaw classes the later phases are trying to catch. Scalability and repeatability are critical aspects of an effective security training program.
Requirements: As software requirements are defined, the corresponding security requirements should be defined alongside them. For example, if sensitive customer data is to be collected and stored, there should be established requirements for how that data is protected, both in transit and at rest. Security requirements should be written so that they can be verified later (a specific protocol, algorithm, or key-handling rule rather than a vague goal such as "data is encrypted"), because the QA phase can only test against requirements that are concrete.
Design: Once the application requirements are captured, an architecture is designed to satisfy them. At this stage the necessary security controls (authentication, authorization, input validation, cryptography, logging) should also be identified and included as part of the application design, together with the threats each control is meant to address.
Implementation: After requirements have been determined and an architectural design is established, software development begins. Ideally, developers receive security feedback while they are coding, and this feedback should start as early and arrive as often as possible. Because this phase is usually the most labor-intensive, automated security checks (such as static analysis, dependency scanning, and secret detection) should run continuously, for example on every commit, so that a developer can address issues in near real time rather than weeks later.
Quality Assurance: New application code should be tested before it goes into a production environment to ensure that it behaves as expected. While some organizations only test applications to ensure that the functional requirements are met, others are also beginning to test whether the application adheres to the established security requirements. The security requirements written earlier should be turned into test cases that run alongside the functional tests, so that a failing security test blocks a release in the same way a failing functional test does.
Production: In the deployment phase, continual testing is vital for maintaining security assurance and protecting against common application vulnerabilities. In addition, updates to applications already in production can introduce new flaws, and a control that was verified once can be silently removed by a later change. Therefore, every code update should be subjected to the same source-level, QA, and production testing as the original release.
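The thread running through the requirements, QA, and production phases above is that a security requirement written early should become an automated test that runs on every update. The following Python example, added here and not taken from the original page, shows that pattern. Everything in it is constructed for illustration: the requirement identifier SR-1, the iteration threshold, the two store classes, and the test password are assumptions. The page's own example is encryption of stored customer data; this example uses credential hashing as the stand-in requirement because it can be checked with the standard library alone and exercises the same idea. The check is run against a deliberately non-compliant store as well as a compliant one, which is how you confirm the test can actually detect the violation rather than merely passing on the good implementation.

```python
"""Security requirements as automated tests (added example; not code from the original page)."""
import hashlib
import hmac
import json
import os

# Hypothetical requirement written in the requirements phase (SR-1 is an assumed identifier):
#   user credentials must be stored as a per-user random salt plus a PBKDF2-HMAC-SHA256
#   hash with at least MIN_ITERATIONS iterations, never in recoverable form, and
#   verification must use a constant-time comparison.
MIN_ITERATIONS = 600_000


class PlaintextStore:
    """Deliberately non-compliant implementation: keeps the password as typed."""

    def __init__(self):
        self._rows = {}

    def create_user(self, name, password):
        self._rows[name] = {"password": password}

    def verify(self, name, password):
        row = self._rows.get(name)
        return row is not None and row["password"] == password

    def rows(self):
        return self._rows


class HashedStore:
    """Implementation that meets SR-1."""

    def __init__(self):
        self._rows = {}

    def create_user(self, name, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, MIN_ITERATIONS)
        self._rows[name] = {"salt": salt.hex(), "iterations": MIN_ITERATIONS, "hash": digest.hex()}

    def verify(self, name, password):
        row = self._rows.get(name)
        if row is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, MIN_ITERATIONS)
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(row["salt"]), row["iterations"]
        )
        return hmac.compare_digest(digest, bytes.fromhex(row["hash"]))

    def rows(self):
        return self._rows


def check_sr1(store):
    """Run requirement SR-1 against a store; returns the list of violations (empty means compliant).

    Intended to sit in the QA suite beside the functional tests and rerun on every update."""
    failures = []
    password = "correct horse battery staple"  # constructed test input
    store.create_user("alice", password)
    store.create_user("bob", password)  # second user with the same password
    rows = store.rows()
    stored_text = json.dumps(rows)

    if password in stored_text:
        failures.append("plaintext password present in stored data")
    if hashlib.sha256(password.encode()).hexdigest() in stored_text:
        failures.append("unsalted SHA-256 of password present in stored data")
    if rows["alice"] == rows["bob"]:
        failures.append("identical passwords yield identical records (no per-user salt)")
    if any(row.get("iterations", 0) < MIN_ITERATIONS for row in rows.values()):
        failures.append(f"fewer than {MIN_ITERATIONS} PBKDF2 iterations")
    if not store.verify("alice", password):
        failures.append("correct password rejected")
    if store.verify("alice", "wrong password"):
        failures.append("wrong password accepted")
    if store.verify("mallory", password):
        failures.append("unknown user accepted")
    return failures


def release_gate():
    """What a CI job would run: every credential store implementation must pass SR-1."""
    return {cls.__name__: check_sr1(cls()) for cls in (PlaintextStore, HashedStore)}


if __name__ == "__main__":
    for name, failures in release_gate().items():
        print(("PASS " if not failures else "FAIL ") + name)
        for failure in failures:
            print("    - " + failure)
```

Run as a script it prints a PASS line for HashedStore and a FAIL line for PlaintextStore listing three violations (plaintext present, no per-user salt, iteration count below the requirement). The point of keeping the non-compliant store in the suite is the same as keeping a known-bad input in any test: if a later refactor weakens check_sr1, the plaintext store starting to pass is what exposes it.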