
Tuesday, April 9, 2019

Security Strategies in Web Applications Essay Example for Free

Web application design and cryptographic defects are the main reasons to create a secure coding policy and guidelines. The policy and guidelines exist to raise awareness and to ensure diligence when developing code.

Techniques for secure code review

Generally, an IT analyst can divide the secure code review process into two different techniques.

1. Automated/tool-based (Black Box)

In this approach the secure code review is done using different open source or commercial tools. Mostly developers use them while they are coding, but a security analyst may also make use of them. Tools are very useful for code review when the organization follows a secure SDLC process and gives the tool to the developers themselves, so they can self-review their code as they write it. The tools are also useful for analyzing a large codebase (millions of lines): they can quickly identify potentially hazardous pieces of code, which a developer or security analyst can then examine by hand (Infosec).

2. Manual (White Box)

In this technique a thorough review is performed over the whole codebase, which can become a very tedious and tiresome process. But it can identify logical flaws that automated tools cannot, such as business logic problems. Automated tools are mostly capable of finding technical flaws such as injection vulnerabilities but may miss flaws like authorization problems. Instead of passing line by line through the whole codebase, the reviewer can concentrate on the potential problem areas in the code and give those potential vulnerabilities a high priority. For example, in C/C++ the reviewer can find every copying routine in the code and check whether it uses functions such as strcpy() to perform the copy. strcpy() does no bounds checking on the destination buffer, which is why it is a well-known source of buffer overflow vulnerabilities.
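To make the strcpy() check above concrete, the following is an added example (my own code, not from the essay, Harwood or Infosec) showing the pattern a reviewer flags next to a hardened replacement. The field size NAME_LEN, the function names and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* assumed fixed-size field, as found in many legacy C structs */

/* The pattern a reviewer greps for: strcpy() into a fixed-size buffer.
 * Nothing bounds the copy, so a source longer than NAME_LEN - 1 bytes
 * overwrites whatever follows `dest` on the stack or in the struct. */
void copy_name_unsafe(char dest[NAME_LEN], const char *src)
{
    strcpy(dest, src);  /* flagged during review: unbounded copy */
}

/* Hardened replacement: measure first (never reading past NAME_LEN bytes
 * of src), refuse input that does not fit, and always leave dest
 * NUL-terminated. Returns 0 on success, -1 when the input is too long,
 * so the caller can reject the request instead of silently truncating. */
int copy_name_safe(char dest[NAME_LEN], const char *src)
{
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0')
        n++;
    if (n >= NAME_LEN) {
        dest[0] = '\0';          /* fail closed: empty but terminated */
        return -1;
    }
    memcpy(dest, src, n + 1);    /* n + 1 copies the terminator too */
    return 0;
}

int main(void)
{
    char buf[NAME_LEN];
    const char *ok = "alice";                                     /* constructed input */
    const char *too_long = "this-name-is-far-too-long-for-the-field"; /* constructed input */

    copy_name_unsafe(buf, ok);   /* only ever called with input that fits here */
    printf("unsafe, short input: %s\n", buf);

    printf("safe, short input: rc=%d buf=%s\n", copy_name_safe(buf, ok), buf);
    printf("safe, long input:  rc=%d buf=\"%s\"\n", copy_name_safe(buf, too_long), buf);
    return 0;
}
```

The review outcome is not just "replace strcpy with strncpy": strncpy() does not guarantee a terminator, so the hardened version measures the input explicitly and reports the overflow condition to the caller rather than hiding it.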
We may also want to check whether any customized encryption is used in the application; automated tools may miss this, as they can identify standard algorithms only (Infosec).

Introducing security into NIST's five SDLC phases

Initiation Phase: Consists of all activities used to identify the different requirements from all stakeholders. This includes defining stakeholders, conducting stakeholder interviews and possibly some preliminary prototyping. It is also important to identify security requirements at this stage (Harwood, 2011).

Development/Acquisition Phase: Transforms functional and technical requirements into detailed plans for an actual information system. Results from interviews, use cases, and mock-ups are developed into sequence diagrams, activity diagrams, state diagrams, and other artifacts that software developers can interpret. User interfaces are also defined in greater detail (Harwood, 2011).

Implementation/Assessment Phase: The actual coding of the information system. All of the analysis and design artifacts previously created are transformed into application code by developers/programmers. This phase also includes testing and debugging (Harwood, 2011).

Operations/Maintenance Phase: Encompasses all activities required to keep the system working as intended (monitoring, patch management, application fault remediation and audits).

Disposition Phase: Ensures that information is retained, as necessary, to conform to current legal requirements and to accommodate future technology changes that may render the retrieval method obsolete (Harwood, 2011).

Summary

The Software Development Life Cycle (SDLC) is a process to help ensure the successful development, operation and retirement of information systems. The SDLC has numerous methodologies, including Waterfall, Fountain, Spiral, Build and Fix, Rapid Prototyping, Incremental, and Synchronize and Stabilize.

While they share common processes such as design, implementation and testing, one of the most promising methodologies is Waterfall. It has several advantages: it is one of the most widely used and accepted methodologies, nearly all other methodologies derive from it, and its linear approach makes it easy to demonstrate where security fits into each phase.

A crucial part of the SDLC is the source code review. The purpose of source code review is to discuss, exchange information, and explain the code. Explaining the code helps identify problems and may provide new solutions in the troubleshooting process. Effective code reviews can include automated reviews. It is vital to implement security controls at each phase of the SDLC (Harwood, 2011). Best practices should include policies and guidelines stating that software must be free from exploitable code vulnerabilities to meet the required level of confidence, and that the code must provide its security functionality as intended. Best practices and guidelines should be reviewed and maintained annually. Including security early in the information system development life cycle (SDLC) will usually result in less expensive and more effective security than adding it to an operational system (Harwood, 2011).

Works Cited

Harwood, M. (2011). Security Strategies in Web Applications and Social Networking. Burlington, MA: Jones & Bartlett Learning, LLC, an Ascend Learning Company.

Infosec. (n.d.). Retrieved from http://resources.infosecinstitute.com/secure-code-review-practical-approach/
