…the project of web application security will never be truly finished!
The sheer range of solutions when it comes to web application security can be intimidating for CISOs, Development Managers or basically anyone dealing with vulnerable web applications.
Since many companies face the decision of whether and how to implement a web application security tool, I put together a guide for you on how to tackle your "web app security" project.
Some parts of this article might be more helpful to you than others, depending on your current security status and how much research you’ve already done. Let’s get to it!
Define the problem
As with many business issues, your first step is to define the pain point that you’re having right now.
What harms your business? What do you want to improve? What could make your employees more productive?
When it comes to web application security, there is usually more than one factor that can be improved, so you will have to look at the status quo of your web application security and audit every measure, tool or process that is already in place.
To find out what aspects the perfect solution should cover you will need to ask the following questions:
- What are your most critical assets? What needs to be secured?
- What kind of application do you operate? Do you want to scan an API, a single-page application or a classic website?
- Are you developing your own application or is someone developing for you?
- Which methods does your team use (e.g. Scrum etc.)?
- What does your CI/CD pipeline look like, and at which stage can a tool be integrated?
The result of this part should be a project plan for your web application security integration that contains all necessary steps toward closing the gap between your current and your target security state.
After that, you should check your current processes again to find out what’s already in place and what items of your checklist you can tick off to begin with.
Maybe you have a tool integrated that just doesn't cut it, or you are struggling with many different tools to secure your application. Have a look at your current testing process. Do you do manual penetration tests, and if yes, how many pentests are you doing per year? Whether these tests are done in-house or by an external agency, there is major savings potential here!
During this process, you might already be solving a few of the problems you're facing, or you may have added some more to your project plan. Once you have compared your actual security measures to the target state, it's time to find the solution that closes the gap.
Find your solution
Time to find the perfect solution for you! After making a list of all solutions that are relevant, you will face these questions to narrow it down to your tool of choice:
- How many scans are you planning to make?
- How many projects do you have?
- How many software developers are in your team?
- Do you want to do invasive or non-invasive scans? (Invasive, i.e. active, scans send attack payloads and can modify or corrupt data on the target, so they belong on a test system; non-invasive scans only observe and can be run against production.)
- Do you need a tailored solution or is a standardized tool enough for you?
- Do you want to scan your application continuously (e.g. every day, every week, after every deployment)?
- Do you want to automate your web application security? (Hint: You should!)
Ideally, your solution evaluation process also contains a phase in which you evaluate which tasks may be eliminated through the tool (or which new tasks are created). This should factor in your ROI calculation and the business case for a new tool as time savings. What is more, you can use this list of tasks again during the implementation phase — to make sure you actually realize the time savings after the implementation. If you need more input on the business case, read our blog about the ROI of web application security.
Additionally, you should check out this article for additional tips on how to choose the right software for you!
Get into the tool
Next up, you should plan the implementation of the tool you chose. Appoint a project leader (if you haven't done that already) who supervises the process and makes sure the plan is documented and monitored. I recommend someone who is going to be involved with the issue for a longer period, since the project of web application security will never be truly finished.
Now you will see whether you've done your audit and tool research properly. For some tools the implementation will be easier than for others. Maybe there is additional support from your provider, or the tool just integrates well with the tools you already use (e.g. it creates tickets in Jira, sends Slack notifications or e-mails reports).
The implementation should be adjusted to how often and at what times you deploy, so that it doesn't hamper your development processes but actually enhances the quality of your developers' code. Maybe, while getting to know the tool, you can find parts where you can automate processes and have your security status checked after every deployment to your test system.
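The "check after every deployment to the test system" step is where most teams first wire a scanner into the pipeline, and the part they usually forget is a baseline: without one, every scan fails the build on findings that are already known and ticketed. The script below is an added example, not code from the original article or from any particular scanner; it assumes the tool can export its findings as JSON (one object per finding with a stable `id`, a `severity` and a `title`) and that already-triaged finding ids are kept in a checked-in baseline file. Both the scan export and the baseline here are constructed sample data.

```python
import json
import sys

# Severity labels as a scanner might emit them, mapped to a comparable rank.
# (Assumed labels; adapt to what your tool actually produces.)
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample export standing in for the scanner's JSON output after a
# scan of the test system: one object per finding with a stable id.
SAMPLE_SCAN = json.dumps([
    {"id": "xss-search-q", "severity": "high",
     "title": "Reflected XSS in /search?q="},
    {"id": "hdr-missing-csp", "severity": "low",
     "title": "Missing Content-Security-Policy header"},
    {"id": "sqli-login-user", "severity": "critical",
     "title": "SQL injection in /login (user parameter)"},
    {"id": "cookie-session-nohttponly", "severity": "medium",
     "title": "Session cookie without HttpOnly flag"},
])

# Constructed baseline: ids of findings already triaged and tracked (e.g. as
# Jira tickets). Only findings NOT listed here can break the build.
SAMPLE_BASELINE = json.dumps(["hdr-missing-csp", "cookie-session-nohttponly"])


def _rank(finding):
    # Unknown or missing severity labels are treated as "info", never dropped.
    return SEVERITY_RANK.get(str(finding.get("severity", "info")).lower(), 0)


def new_findings(scan_json, baseline_json, min_severity="high"):
    """Findings absent from the baseline with severity >= min_severity, most severe first."""
    threshold = SEVERITY_RANK[min_severity]
    known = set(json.loads(baseline_json))
    blocking = [f for f in json.loads(scan_json)
                if f["id"] not in known and _rank(f) >= threshold]
    blocking.sort(key=_rank, reverse=True)
    return blocking


def gate(scan_json, baseline_json, min_severity="high"):
    """Exit status for the pipeline step: 0 = pass, 1 = new findings need triage."""
    blocking = new_findings(scan_json, baseline_json, min_severity)
    for f in blocking:
        print(f"NEW {f['severity'].upper():<8} {f['id']}: {f['title']}")
    if blocking:
        print(f"{len(blocking)} new finding(s) at or above '{min_severity}'; failing the build.")
        return 1
    print("No new findings above threshold; deployment is cleared.")
    return 0


if __name__ == "__main__":
    # In a real pipeline the two arguments would be the scanner export and the
    # checked-in baseline, e.g. gate(open(sys.argv[1]).read(), open(sys.argv[2]).read()).
    sys.exit(gate(SAMPLE_SCAN, SAMPLE_BASELINE))
```

Two design points worth keeping whatever tool you end up with: the baseline is a list of finding ids under version control, so accepting a finding is a reviewable commit rather than a click in a dashboard, and the threshold is a parameter, so you can start with `critical` only and tighten it as the backlog shrinks.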
In general, you should test the tool as much as you can and try every function available! Maybe you can find parts where you can improve your current processes, or you can get back to your provider to have them adjust the solution to your needs. In the best case, you chose a solution with a free trial, where you can try out as much as you can without any strings attached.
The final step at this stage is to review the initial business case. Now you know the tool by heart, can the numbers you defined before actually be achieved? Or are there savings areas that you didn’t take into account before?
Carry out the work
As described in the solution research phase, you have your list of eliminated tasks at hand by now. Your next step is to create an action plan on what needs to be done to realize the defined positive ROI as soon as possible.
Here are some questions to start off the action plan:
- What new tasks does the solution create?
Define who will do which job once vulnerabilities are found.
- What tasks will be eliminated?
Maybe you have an internal penetration tester who can now spend more time teaching secure coding practices to fellow developers instead of doing manual testing.
- Who manages the application?
You need a key user who knows the application inside out and can be a guide to all other users. The key user should also delegate newly arising tasks that aren't defined yet.
- Who does the remediation?
You could have a few developers remediate certain types of vulnerabilities so they become experts on those vulnerability classes, or you could have every developer correct their own code to make them better at secure programming.
- How will the knowledge be transferred into future projects?
The project leader or key user should manage a knowledge base that your developers can use in their daily work. In the best case, such information is already provided with the tool.
- What if a breach still happens?
How will you quickly solve the problem and be open to your users and the public about it? How will you get back to your feet and regain your customers’ trust? Read this article for answers to these questions!
My main suggestion for working with a web application security solution: Learn from it! Most tools provide valuable feedback that developers can use to get better at secure coding practices for their future projects. Maybe you can even get a workshop on these practices from your solution provider!
You should also use your new investment to tell your users about it! Make your enhanced security a part of your USP and people will have more trust in your application than ever!
Monitor the outcome
After your new tool is implemented and everybody is working toward a more secure web application, the project should still not be considered finished. The project leader should keep their role and monitor whether the integration was successful. This also includes checking against the earlier defined business case and estimated savings.
The monitoring of your web application security status could be something provided by the tool. Some tools have a well-designed dashboard that gives you aggregated information about the vulnerabilities found. You may be able to opt in to an e-mail report that is sent after every scan of your application. This information should be used to find out how your security status and your development team's performance were enhanced by the new solution.
A few indicators of that enhancement could be changes in the following:
- Average severity of the vulnerabilities found (are new findings getting less critical over time?)
- Average time from detection to fix of a vulnerability
- Total time spent on security issues within your company
- Number of new vulnerabilities found (per week, per deployment etc.)
Or generally speaking: How did your development improve their secure coding practices?
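If the tool (or your issue tracker) records when each finding was first seen, in which deployment, and when it was fixed, the indicators above can be computed from that history instead of estimated. The script below is an added example, not part of the original article or of any particular product; it assumes each finding carries a severity, a first-seen date, the deployment it appeared in and, once remediated, a fixed date. The finding history is constructed sample data.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Assumed severity scale; adapt to the labels your tool emits.
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed finding history, as a scanner export or issue tracker would supply it.
# "fixed" is None while the finding is still open.
FINDINGS = [
    {"id": "sqli-login",  "severity": "critical", "first_seen": date(2024, 3, 4),  "deploy": "d101", "fixed": date(2024, 3, 6)},
    {"id": "xss-search",  "severity": "high",     "first_seen": date(2024, 3, 4),  "deploy": "d101", "fixed": date(2024, 3, 12)},
    {"id": "csp-missing", "severity": "low",      "first_seen": date(2024, 3, 11), "deploy": "d102", "fixed": None},
    {"id": "idor-orders", "severity": "high",     "first_seen": date(2024, 3, 18), "deploy": "d103", "fixed": date(2024, 3, 19)},
    {"id": "cookie-flag", "severity": "medium",   "first_seen": date(2024, 3, 18), "deploy": "d103", "fixed": None},
    {"id": "verbose-err", "severity": "low",      "first_seen": date(2024, 3, 25), "deploy": "d104", "fixed": date(2024, 3, 25)},
]


def average_severity(findings, only_open=False):
    """Mean severity score; with only_open=True, of the findings still unfixed."""
    scored = [SEVERITY_SCORE[f["severity"]] for f in findings
              if not (only_open and f["fixed"] is not None)]
    return mean(scored) if scored else 0.0


def mean_time_to_fix_days(findings):
    """Mean days from first detection to fix, over remediated findings only.

    Open findings are excluded rather than counted as zero, which would make
    the number look better the more you leave unfixed.
    """
    durations = [(f["fixed"] - f["first_seen"]).days for f in findings if f["fixed"] is not None]
    return mean(durations) if durations else None


def new_per_week(findings):
    """ISO week number -> findings first seen in that week."""
    return Counter(f["first_seen"].isocalendar()[1] for f in findings)


def new_per_deploy(findings):
    """Deployment id -> findings first seen in that deployment."""
    return Counter(f["deploy"] for f in findings)


def open_backlog(findings, as_of_iso):
    """Ids of findings that were open on a given date (ISO string), for a trend line."""
    as_of = date.fromisoformat(as_of_iso)
    return [f["id"] for f in findings
            if f["first_seen"] <= as_of and (f["fixed"] is None or f["fixed"] > as_of)]


def report(findings, as_of_iso):
    """All indicators in one dict, e.g. for a weekly status mail."""
    return {
        "avg_severity_all": round(average_severity(findings), 2),
        "avg_severity_open": round(average_severity(findings, only_open=True), 2),
        "mean_time_to_fix_days": mean_time_to_fix_days(findings),
        "new_per_week": dict(new_per_week(findings)),
        "new_per_deploy": dict(new_per_deploy(findings)),
        "open_backlog": open_backlog(findings, as_of_iso),
    }


if __name__ == "__main__":
    for key, value in report(FINDINGS, "2024-03-18").items():
        print(f"{key}: {value}")
```

Compare these numbers across weeks, not in isolation: a falling average severity with a rising backlog means the easy findings are being fixed first, and a mean time to fix that only covers remediated findings will flatter you if the hard ones are never closed, which is why the open backlog is reported next to it.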
You will see that the implementation of an (automated) web application security tool can give you a competitive advantage if it is well carried out.
At first sight, the integration of a suitable web application security solution might look overwhelming and can lead to a lot of confusion. Splitting the process into its different parts and planning each of them can make things more efficient and may lead you to the solution that's best for your company!
You haven’t thought about your vulnerability assessment at all?!
Do a quick scan of your website to start it off!