Your business counts on its web apps. Make sure they are secure.

Internet-connected applications, or web apps, power all aspects of the modern business: an e-commerce platform for customers, a client portal enabling self-service, a trading platform for remote traders. What all these have in common is that the businesses which implement them depend on them 24/7.

Most web app attacks involve ten well-known vulnerabilities.

The Open Web Application Security Project (OWASP) maintains a list of the top ten security vulnerabilities that attackers are actually using in the wild. These account for the vast majority of all web app-based attacks. A little planning for secure design will go a long way.

Security By Design

The best way to secure your web applications is to build them with security in mind. Practicing security-by-design means security goes from an afterthought to an initial requirement during application planning and development. BrothersKeep can help throughout the design, development and deployment lifecycle.

Initial Engagement

Review of the agreement and application specifications given to the development team. Important things to keep in mind during this phase are to include general security requirements regarding publicly known vulnerabilities, clauses related to the enforcement of industry best practices, and clauses covering the ongoing mitigation of security issues.

Design + Architecture

Security review of the design specification and architecture produced by the development team. The specification often details not only the overall vision for the application architecture, but also which components will be used, as well as the technical solutions to specific design problems. Apart from performing a threat modelling exercise to identify security-critical aspects of the architecture, this is a good point in time to highlight weaknesses in the technical solutions chosen for components such as document upload and password management.

Mitigation

Scoping and mitigation of findings from security testing. When performing a security test to verify a satisfactory delivery, proper scoping is essential, as is the cost-effective mitigation of any findings. Clauses regarding issue mitigation from the original agreement can become important at this stage.

Web App Security Testing

The OWASP Application Security Verification Standard 4.0 (ASVS) is a thorough assessment framework, which can be used to validate the security of web applications. According to OWASP, the standard’s purpose “is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification.” The ASVS consists of a comprehensive set of controls covering all aspects of the secure application lifecycle, going significantly deeper than the OWASP Top 10.

The ASVS defines three security verification levels: L1 for low assurance; L2 for apps containing sensitive data (OWASP recommends this level for most apps); and L3, usually reserved for apps requiring the highest level of trust (PHI, sensitive PII, etc.).

Our security experts can test the security of your web applications according to any of the ASVS levels, and provide you with an easy-to-understand, immediately actionable pentest report to help mitigate any findings.

Schedule a consult

Let us help fill the gaps in your corporate security posture.
Or call us to speak to an expert now:

+1 212 643 1850