Security Touchpoints

Posted on November 10, 2012. Filed under: java/j2EE


Problem to Solve: Reduce Defects. Solution: Security Touchpoints

Defects can be sorted into two types – bugs and flaws.

  1. Bugs are implementation issues that are easy to discover and fix. For example, XSS and SQL injection are bugs caused by a lack of proper data validation.
  2. Flaws are deeper problems in the architecture or design of the system. Examples include insufficient authentication, incorrect error handling, and insecure business requirements.

Defects can also be sorted into three types – design, integration, and implementation (coding) errors.

  1. Design errors are due to insecure architecture or requirements. For example, the business requirements call for sending the user's permanent username and password to the user's email address after registration.
  2. Integration errors come from improper configuration management. For example, during a database ETL (Extract-Transform-Load) process, users' credentials are transferred in a clear-text file.
  3. Implementation errors include improper API usage or simple coding errors. For example, forgetting to close a database connection may lead to memory leakage and make the web application vulnerable to DDoS attacks.

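As an added illustration of the implementation-error category (this is example code, not from the original post), the following Java class shows the two coding errors named above side by side with their fixes: user input concatenated into a SQL query, and a database connection that is never closed. The `DataSource` and the `users` table are assumed.

```java
import javax.sql.DataSource;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserLookup {
    // Assumed: a pooled DataSource injected by the J2EE container.
    private final DataSource dataSource;

    public UserLookup(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // BUG (implementation error): the username is concatenated into the query,
    // so unvalidated input becomes part of the SQL text, and the Connection,
    // Statement and ResultSet are never closed, so every call leaks a pooled
    // connection until the pool is exhausted and requests start failing.
    public boolean userExistsVulnerable(String username) throws SQLException {
        Connection conn = dataSource.getConnection();
        Statement stmt = conn.createStatement();
        ResultSet rs = stmt.executeQuery(
                "SELECT 1 FROM users WHERE username = '" + username + "'");
        return rs.next();
    }

    // FIX: the username is bound as a parameter, so it is treated strictly as
    // data and can never be parsed as SQL, and try-with-resources closes all
    // three resources in reverse order even when an exception is thrown.
    public boolean userExists(String username) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = ?";
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

In a code review, the unclosed resources and the string-built query are exactly the kind of bug the post describes as easy to spot and fix once you know to look for them.
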
The Security Touchpoints are best practices that analyze the artifacts produced at the various stages of the software development life cycle (SDLC) in order to reduce defects. The following is the list of security touchpoints in order of effectiveness and importance:

  • Code Review
  • Architectural risk analysis
  • Penetration testing
  • Risk-based security tests
  • Abuse cases
  • Security requirements
  • Security operations

Code review is the process of finding bugs and flaws by reviewing the source code. Since all software development produces source code, code review is the number one security touchpoint.

Architectural risk analysis is the process of finding flaws in architecture and design documentation. The result of risk analysis can be used to direct the execution of other security touchpoints. For example, we can prioritize code review, penetration tests and security tests based on the risk areas highlighted by the risk analysis, and focus on the highest risk profiles first.

Penetration testing is a black-box test conducted at a later stage of software development. It tests the live system with all components integrated, in a production or lab environment.

Security tests, on the other hand, run against the components or units that are still under development.

Security requirements specify both functional and non-functional requirements at an early stage of the software development life cycle.

Security operations refers to the monitoring the operations team conducts on the production system, and the feeding back of information about security attacks observed in production.
