Web development methods for security and compliance


Information systems security is a very important consideration during the software application development process. It is just as important as the delivery of the functional requirement. By examining the issues early in the project's initiation phase, the environment, operating system, database design and system architecture can be modelled with security built in, ensuring compliance with appropriate legislation, regulations and standards.

Watson Hall provides independent security analyst services for organisations developing, operating or purchasing web applications.

Example web development security projects

Information security

Web sites and web applications typically interact with other remote services, back-office systems and distributed systems, which can be hosted in a variety of locations: locally, in facilities at another site, or managed by third parties. The complex web of inter-related systems increases the potential for security vulnerabilities to lie undiscovered, making it difficult to ensure the release of a stable, efficient, scalable, secure and compliant system.

Information systems and communications security should never be viewed as a role on its own. Security must be considered throughout the development life cycle, be business-focused and based on an agreed, and supported, security policy. Separating security from development will lead to increased costs, lower availability and poorer integrity. Data protection, to maintain confidentiality, integrity of the information and availability of the service, needs to be considered at all stages of the project's life cycle.

Compliance

The compliance requirements for your particular organisation need to be examined throughout the development of procedures, policies, standards and guidelines which will drive the specification, development, testing, deployment and operation of the web software.

Compliance should occur through good security, not as part of an audit. Information security must be an integral part of the way businesses operate, with compliance being the result, not the aim. By building security into the software development process, adherence to legislation and other codes can be achieved at lower cost.

Architecture

The application's architecture should be driven from an agreed security policy for the web application or website. All inter-connected systems must be identified, specified and the dependencies documented. Data should be classified, personal and sensitive data identified and encryption policies considered.

Functional design analysis and planning and the creation of system design specifications, including the security framework, will provide an understanding of the security issues and methods of negating or minimising security risks. Consideration of the development, test and production environments may highlight other security issues that need to be addressed such as access to servers, data replication, configuration management, operations and maintenance.

Development

Are you using a web application development life cycle that encompasses security best practice? At what point are you taking security issues on board? Who is responsible for security? Who should be involved?

Development is difficult without a good overview of the processes and procedures which are required for continued project success. It is unfair to expect development and testing teams to take sole responsibility for the security of your website, e-commerce project or payment system. The issues are so much wider, and without carefully addressing all the necessary facets, supposedly successful projects can still lead to increased risks and costs due to security issues.

The key themes of data validation, authorisation, authentication, session handling and attack methodologies (such as injection, phishing, denial of service, malware) must be understood to be able to use a secure coding methodology. The techniques for handling errors must be consistent and safe. Logging must be built in and mechanisms for auditing considered.

Testing

Do the application testers build security testing into their test plans? They may not know the types of issues to target and address. Much testing is targeted at platform suitability, accessibility, usability and resilience. All of these can be undermined if security loopholes exist. Testing plans need to be developed that include security testing as well as functionality testing. This often requires a mindset change for conventional testers but it can be part of a wider security-awareness programme for all staff.

Deployment

Testing deployment and documenting changes that were required for the application are a fundamental part of the development life cycle. Some of the fastest learning can be achieved by development staff when they have to deploy an application with their systems colleagues. A detailed knowledge of the web application's methods, security and technologies is required to ensure the deployment process is documented and tested prior to deployment to live. All issues that occur need to be fed back through the deployment documentation to ensure that any configuration changes do not conflict with the security mechanisms.

Operations

How has the development process considered the requirements for operations post launch? Have the required auditing facilities been defined and built in? In the event of a security breach, can the audit trail integrity be assured? What mechanisms would the application use to assist detection and prevention during operation?

Other web security analysis services from Watson Hall

Web application security best practice, e-commerce security, and security due diligence.

Contact Watson Hall

Building security into all stages of website and web application software development will increase confidence, reduce risk and build skills. Watson Hall offers independent security analysis services from a central London base. Contact Watson Hall to see how we can assist your development, deployment and running of secure web applications and websites.

Act now


To discuss security matters in confidence and without obligation, telephone us on 020 7183 3710 or complete the enquiry form.

© 2007-2010 Watson Hall Ltd, last reviewed 11 September 2008

These pages contain general information only. Nothing in these pages constitutes professional advice. Please read the website's terms of use, and consult a suitably qualified information security professional on any specific problem or matter.


Watson Hall Ltd is a company registered in England no 6004969 at North Bastle, Gatehouse, NE48 1NG, United Kingdom.

http://www.watsonhall.com/secure-development-and-compliance/