Application Security

An initial guide for developing secure applications

Why should you invest in developing secure applications? 

It would be great if we didn’t need to have antivirus, which consumes our processing power; if we didn’t need expensive firewalls to protect our infrastructure; and if we didn’t have to choose between security or better user experience. Everything would be much simpler.

However, our reality is different. For various reasons, it is common for someone to want to harm or take advantage of our applications. Just as the motivations are diverse – be it selling information, gaining a reputation, or even personal revenge – so are the types of attacks.

Therefore, we need to invest in developing secure applications to protect our business against the myriad of everyday threats. Now, how to put the “S” in our development cycle?

Speaking of software design, we inherited the classic waterfall model. From it comes the paradigm that secure development is nothing more than adding a security step to the project. Is this what it really means? No.

We need to break with this paradigm that security is a project phase. After all, this way is not efficient: it generates rework, and the risk remains high because deadlines and the like squeeze the phase out.

How to do secure development the right way? 

When we talk about secure development best practices, we’re talking about applying security across the entire development stream. Just as having quality software is not the responsibility of a single area – for example, QA – having secure software is the responsibility of everyone involved in the project.

Let’s see how the development cycle looks with security at each stage. The good news is that we are not alone on this journey: at each stage we will have references to delve into the subject.

Training

Without knowledge there is no change. Therefore, the first step is to promote training on security issues for the project team. With that knowledge, the secure development journey has solid foundations. One successful and therefore widely used strategy for training is the implementation of a Security Champion program. Be sure to read more about the advantages of investing in AppSec training.

Security Requirements

In the step of gathering the application's functional and non-functional requirements, it is also necessary to gather the security requirements, enriching the use cases with a security perspective. A checklist that can help with security requirements is the ASVS (OWASP Application Security Verification Standard).

Secure Design

Design the application with a secure architecture. Identify possible threats and implement appropriate protections. In this sense, the practice of threat analysis (Threat Modeling) is very useful for bringing security to the left of the development cycle, the concept known as Shift-Left.

Secure Coding 

Write secure code. But secure against what? It is important to know the vulnerabilities through which our applications can be attacked. The OWASP Top Ten is a list of the most critical vulnerabilities that happen in web applications, and knowing them we are able to protect ourselves from them. Another source to consider is the Cheat Sheet series, which collects best practices, including for some specific technologies.
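As an added illustration of what "secure against what" means in practice (this is example code written for this guide, not code from the original post or from Conviso), the snippet below takes the Injection category of the OWASP Top Ten and shows the same lookup written the vulnerable way and the hardened way: a query built by string concatenation beside a parameterized query plus allow-list validation. The table, the sample rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    """OWASP Top Ten 'Injection': the input is pasted into the SQL text,
    so it can change the structure of the query instead of being a value."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened form: a parameterized query. The driver sends `name` as a
    bound value, so quotes or keywords inside it are never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def validate_username(name):
    """Second layer (defense in depth): allow-list the input shape before it
    reaches the data layer. Only ASCII letters, digits and '_' are accepted."""
    if not name.isascii() or not name.replace("_", "").isalnum() or len(name) > 32:
        raise ValueError("invalid username")
    return name


if __name__ == "__main__":
    db = make_db()
    print(find_user_safe(db, validate_username("alice")))
```

Run it as a script to see the safe lookup; the difference between the two functions only shows on input that contains SQL syntax, which is exactly what a code review or a SAST rule for string-built queries is looking for.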

Security tests

The application can be tested manually. In this case, we are talking about code review and pentest (penetration testing), which can be white, gray or black box. While code review analyzes the application’s source code to check it against best practices, a pentest validates the built application by trying to exploit any security holes it may have. We can also run automated tests. Today we have static application security testing (SAST), dynamic application security testing (DAST), and a further, interactive form of testing, IAST.

See also:

Vulnerability management, Sast and Dast tools

Security tests applying pipeline 

More about AppSec

To assist further in the secure development journey, we can also count on the following references:

OWASP Proactive Controls, from OWASP, lists ten controls that we can implement to make our software product more secure against various vulnerabilities.

ISO/IEC 27001 provides a model for improving an Information Security Management System; its control A.14 contains requirements to be implemented in the development cycle.

NIST, the National Institute of Standards and Technology, presents a framework for mitigating cybersecurity risks.

What can we conclude about securely developing applications?

It is important to develop with security in mind so that our business is not harmed by the range of threats that make up our reality on the web today. AppSec is a culture, so it takes time to transform employees’ mindsets.

There is no magic solution, but at each stage of the development cycle it is possible to apply the best security practices to deliver more robust applications that hinder intrusions, data leakage and system unavailability.

For over 13 years, Conviso has been helping companies implement secure development programs. For this, it relies on the AppSec Flow platform, which supports all phases of secure development. 

About author

Technology professional for over 14 years. Technologist from ETE, bachelor in Systems Analysis and Information Technology from Fatec and post graduate, Master of Business Administration (MBA), in Management and Governance of Information Technology from FIAP. Throughout his career, he developed several systems, using different market technologies, both web and mobile. Participated in all cycles of the project to reformulate the 'App Mobile for Customers' of Liberty Seguros SA, winner in the Insurance Application category, of the "Efinance 2017 Award", one of the main technology awards for the finance area. He acts as an Information Security Analyst in the Consulting team bringing security in software development to clients.