Passive testing resulted in several of my internet-facing projects receiving little regard to security other than the traditional access control matrix. Upon deciding to take a more assertive approach to security testing I found flaws in our testing, development, design and requirements capture processes and began to challenge the situation. I found allies in the security team who admitted they could only cope with filtering out some attacks at the network perimeter. If attacks got inside the perimeter the battle was probably lost. The realization that application security was substantially different to transport layer security led to a firm belief that project teams need to become more self-reliant in building and maintaining security throughout the entire software lifecycle.
With no budget or management approval I set about learning and applying application security to every project assigned to me. It wasn’t easy, but started getting positive results. I set my own scope and wrote a set of app-sec testing procedures, then a set of development guidelines and distributed them to everyone involved in project development or maintenance. Gradually the ideas gained acceptance and eventually received full management backing. This is the story of how that came about.
- Gain an insight to application security.
- Understand the weaknesses of conventional security solutions.
- Begin to include practical security in your projects