Putting Web Application Developers In Charge Of Security

Imagine a Web application developer charged with shepherding his enterprise app from development to operation -- including patching. This designated advocate would see the application through its life cycle, which theoretically should yield more secure Web applications, security experts say.

"Having someone spearhead this from development to vulnerability [discovery] would help him see what happens when an application isn't deployed securely. Today [most developers] don't see the process through to production. This way they'd have more of a stake in it" and its security, says Georg Hess, a member of OWASP and CEO of Art Of Defence.

Hess says there needs to be a new Web security role that blends IT, networking, and developer know-how, especially given the long lead times it takes organizations to fix Web app vulnerabilities -- up to a month in some cases. He says this new role would be called a Web app security manager or officer, and there could be one for each application. It wouldn't be a full-time, dedicated position, but rather an additional job role for the application developer, he says.

Security experts such as Hess say application security needs an updated organizational chart to better address security flaws during development and when it's time to patch, as well as to ensure that security gets baked into apps. A newly published report from Forrester Research calls for new, additional roles to be added to the enterprise security group, including a security engineering person who heads up how security is implemented and integrated with the overall IT infrastructure.

"Over the past few years, as the security organization has had to grapple with an increasingly complex threat landscape and a much more visible role in the organization, the expectations of the business have also significantly increased. The business expects that security will do all this and take on additional responsibilities while keeping its headcount virtually static," the Forrester report says. "As a result, there is often a disconnect between what a security organization can realistically deliver and what the business perceives it can deliver. Security organizations today must be agile and high-performing -- capable of addressing a multitude of responsibilities and needs simultaneously."

Meanwhile, Joshua Corman, research director for the enterprise security practice at The 451 Group, says there are some benefits of having the actual developer of a Web app head up its security. As an insider, he or she would have the ear of fellow developers, for instance, Corman says. "The crucial advantage is that the fellow developer would be known to the community, understands it, and would be less likely to be rejected" for his or her security decisions, he says. "Developers would likely listen more to their own."

But the trade-off is that a developer would likely have security as his or her secondary expertise. "You don't want someone who knows just enough to be dangerous," Corman says. But if the developer can connect with security experts and gain the necessary knowledge, he or she could become a handy bridge between the development and security groups, he says.

Art of Defence's Hess says the advantage of the Web app security manager is that he or she knows the inner workings of the application and ideally would configure security policies for the app, as well. "This would be a Web application person who would learn security," Hess says. "There are some Web application firewall experts [in organizations] that don't understand the apps."

This app advocate would advise the network team that runs the WAF, too, he says. "You could train this person to tell those in charge of the WAF how to configure Web application protection for his application," for example, Hess says.

Today there's rarely a go-to person for an application's security issues, he says. "It's important that he can communicate the security exposure of his application to the security team" or manage its protection, Hess says.

Many of the day-to-day security staff are more familiar with network layer security than Web application vulnerabilities, he says. This new job function for developers would blend and unite often-competitive IT, networking, and application development groups, something that's not typically done today in IT and security organizations.

But Hess admits adding this new job function depends on the size of the organization. "If you want to have one person in this role, it could be an hour per week or several hours per week" where he or she is responsible for the Web app's security issues, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.