 | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Iordanus.com Consulting - Enterprise resource planning and e-business consultancy services. | http://www.iordanus.com |
iordanus.com is a small group of Application Consultants and developers with a vast experience in SAP, Enterprise Appplication Integration and application development in various technologies such as SAP ABAP, ABAP HR, Microsoft .NET, Visual Basic and much more. Once application vulnerabilities have been categorized and prioritized, the next step in web application development is to estimate how long it will take to implement the fixes. If you're not familiar with web application development and revision cycles, it's a good idea to bring in your developers for this discussion. Don't get too granular here. The idea is to get an idea of how long the process will take, and get the remediation work underway based on the most time-consuming and critical application vulnerabilities first. The time, or difficulty estimates, can be as simple as easy, medium, and hard. And remediation will begin not only with the application vulnerabilities that pose the greatest risk, but those that also will take the longest to time correct. For instance, get started on fixing complex application vulnerabilities that could take considerable time to fix first, and wait to work on the half-dozen medium defects that can be rectified in an afternoon. By following this process during web application development, you won't fall into the trap of having to extend development time, or delay an application rollout because it's taken longer than expected to fix all of the security-related flaws. This process also provides for excellent follow-up for auditors and developers during web application development: you now have an attainable road map to track. And this progression will reduce security holes while making sure development flows smoothly. It's worth pointing out that that any business-logic problems identified during the assessment need to be carefully considered during the prioritization stage of web application development. Many times, because you're dealing with logic - the way the application actually flows - you want to carefully consider how these application vulnerabilities are to be resolved. What may seem like a simple fix can turn out to be quite complicated. So you'll want to work closely with your developers, security teams, and Application Consultants to develop the best business-logic error correction routine possible, and an accurate estimate of how long it will take to remedy. One of the pitfalls you want to avoid when using Application Consultants during web application development, however, is failure to establish proper expectations. While many Application Consultants will provide a list of application vulnerabilities that need to be fixed, they often neglect to provide the information that organizations need on how to remedy the problem. It's important to establish the expectation with your experts, whether in-house or outsourced, to provide details on how to fix security defects. The challenge, however, without the proper detail, education, and guidance, is that the developers who created the vulnerable code during the web application development cycle may not know how to fix the problem. That's why having that application security consultant available to the developers, or one of your security team members, is critical to make sure they're going down the right path. In this way, your web application development timelines are met and security problems are fixed. |
|
