If an application security professional is dealing with hundreds of applications and wants to integrate ESAPI into their enterprise-wide SDLC, then I must say it will be one of the most challenging and interesting tasks in application security. Integrating ESAPI needs a very systematic approach targeted at the development community. For enterprise-wide integration, I have chosen the following approach, keeping two goals in mind:
- The transition must be simple, smooth and accurate.
- Vulnerability occurrence must also be reduced in future development.
Here it is:
Preparation Phase:
- PP1: Understand ESAPI first. You can choose sample applications that have a higher number of vulnerabilities; this will help you understand ESAPI in depth with less effort. Alternatively, the SwingSet application is a good resource for this purpose.
- PP2: Write secure coding guidelines for your organization's development community, and illustrate each recommendation with a code sample that uses ESAPI.
- PP3: Write a mapping document for each application that clearly explains, in detail, where and how the ESAPI methods are to be used.
Implementation Phase:
- IP1: Organize application security training (secure coding) for the development community: demonstrate each vulnerability using vulnerable applications and their code, and then demonstrate the same application/code patched using ESAPI.
- IP2: Walk through the application mapping document for that application, which you prepared in PP3.
- IP3: Publish the secure coding guidelines to the development community and encourage developers to use them.
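As an added illustration of the before/after demonstration described in IP1 (this is example code written for this post, not code from the ESAPI project or from any application mentioned here): a product search handler that places a user-supplied term into an HTML page and into a SQL query, first in its vulnerable form and then hardened with the ESAPI validator, the ESAPI HTML encoder and a parameterized query. `ESAPI.validator().getValidInput` and `ESAPI.encoder().encodeForHTML` are the real ESAPI 2.x methods; the validation type `"SafeString"` is assumed to be defined in the default ESAPI.properties, and the `product` table, its `name` column and the `ProductSearchDemo` class are made up for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/** Before/after pair for a training session: the same product search, without and with ESAPI. */
public class ProductSearchDemo {

    // ---------- BEFORE: vulnerable version, shown first in the training ----------

    /** Reflected XSS: the raw search term is written straight into the page. */
    static String renderResultHeaderUnsafe(String term) {
        return "<h2>Results for: " + term + "</h2>";
    }

    /** SQL injection: the raw search term is concatenated into the query text. */
    static int countMatchesUnsafe(Connection conn, String term) throws SQLException {
        String sql = "SELECT COUNT(*) FROM product WHERE name LIKE '%" + term + "%'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getInt(1) : 0;
        }
    }

    // ---------- AFTER: patched with ESAPI, shown second ----------

    /**
     * Input validation at the trust boundary. "SafeString" is a regex name assumed to be
     * present in ESAPI.properties (Validator.SafeString); the context string only labels
     * the log entry. A ValidationException means the request is rejected, not repaired.
     */
    static String validatedTerm(String term) throws ValidationException, IntrusionException {
        return ESAPI.validator().getValidInput("productSearch.term", term, "SafeString", 50, false);
    }

    /** Output encoding for the HTML body context, applied at the point of output. */
    static String renderResultHeaderSafe(String term) {
        return "<h2>Results for: " + ESAPI.encoder().encodeForHTML(term) + "</h2>";
    }

    /** Parameterized query: the term is bound as data and never parsed as SQL. */
    static int countMatchesSafe(Connection conn, String term) throws SQLException {
        String sql = "SELECT COUNT(*) FROM product WHERE name LIKE ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + term + "%");
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }

    /** The hardened flow in one place: validate first, then use the value safely in each context. */
    static String handleSearch(Connection conn, String rawTerm) throws SQLException {
        String term;
        try {
            term = validatedTerm(rawTerm);
        } catch (ValidationException e) {
            // Generic message to the user; the validation failure itself is already in the ESAPI log.
            return "<p>Invalid search term.</p>";
        }
        int hits = countMatchesSafe(conn, term);
        return renderResultHeaderSafe(term) + "<p>" + hits + " matches</p>";
    }
}
```

The class compiles against the ESAPI 2.x jar with ESAPI.properties on the classpath. The point to make in the training session is the split of responsibilities: validation rejects input that does not belong at all, output encoding is chosen per context (HTML body here; `encodeForJavaScript`, `encodeForURL` and the others for their contexts) and applied where the data is written, and SQL is kept parameterized rather than repaired by string encoding.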
Audit Phase:
- AP1: Check that the correct API is used in each application against your mapping document for that application (the PP3 document can serve as the audit checklist).
- AP2: Help the development community use the correct ESAPI methods in the correct places.
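A checklist aid for AP1, added here as an example (it is not part of the original post and not an ESAPI or Fortify component): the rows of the PP3 mapping document are expressed as rules that pair a dangerous sink pattern with the ESAPI call the document requires on the same line, and every source line that reaches a sink without the mapped call is reported. The rules, the sink regexes, the `MappingAudit` class and the sample source lines are constructed for the illustration; the ESAPI method names inside the rules (`getValidInput`, `isValidInput`, `encodeForHTML`, `encodeForOS`) are real ESAPI 2.x methods.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Line-based audit driven by a mapping document: sink pattern -> required ESAPI call. */
public class MappingAudit {

    /** One row of the PP3 mapping document in machine-checkable form. */
    static final class Rule {
        final String issue;          // what the mapping document row addresses
        final Pattern sink;          // where untrusted data reaches a dangerous operation
        final Pattern requiredCall;  // the ESAPI method the document requires at that point

        Rule(String issue, String sink, String requiredCall) {
            this.issue = issue;
            this.sink = Pattern.compile(sink);
            this.requiredCall = Pattern.compile(requiredCall);
        }
    }

    /** A line that uses a sink without the mapped ESAPI method. */
    static final class Finding {
        final int lineNo;
        final String issue;
        final String text;

        Finding(int lineNo, String issue, String text) {
            this.lineNo = lineNo;
            this.issue = issue;
            this.text = text;
        }
    }

    /** Constructed mapping rules for a servlet application; a real document has many more rows. */
    static final List<Rule> RULES = List.of(
        new Rule("Request parameter used without ESAPI validation",
                 "request\\.getParameter\\(", "getValidInput\\(|isValidInput\\("),
        new Rule("HTML output without encodeForHTML",
                 "getWriter\\(\\)\\.(print|println|write)\\(", "encodeForHTML\\("),
        new Rule("OS command built without encodeForOS",
                 "Runtime\\.getRuntime\\(\\)\\.exec\\(", "encodeForOS\\(")
    );

    /** Constructed sample source lines standing in for a servlet under audit. */
    static final String[] SAMPLE_SOURCE = {
        "String term = request.getParameter(\"term\");",
        "String term = ESAPI.validator().getValidInput(\"search\", request.getParameter(\"term\"), \"SafeString\", 50, false);",
        "response.getWriter().println(\"<h2>\" + term + \"</h2>\");",
        "response.getWriter().println(\"<h2>\" + ESAPI.encoder().encodeForHTML(term) + \"</h2>\");",
        "int hits = countMatches(conn, term);"
    };

    /** Applies every rule to every line; a line is flagged when a sink appears without its mapped call. */
    static List<Finding> audit(String[] sourceLines) {
        List<Finding> findings = new ArrayList<>();
        for (int i = 0; i < sourceLines.length; i++) {
            String line = sourceLines[i];
            for (Rule r : RULES) {
                if (r.sink.matcher(line).find() && !r.requiredCall.matcher(line).find()) {
                    findings.add(new Finding(i + 1, r.issue, line.trim()));
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        for (Finding f : audit(SAMPLE_SOURCE)) {
            System.out.println("line " + f.lineNo + ": " + f.issue + " -> " + f.text);
        }
    }
}
```

On the constructed sample it reports the unvalidated `getParameter` on line 1 and the unencoded `println` on line 3, and stays quiet on the two lines that carry the mapped ESAPI call. Because the check is line-based it cannot follow a value that is validated on one line and written on another, so it produces both false positives and false negatives; treat its output as a list of places to open during the AP1 review with the mapping document in hand, not as a verdict. Needs Java 9 or later for `List.of`.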
One last thing: for those who are equipped with Fortify, the effort will be reduced significantly in steps PP1, PP3, AP1 and AP2.
All the best!!!