Application Security

July 15th, 2008

There are multiple aspects of security that must be considered when building a web site. These include, as a minimum: application, database and infrastructure security. Today, I’m going to give some of my thoughts on application level security and will address database and infrastructure related issues at another time, particularly since some of the decisions made regarding application security will affect the database and infrastructure.

Once again, while everyone realizes that security is a large and important issue, security-related concerns are forgotten, ignored or intentionally deferred far too often during the early stages of site development, when enthusiasm, an endless stream of ideas and the desire to get a working site up quickly consume the project team. When those concerns eventually resurface, incorporating them can have a significant impact on the schedule and/or site functionality, and compromises are usually made. For example, when application-level security is an afterthought and significant development has already been completed, retrofitting security functionality is considerably more difficult and time consuming, with a greater chance of missing something important, than if security had been considered and incorporated into the original design.

At the application level, the two major areas of security that need to be considered are site administration and end-user security.

Site administration relates to those functions on the site that are used and maintained by company employees and vendors to ensure that the site is up to date, functions properly and can provide the reporting and statistics needed to manage the business effectively and efficiently. It also dovetails into the auditing functionality that I have previously discussed. In many cases you want to segregate site admin functions into groups that roughly correspond to the functional organization of the company, so that no single admin user has the power to perform every function. This compartmentalization is a key step in protecting your site from unintentional mistakes and in limiting the impact of malicious acts by disgruntled employees. It also requires a discussion with the key individuals who will be charged with administering the site, and a thorough explanation of what functionality they will actually be given to do their jobs properly. Architecting and building this functionality includes the ability to create, change and inactivate accounts and to assign users to functional groups, a scheme for username and password creation that defines how strong passwords must be, and a policy for how often passwords must be changed.
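The group-based compartmentalization, account inactivation and password policy described above, as an added example (this is illustrative code written for this post, not the site's or any product's own). The group names, the permission strings, the 12-character strength rule and the 90-day rotation period are all assumptions chosen for the illustration; a real deployment would take them from the discussion with the site's administrators.

```python
"""Added example: functional admin groups with deny-by-default permission checks,
account inactivation and a password-age policy. Group names, permissions and the
90-day rotation period are constructed for illustration, not taken from any real site."""
from dataclasses import dataclass, field
from datetime import date
import re

# Functional groups that roughly mirror a company's organisation (constructed).
GROUP_PERMISSIONS = {
    "content":   {"article:create", "article:edit", "article:publish"},
    "catalog":   {"product:create", "product:edit", "price:edit"},
    "reporting": {"report:view", "stats:view"},
    "useradmin": {"account:create", "account:inactivate", "group:assign"},
}

PASSWORD_MAX_AGE_DAYS = 90  # assumed rotation policy


@dataclass
class AdminAccount:
    username: str
    groups: set = field(default_factory=set)
    active: bool = True
    # ISO date of the last password change; defaults to today.
    password_set_on: str = field(default_factory=lambda: date.today().isoformat())


def password_is_strong(pw: str) -> bool:
    """Minimum-strength rule assumed here: 12+ characters drawn from four classes."""
    return (len(pw) >= 12
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def password_expired(acct: AdminAccount, today: str) -> bool:
    """True when the password is older than the rotation period (dates as ISO strings)."""
    age = date.fromisoformat(today) - date.fromisoformat(acct.password_set_on)
    return age.days > PASSWORD_MAX_AGE_DAYS


def permissions_for(acct: AdminAccount) -> set:
    """Union of the permissions of every group the account belongs to; inactive accounts get none."""
    if not acct.active:
        return set()
    perms = set()
    for group in acct.groups:
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def is_allowed(acct: AdminAccount, permission: str, today: str) -> bool:
    """Deny by default: an inactive account or an expired password refuses every action."""
    if password_expired(acct, today):
        return False
    return permission in permissions_for(acct)


def assign_group(actor: AdminAccount, target: AdminAccount, group: str, today: str) -> None:
    """Only members of the user-admin group may change membership; unknown groups are refused."""
    if not is_allowed(actor, "group:assign", today):
        raise PermissionError(f"{actor.username} may not assign groups")
    if group not in GROUP_PERMISSIONS:
        raise ValueError(f"unknown group {group!r}")
    target.groups.add(group)


def inactivate_account(actor: AdminAccount, target: AdminAccount, today: str) -> None:
    """Inactivating rather than deleting keeps the audit trail intact."""
    if not is_allowed(actor, "account:inactivate", today):
        raise PermissionError(f"{actor.username} may not inactivate accounts")
    target.active = False


def change_password(acct: AdminAccount, new_pw: str, today: str) -> None:
    """Enforce the strength policy and restart the rotation clock."""
    if not password_is_strong(new_pw):
        raise ValueError("password does not meet the strength policy")
    acct.password_set_on = today
```

The two design choices worth noting are that every check is deny-by-default (an unknown group or an inactive account contributes no permissions) and that accounts are inactivated rather than deleted, so the audit records discussed earlier keep pointing at a real account.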

The level and type of end-user security will vary with the type of site being constructed, ranging from very stringent security for a financial site, which obtains and/or provides personal information, to possibly no security at all for a site that merely delivers free content. Security considerations for end users include incorporating SSL and cookies, a username creation scheme, password strength, the ability for users to change passwords and retrieve them if they are forgotten, a session time-out mechanism, and account lock-out after a certain number of unsuccessful login attempts.
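The session time-out and account lock-out mechanisms listed above, as an added example (illustrative code written for this post, not the site's own). The five-attempt threshold, the 15-minute lock-out, the 20-minute idle time-out, the PBKDF2 work factor and the user record layout are all assumptions; the session token stands in for the value that would be sent to the browser in the session cookie over SSL. Time is passed in as a plain seconds value so the behaviour can be checked deterministically.

```python
"""Added example: end-user login with salted password hashing, account lock-out after
repeated failures and an idle session time-out. Thresholds, the iteration count and the
user records are constructed for illustration, not taken from any real site."""
import hashlib
import hmac
import os
import secrets

MAX_FAILED_ATTEMPTS = 5          # assumed lock-out threshold
LOCKOUT_SECONDS = 15 * 60        # assumed lock-out duration
SESSION_IDLE_SECONDS = 20 * 60   # assumed idle time-out
PBKDF2_ROUNDS = 100_000          # assumed work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked user table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserStore:
    """In-memory stand-in for the users table."""
    def __init__(self):
        self.users = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "digest": hash_password(password, salt),
                                "failed": 0, "locked_until": 0.0}


class SessionStore:
    """In-memory sessions keyed by an unguessable token (the session cookie value)."""
    def __init__(self):
        self.sessions = {}

    def create(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "last_seen": now}
        return token

    def validate(self, token: str, now: float):
        """Return the username for a live session and refresh its idle timer; drop expired ones."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > SESSION_IDLE_SECONDS:
            del self.sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user"]


def login(store: UserStore, sessions: SessionStore, username: str, password: str, now: float):
    """Return (status, token): status is 'ok', 'locked' or 'bad'; token only on success."""
    rec = store.users.get(username)
    if rec is None:
        # Hash anyway so an unknown username takes about as long as a wrong password.
        hash_password(password, b"\x00" * 16)
        return "bad", None
    if now < rec["locked_until"]:
        return "locked", None
    if hmac.compare_digest(hash_password(password, rec["salt"]), rec["digest"]):
        rec["failed"] = 0
        return "ok", sessions.create(username, now)
    rec["failed"] += 1
    if rec["failed"] >= MAX_FAILED_ATTEMPTS:
        rec["locked_until"] = now + LOCKOUT_SECONDS
        rec["failed"] = 0
    return "bad", None
```

Note that the same "bad" response is returned for an unknown username and for a wrong password, and that the lock-out is time-limited rather than permanent, which keeps a burst of bad guesses from turning into a denial of service against a legitimate user.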

There is no argument that security considerations are important to the design and development of any site. However, it is important that security is considered at the proper phase of the project so that security policies can be well thought out and properly incorporated into the application.