Over the years I have participated in the writing of many Requests for Proposals (RFPs) and, with Relief Applications, have responded to quite a lot too. One thing that has always struck me is the blatant lack of security requirements. At best you will read a sentence like “Support for UN information security requirements for confidential information on the public internet”; which is important, to say the least, but far from enough when describing a key component of any system: SECURITY.
When trying to find a firm to develop your application, adding security requirements is not as hard as it seems, as I described in a previous post: http://blog.reliefapps.org/data-safety-and-security-10-key-points-for-your-request-for-proposals/
But checking an already existing system is much harder, and it raises many questions: what will it cost? Who should do it? What exactly should I ask for? A quick Google search for “web security system audit” turns up everything from testing your organisation's security procedures to SQL injection. It might take some energy and knowledge to find what you need for your software, but there is an easy solution: use the widely recognised (industry standard) OWASP security checklist.
The OWASP security checklist
There is, however, a good and easy way: the OWASP security checklist. OW... what?
OWASP stands for the Open Web Application Security Project. It is a not-for-profit group that helps organisations develop, purchase, and maintain software applications that can be trusted. You can find their website here: https://www.owasp.org (spoiler alert: a massively open-source designed website 😉).
OWASP's testing guide and checklists between them cover Information Gathering, Configuration and Deployment, Testing, Identity Management, Authentication, Session Management, Business Logic, Cryptography, Communication Security, and many more aspects.
OWASP is the standard bearer for security checklists; most of the others you will find online are derivatives of the OWASP material.
The checklist is designed to be comprehensive, and it is: with 214 questions, you will not miss the point: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_Checklist
How do I use it?
214 questions is a lot, and not every system needs to go through all of them; it may be much quicker to cherry-pick a few points from the list under the main categories. For example: “23. Require authentication for all pages and resources, except those specifically intended to be public”. Obvious, right? But you would be surprised how often this is not adhered to, typically because authentication is bolted onto each page individually and one page gets forgotten, rather than being required by default with an explicit list of public exceptions.
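To make checklist item 23 concrete, here is an added example (not code from the original post, nor from OWASP) of the two ways an application can approach it. The route names, the `Request` class and the `PUBLIC_PATHS` allow-list are assumptions constructed for the illustration; no web framework is involved so it runs stand-alone. The first dispatcher relies on each handler opting in to authentication, and one handler that forgot its decorator silently exposes an export. The second dispatcher denies by default and only lets the explicitly public paths through. The `find_unprotected` helper is the kind of quick audit a reviewer can run over a route table to answer question 23 with evidence rather than opinion.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: just a path and the
    authenticated user (None when the session is anonymous)."""
    path: str
    user: Optional[str] = None


Handler = Callable[[Request], str]
ROUTES: Dict[str, Handler] = {}

# Paths "specifically intended to be public" (the checklist's only exception).
# Assumed allow-list for this example; it must stay short and reviewed.
PUBLIC_PATHS: FrozenSet[str] = frozenset({"/", "/login", "/health"})


def route(path: str):
    """Register a handler for an exact path."""
    def register(fn: Handler) -> Handler:
        ROUTES[path] = fn
        return fn
    return register


def login_required(fn: Handler) -> Handler:
    """Per-handler opt-in check: the pattern that is easy to forget."""
    def wrapper(req: Request) -> str:
        if req.user is None:
            return "401 Unauthorized"
        return fn(req)
    wrapper.requires_auth = True  # marker consulted by find_unprotected()
    return wrapper


@route("/")
def home(req: Request) -> str:
    return "200 public home"


@route("/reports")
@login_required
def reports(req: Request) -> str:
    return f"200 reports for {req.user}"


@route("/admin/export")  # the developer forgot @login_required here
def export(req: Request) -> str:
    return "200 full beneficiary export"


def dispatch_opt_in(req: Request) -> str:
    """Weak: security depends on every handler remembering its decorator."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return "404 Not Found"
    return handler(req)


def dispatch_default_deny(req: Request) -> str:
    """Checklist item 23: everything requires authentication unless the path
    is on the explicit public allow-list. The check runs before the route
    lookup, so an anonymous client also gets 401 for unknown paths and
    cannot probe which private URLs exist."""
    if req.path not in PUBLIC_PATHS and req.user is None:
        return "401 Unauthorized"
    handler = ROUTES.get(req.path)
    if handler is None:
        return "404 Not Found"
    return handler(req)


def find_unprotected(routes: Dict[str, Handler], public: FrozenSet[str]) -> List[str]:
    """Audit helper for an opt-in codebase: registered routes that are neither
    public nor wrapped in login_required. A non-empty result fails item 23."""
    return sorted(
        path for path, handler in routes.items()
        if path not in public and not getattr(handler, "requires_auth", False)
    )


if __name__ == "__main__":
    anonymous = Request("/admin/export")
    print("opt-in:      ", dispatch_opt_in(anonymous))        # leaks the export
    print("default-deny:", dispatch_default_deny(anonymous))  # 401 Unauthorized
    print("unprotected: ", find_unprotected(ROUTES, PUBLIC_PATHS))
```

The design point is that in the default-deny dispatcher a forgotten decorator is harmless, because the decision is made once, centrally, and the only thing that can widen exposure is an edit to `PUBLIC_PATHS`, which is a small, reviewable list. When auditing a real application, look for the equivalent of that central check (a middleware, a base controller, a web-server rule) and for the allow-list of exceptions; if neither exists, run something like `find_unprotected` against the route table before reading any individual page.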
You will find many simplified OWASP checklists online; just pick one, or ask any IT expert, and run with it.
How often should this be used?
Security is a moving target: any new release, update, upgrade or modification comes with a security risk. We should strike a good balance between security and usability; a good practice is to run ad-hoc checks on new application deployments and/or major system changes.
Who should do it?
Any good IT firm will be able to run basic security checks. There is a plethora of firms specialised in web security, but honestly speaking any good IT firm can do the job, often for a much more reasonable price.
How long should it take?
It really depends on your system. A basic security check can take one day on a simple website and a few weeks on a massive portal. For most web applications I know of in the humanitarian sector, somewhere in the region of 10 days of work should be sufficient.
The most important part: the fixing
Security checklists (the OWASP one included) only give you an overview of your code and infrastructure and of where the potential security weaknesses are. It goes without saying that you should fix these vulnerabilities, and that might be costly.
Just remember: this cost is very likely to be nothing compared to the impact of a security breach!