Caleb Sima

Bugwatch: Security through the development cycle

Information security is an ever-evolving process

Caleb Sima, founder and CTO, SPI Dynamics

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Caleb Sima, founder and chief technology officer at SPI Dynamics, warns that web application security should be viewed as a process and incorporated throughout the development lifecycle.


Information security is an ever-evolving process. In the past, the majority of security breaches occurred at the network layer of corporate systems. However, today many companies are unaware that their corporate assets are exposed even though they have implemented network firewalls and intrusion detection systems.

In part, this is due to organisations not yet incorporating web application security into their development processes. A company's web applications can be the most important, and most vulnerable, entry point into the organisation.

Hackers manipulate web applications over the same HTTP traffic the corporate firewall has to let through, which lets them reach and sabotage corporate and customer data. Given even a tiny hole in web application code, an experienced intruder armed with only a web browser and a little determination can break into many commercial websites. While corporations rush to develop security policies and put even a basic security foundation in place, the professional hacker keeps finding new ways to attack.

The evidence is significant. An estimated two-thirds of all security breaches today are due to vulnerabilities within the web application layer. So why is this problem so widespread, and what can be done about it?

The answer lies in looking at security not just from an operations perspective, but as an integral part of the entire development lifecycle. Security must be built into the web application development process itself.

Over the past decade a great deal of effort has gone into promoting structured development processes, and it is now widely accepted that strong, repeatable development processes produce better quality code in less time than unstructured ones.

This theory argues that development efficiency and effectiveness is gained by perfecting a process through practice. However, the old adage 'practice makes perfect' is true only if a person practises correctly. A structured, repeatable development process will produce a superior product only if it systematically covers all aspects of application development.

Even in mature development organisations, security is one of the most commonly overlooked areas of the application development process. There are three main reasons for this oversight.

First, the methodology behind securing applications is relatively new and unknown in the market. Security has traditionally been focused on the network and server layers of an application's architecture. However, even architectures that have secure network and server layers are exposed to attacks if the application layer is insecure due to security defects within the code.

Secondly, many development shops neglect to configure the production environment properly, which leaves web applications vulnerable.

Finally, developing secure web applications is usually an afterthought for most organisations. Since security is not directly related to functional requirements, users do not focus on it and developers generally fail to put in the necessary time to ensure that web applications are secure. As a result, many web applications may be functionally rich, but still vulnerable to unwanted intrusions and attacks at the application layer.

Additionally, many development organisations view security as an event to be completed only once during the development process. However, changes to web applications are made on a daily and sometimes hourly basis, and every change carries risk: what was secure at the time of the audit may be vulnerable afterwards. If security is viewed as a single event, a vulnerability that enters the system after the audit will go undetected.

Web application security should be viewed as a process and incorporated throughout the development lifecycle to ensure web applications are built securely. It should be incorporated into the practices of every team member associated with the development and operations of the web application. This includes defining security as part of the functional and technical requirements of an application.
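The following Python is an added illustration of the point made in the two paragraphs above; it is not part of Sima's column and not SPI Dynamics code. It takes a defect a one-time audit would find by hand (user input concatenated into SQL) and turns it into a regression check that runs with the ordinary test suite on every commit, so a later edit that reintroduces the pattern fails the build instead of going undetected. The sample table, the `find_user_unsafe` and `find_user_safe` handlers, the payload list and the `security_gate` function are all constructed for this example.

```python
import sqlite3
from typing import Callable, Dict, List, Tuple

# Constructed sample data for the example; not from the article.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
]

# Classic injection payloads an auditor would try by hand once; here they
# become a permanent, automated check.
INJECTION_PAYLOADS = [
    "' OR '1'='1",        # closes the string and ORs in a tautology
    "x' OR 1=1 --",       # same, using a SQL comment to swallow the trailing quote
    "alice' --",          # comments out the rest of the WHERE clause
]

Row = Tuple[int, str, str]
Lookup = Callable[[sqlite3.Connection, str], List[Row]]


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Row]:
    """The defect: user input concatenated into the SQL text.

    Kept deliberately vulnerable (hypothetical handler) to show what the
    regression check catches if a later change reintroduces this pattern."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Row]:
    """The fix: a bound parameter, so the input can never alter the query."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def injection_leaks(lookup: Lookup) -> Dict[str, List[Row]]:
    """Run every payload against `lookup` and return the rows each one leaked.

    An empty dict means no payload returned data it should not have. A database
    error is recorded as "no rows": it is noisy but not a data leak, and the
    hardened handler should produce neither."""
    conn = build_db()
    leaks: Dict[str, List[Row]] = {}
    for payload in INJECTION_PAYLOADS:
        try:
            rows = lookup(conn, payload)
        except sqlite3.Error:
            rows = []
        if rows:
            leaks[payload] = rows
    return leaks


def security_gate(handlers: Dict[str, Lookup]) -> List[str]:
    """The check a CI job runs on every commit: names of handlers that fail
    the injection regression. A non-empty list should fail the build."""
    return [name for name, fn in handlers.items() if injection_leaks(fn)]


if __name__ == "__main__":
    failing = security_gate({"unsafe": find_user_unsafe, "safe": find_user_safe})
    print("handlers failing the injection check:", failing)
```

Wired into the normal test run, `security_gate` fires on every change rather than only at the audit; each new finding is added to `INJECTION_PAYLOADS` (or a sibling list for other defect classes) so the check grows with what the team has learned.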

Treating security as a process that runs through the whole development lifecycle requires a dramatic realignment for many development organisations. Many firms claim that they already do so, but in practice security rarely gets the sustained attention it requires: it has to be consciously addressed at every stage of the application lifecycle, not delegated to a single review.

Whether a security breach is made public or confined internally, the fact that a hacker has accessed sensitive data should be a huge concern to your company, your shareholders and, most importantly, your customers.

Companies must view their web applications as a portal to corporate assets and implement the necessary security procedures to ensure that those assets are secure from malicious attacks.
