During a recent visit to a client site, I took part in a discussion where the Development Department and the Security Department were arguing over which group was responsible for the security of web applications. Security felt it was the responsibility of the developers, and the developers felt it was the responsibility of security. I commonly see this debate taking place inside organizations, so I wanted to spend this blog post discussing where that responsibility lies.
When this discussion comes up, the first thing that needs to be defined is what exactly we are talking about when we say “the security of web applications”. For this blog post, we are going to limit the scope of Web Application Security to “ensuring the web application is securely coded to avoid security vulnerabilities and defects”. However, it is important to remember that developing and maintaining a secure web application does not stop at making sure the application is properly coded. A mature Web Application Security program incorporates security into its software development life cycle. This includes activities such as:
- Performing application threat modeling when generating requirements for applications
- Properly gathering security requirements
- Reviewing the architecture of the application
- Regularly assessing applications until they are removed from production
It’s both (of course), but what does that mean?
The simple answer to this often-debated question is that both development and security are responsible for ensuring the security of web applications, and they need to work together; neither group can achieve its goals alone. However, each group has its own separate set of responsibilities when it comes to developing secure web applications.
As you can see, ensuring web applications are secure is not just the responsibility of one group. Instead, it takes a team effort to accomplish this important goal. In closing, I’d like to also state that many security organizations do not have the in-house expertise to provide training, develop secure coding standards, or properly assess web applications, and instead rely on third parties such as SecureState to provide these services.
So what is your take on this debate? Who do you think is responsible for security in web applications? Join the discussion in the comments section of this post!