Most organizations spend a tremendous amount of resources, time and money protecting their network perimeters from Internet-borne threats and hackers. But however good that perimeter defense may be, it usually falls short of addressing the vulnerabilities inside the network at the application layer.
Recent research findings indicate that the application layer is one of the highest-risk areas, and the one where the greatest potential damage can occur, whether through insiders or through a lack of protection. As a result, confidential company information can be exposed, harming the company, its customers and its reputation. While many variables affect Web application security, improving security in a few key areas can help eliminate vulnerabilities.
It’s critical that security be included in the initial Web design rather than retrofitted after the application is developed. While some experts debate where and when security integration and testing should be applied in the development life cycle, no one disputes that it has become an essential ingredient.
The software industry is making headway in this area, with some providers offering incentives to development teams to integrate security during the application development process. Integrating security into the application development life cycle is not an all-or-nothing decision, but rather a process of negotiation among policy, risk and development requirements. Engaging security teams — in-house or outsourced — during the definition stage of application development determines which security areas are necessary to satisfy policy and risk tolerance in the context of the organization.
http://www.computerworld.com/securitytopics/security/story/0,10801,106805,00.html