Top Web Application Security Questions to Ask Third Party Developers

When you are hiring a third party web developer you need to consider several things, so I’ve put together the questions you will want to ask in this list. They are in no particular order of importance. The answers I have provided are only examples; acceptable answers will vary based on your web application and company needs.

What web development framework do you employ?

Whether it’s .NET, ColdFusion or some Java framework, the answer you should want depends on a few factors. First, who is hosting the application: you or them? If you’re hosting it, choose a web developer with a good track record in that framework, and be sure you have technical people on staff who understand how to manage it. If they are hosting it, ask to do some security testing on the infrastructure where your web application will live.

What secure development lifecycle (SDL) do you use?

The answer to this question is less important than the reaction you get. A lot of third party shops employ no SDL because it adds to the cost of a project. If secure development costs extra, I would seek another web developer, as chances are this one doesn’t take web application security very seriously. If you must work with a specific developer, ask for the cost of fixing security vulnerabilities up front so there are no surprises later.

What is the process for reporting bugs (security and otherwise) to the web developer?

This is an important one to understand. If there is no ongoing support contract in place for the web application, most shops will charge for bug fixes. This is understandable and reasonable, but it is a good idea to understand it up front.

What type of regression testing do you employ with bug fixes?

A follow-up to the bug-reporting question is regression testing, and this is a biggie. Regression testing is the process of making sure a bug fix didn’t break a bunch of other things. Sadly this doesn’t happen that often, and a bug fix often introduces other problems, including additional security problems. Again, this is a reaction question, so make sure you gauge their response.

What type of security training do you provide to your developers?

This is a little bit of a self-serving question, because my company offers web application security training to web developers, but that doesn’t make it any less important. Most developers get zero web application security training beyond what they read off the Internet. So, if you find a third party web developer that knows security well, hire them on the spot; they most likely will take your web application security very seriously. Then again, this sort of third party developer is something of a purple unicorn: I have never met one that actually exists, but I’m hopeful I will find one some day.

What sort of logs will this application generate?

This is an important one, but an often overlooked part of hiring out a web developer, and it applies not just to security but to performance and troubleshooting too. If the web application generates no useful logs for troubleshooting, it will be harder to figure out how the application works when it is turned over to you. If they are taking security seriously, they will also log requests copiously so the logs can be analyzed for attack patterns, possible data breaches, and so on. This is a great question to ask up front because a lot of third party shops (and internal developers, for that matter) do not take logging into consideration. It is one of the most important things you can do to make sure your application has a successful lifecycle.
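To make the logging question concrete, here is an added example (written for this page, not code from the original post or from Hurricane Labs) of what "useful logs" look like in practice: a request logger that emits one machine-parseable JSON line per request, and three small passes over a constructed sample log, one each for security (bursts of failed logins from a single client), troubleshooting (5xx responses by path) and performance (slow requests). The field names, the `/login` path, the thresholds and the sample addresses are all assumptions; the sample traffic is constructed, not captured.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def log_request(ts, client_ip, user, method, path, status, duration_ms):
    """Serialise one request as a JSON line.

    The field set is an assumption for this example. The point is that every
    line is machine-parseable and records who (client_ip, user), what (method,
    path), when (ts) and the outcome (status, duration_ms). Deliberately
    absent: request bodies, passwords, session tokens and card numbers, which
    must never reach the log.
    """
    record = {
        "ts": ts.isoformat(),
        "client_ip": client_ip,
        "user": user,
        "method": method,
        "path": path,
        "status": status,
        "duration_ms": duration_ms,
    }
    return json.dumps(record, sort_keys=True)


# Constructed sample traffic (RFC 5737 documentation addresses, hypothetical
# times); this is not captured data.
_T0 = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_LOG = [
    log_request(_T0 + timedelta(seconds=s), "203.0.113.7", None, "POST", "/login", 401, 120)
    for s in (0, 20, 40, 60, 80)
] + [
    log_request(_T0 + timedelta(seconds=100), "203.0.113.7", "alice", "POST", "/login", 200, 150),
    log_request(_T0 + timedelta(seconds=5), "198.51.100.4", "bob", "GET", "/account", 200, 80),
    log_request(_T0 + timedelta(seconds=6), "198.51.100.4", "bob", "GET", "/report", 500, 2500),
    log_request(_T0 + timedelta(seconds=7), "198.51.100.4", "bob", "GET", "/report", 500, 2600),
    log_request(_T0 + timedelta(seconds=8), "192.0.2.10", None, "POST", "/login", 401, 110),
    log_request(_T0 + timedelta(seconds=9), "192.0.2.10", "carol", "GET", "/", 200, 30),
]


def parse_log(lines):
    """Turn JSON lines back into dicts, restoring 'ts' as a datetime."""
    records = []
    for line in lines:
        r = json.loads(line)
        r["ts"] = datetime.fromisoformat(r["ts"])
        records.append(r)
    return records


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Security: client IPs with >= threshold failed logins inside one window.

    A failed login is modelled as POST /login answered with 401; the path and
    threshold are assumptions. Returns {ip: peak failures seen in any window}.
    """
    times_by_ip = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"] == "/login" and r["status"] == 401:
            times_by_ip[r["client_ip"]].append(r["ts"])

    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def server_error_paths(records):
    """Troubleshooting: count 5xx responses per path."""
    counts = defaultdict(int)
    for r in records:
        if 500 <= r["status"] < 600:
            counts[r["path"]] += 1
    return dict(counts)


def slow_requests(records, limit_ms=2000):
    """Performance: requests slower than limit_ms, slowest first."""
    slow = [r for r in records if r["duration_ms"] > limit_ms]
    return sorted(slow, key=lambda r: r["duration_ms"], reverse=True)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(recs))
    print("5xx by path:", server_error_paths(recs))
    print("slow requests:", [(r["path"], r["duration_ms"]) for r in slow_requests(recs)])
```

The same three passes work unchanged against a log file read line by line, which is the property to ask the developer about: if each request is written as one structured record with client, user, path, status and timing, then attack-pattern review, breach investigation and performance troubleshooting are all simple filters over the same data instead of separate guesswork.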

How will the application handle authentication?

This answer will vary widely depending on whether it is an internal or external application, and whether or not it will integrate with some third party authentication provider or internal directory. Look for flexibility here: a lot of frameworks will let you “plug in” two-factor auth or some other authentication provider. If the developer is resistant to using the framework’s built-in authentication in favor of something they wrote, be sure to ask a lot of questions about it. Why is it better than the framework’s built-in set? The question about bug fixes becomes much more important if they wrote their own authentication routines, because those won’t get updated with the framework’s regular patching.

How will the web application handle credit card payments?

Obviously this one depends on whether or not your application requires credit card payments. If the developer does not know what PCI is, for instance, then RUN, do not walk, to the nearest exit. Ideally you want the credit card payments to be handled by some sort of payment gateway or third party so you offload the risk of a breach to them. Obviously, you want to take this very seriously and pay close attention to the answers and body language.

Has an application you’ve written ever been “hacked” or breached?

If the answer to this is anything but ‘yes’, they are either ignorant or lying to you. The response to this question is the most important. If they have been breached, how did they handle it? Ask for specifics and look for honesty.

Can I have a guarantee that this application will never be hacked?

The answer to this should be ‘no’. The question is designed to test the integrity of the web developer you’re asking. No one on Earth can make such a guarantee, so if they answer yes then you know they are either lying to you or completely ignorant. Regardless of the reason, ‘yes’ is never an acceptable answer.

Those are the ten questions that have worked best for me over the years as I’ve consulted with various companies to help them hire third party web developers. Hopefully you have found them useful as well.

The post Top Web Application Security Questions to Ask Third Party Developers appeared first on Hurricane Labs.

Christina O’Neill has been working in the information security field for 3 years. She is a board member for the Northern Ohio InfraGard Members Alliance and a committee member for the Information Security Summit, a conference held once a year for information security and physical security professionals.