Web application security - the fast guide 1.1 | Page 174

Chapter 9 - Secure Application Development

9.1 Injecting security - Penetration and patch approach

Figure 64: penetration and patching cycle approach

Web application security in comparison: even though web applications are considered cursed with openness to the world, the difficulties of public access and a short development cycle, they still have many advantages from the patching and recovery point of view. Traditional application patching is done by providing a patched version and hoping that users will download it in time, whereas any needed patch to a web application can be applied directly by uploading the patched version to the server. So an acceptable solution is to apply the penetrate-and-patch approach: searching for vulnerabilities and trying to patch them. The problem with this approach is its cost: according to many studies, a vulnerability discovered in production costs thirty times more to fix than one found at the starting phase, and each patching and release cycle creates the need to retest that the patch did not introduce other vulnerabilities or cause a functionality issue.

9.2 Security centric approach

The penetration and patching approach can be acceptable in many scenarios, especially when the development period is limited, but why wait until the end? Why not enforce security from the beginning as an essential part of the development cycle?