Web applications need security maintenance

The “Clarity in Code” article about maintenance states that there is a significant cost in software maintenance and that there are 4 reasons for software maintenance. It also has this nice graph:

Picture 1: Ratio between development and maintenance costs

Some practical examples of the 4 reasons for software maintenance (adaptive, corrective, perfective and preventive):

  • A bug has been found.
  • A new feature needs to be added.
  • There is a change in (business) requirements or a (business) process.
  • A law about storing (personal) data in the database or about tracking users (using cookies) changed.
  • A company name, VAT percentage, email address or currency changes and turns out to be not configurable.

Let me give you one very important, but less obvious, reason:

  • There may be security vulnerabilities in the operating system or web framework your application is built upon.

Updating software seems unimportant until the application gets hacked. At that point you, as software maintainer, will be blamed. But how do you make sure your software is secure?

  1. Install (security) updates. Read about them in security bulletins.
  2. Do not run any software that is declared “End-Of-Life” and only use actively developed open source projects.
  3. Have an easy-to-find email address for responsible disclosure of vulnerabilities and respond to it.
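As an added example (not code from the original article), the script below shows how the first two points can be checked on an Ubuntu or Debian host: it separates pending security updates from ordinary ones in the output of `apt-get --just-print upgrade`, and it warns when the running release is past its End-Of-Life date. The apt output embedded in the script is a constructed sample, and the EOL date passed to `eol_check` is a placeholder to be replaced with the date from the release calendar.

```shell
#!/bin/sh
# Added example, not code from the original article. It demonstrates
# (1) separating pending security updates from ordinary updates in
# `apt-get --just-print upgrade` output and (2) warning when a release
# is past its End-Of-Life date. The apt output and the EOL date used
# below are constructed placeholders, not real data.

# Constructed sample of `apt-get --just-print upgrade` output. Package names
# are real Ubuntu package names; the version strings are made up.
SAMPLE_APT_OUTPUT='Inst libssl1.0.0 [1.0-1] (1.0-2 Ubuntu:12.04/precise-security [amd64])
Inst apache2.2-common [2.2-1] (2.2-2 Ubuntu:12.04/precise-updates [amd64])
Inst php5-cli [5.3-1] (5.3-2 Ubuntu:12.04/precise-security [amd64])
Conf libssl1.0.0 (1.0-2 Ubuntu:12.04/precise-security [amd64])'

# Print "package new-version" for every pending install whose origin is the
# -security pocket. Only "Inst" lines count; "Conf" lines repeat the same
# packages and would double-count them.
security_updates() {
    printf '%s\n' "$1" | awk '
        $1 == "Inst" && $5 ~ /-security$/ {
            ver = $4; sub(/^\(/, "", ver)
            print $2, ver
        }'
}

# Number of pending security updates (0 when the output has none).
count_security_updates() {
    security_updates "$1" | awk 'END { print NR }'
}

# Return 0 (true) when ISO date $1 is strictly after ISO date $2.
# Fixed-width YYYY-MM-DD strings sort correctly as plain text, so the
# GNU-only `date -d` is not needed.
date_after() {
    [ "$1" != "$2" ] && \
        [ "$(printf '%s\n' "$1" "$2" | sort | tail -n 1)" = "$1" ]
}

# Warn when a release has passed its EOL date. $1: release name,
# $2: EOL date (YYYY-MM-DD), $3: today's date (YYYY-MM-DD).
# Returns 0 when past EOL so callers can branch on it.
eol_check() {
    if date_after "$3" "$2"; then
        echo "WARNING: $1 reached End-Of-Life on $2; no more security updates"
        return 0
    fi
    echo "$1 is supported until $2"
    return 1
}

# On a real host the calls would be:
#   security_updates "$(apt-get --just-print upgrade 2>/dev/null)"
#   eol_check "$(lsb_release -ds)" "<EOL date from the release calendar>" "$(date +%F)"
# Here the constructed sample is used instead.
main() {
    echo "Pending security updates:"
    security_updates "$SAMPLE_APT_OUTPUT"
    echo "Total: $(count_security_updates "$SAMPLE_APT_OUTPUT")"
    # "2000-01-01" is a placeholder EOL date, not the real one for this release.
    eol_check "Ubuntu 12.04 LTS" "2000-01-01" "$(date +%F)" || true
}

main
```

The `Inst` line format (`Inst <package> [<old version>] (<new version> <origin>/<suite>-<pocket> [<arch>])`) is what apt prints in simulation mode, so the same parser can be fed the live output shown in the comment; the `-security` pocket test is what distinguishes a security fix from a regular update in that output.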

Below you’ll find relevant information about security updates for an Ubuntu 12.04 LTS LAMP stack with Symfony2:

And here you can find the release calendar and the End-Of-Life dates:

For a more detailed and complete overview you might want to check the U.S. National Vulnerability Database (NVD) as well. If you run Microsoft software you might want to check the Microsoft Security Bulletins for any of their vulnerabilities. If this all seems like a lot of work, you may consider using a tool like OpenVAS, an open source vulnerability scanner and manager that will show you the active threats in your network(s).