T 2.158 Deficiencies in the development and extension of web applications
If a web application is developed or extended on the basis of non-existent or inadequate specifications and standards, the result can be errors, loss of quality or incompletely implemented functionality. In many cases, errors made in earlier development phases of the application are only discovered at an advanced stage of development. Eliminating these errors afterwards often requires comprehensive changes, which can significantly increase development costs. In the case of fundamental architectural errors, the development of a completely new web application is required.
Furthermore, if there are no specifications for the implementation of security mechanisms, the protection requirements of the data to be processed (e.g. high protection requirements regarding availability) may not be met.
The following are examples of consequences of non-existent specifications during the development and extension of web applications.
- Due to a non-existent procedural model for software development (Software Development Lifecycle), not all development phases are completed in a structured manner, so that security aspects are not considered at all or only in a later development phase. As a result, the quality of the security functions deteriorates, with the consequence that the intended security level is not achieved or development costs increase because subsequent improvements are required.
- Non-existent programming guidelines (Coding Guidelines) result in an inconsistent structure and in heterogeneous programming styles and security mechanisms. This makes it more difficult to become familiar with the program code when extending or maintaining the web application. Consequently, subsequent changes and extensions become very difficult to implement and, with increasing complexity, more prone to error.
- Due to the incorrect specification of (security-related) test cases and the incomplete selection of test data, not all possible uses of the application are covered, so that errors remain undetected. If, for example, the component of a web application that filters input data is tested with inadequate test cases and test data, incompletely implemented filter mechanisms are not detected.
- If functional and legal requirements in terms of barrier-free accessibility are not met, the use of the web application by people with disabilities is restricted.
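The third point above, illustrated with an added example that is not part of the catalogue text: a constructed input filter is first checked against the single case its developer had in mind and passes, then against a more complete set of test data that exposes the incomplete filter mechanism; a hardened variant that canonicalises and output-encodes is checked with the same data. The filter functions, the test strings and the acceptance check are all constructed for this illustration.

```python
import html
import re
from urllib.parse import unquote

# Deliberately incomplete filter (constructed): removes only lower-case
# <script> tags from the raw, still URL-encoded input.
def incomplete_filter(value: str) -> str:
    return re.sub(r"<script.*?>.*?</script>", "", value)

# Hardened variant (constructed): canonicalise first (URL-decode, resolve
# HTML entities), then output-encode so that no markup survives at all.
def hardened_filter(value: str) -> str:
    canonical = html.unescape(unquote(value))
    return html.escape(canonical, quote=True)

# Acceptance check applied by the tester: after filtering, neither a raw
# '<' nor a percent-encoded one (%3C) may remain in the output.
def dangerous_remains(output: str) -> bool:
    return "<" in output or "%3c" in output.lower()

# Inadequate test data: covers only the case the developer had in mind.
INADEQUATE_TESTS = ["hello", "<script>alert(1)</script>"]

# More complete test data: case variants, URL-encoded input and
# event-handler attributes, i.e. the uses the filter must also cover.
COMPLETE_TESTS = INADEQUATE_TESTS + [
    "<SCRIPT>alert(1)</SCRIPT>",
    "%3Cscript%3Ealert(1)%3C/script%3E",
    '<img src=x onerror="alert(1)">',
]

def failing_inputs(filter_fn, tests) -> list:
    """Return the test inputs for which dangerous content survives filter_fn."""
    return [t for t in tests if dangerous_remains(filter_fn(t))]

if __name__ == "__main__":
    # With inadequate test data the defect goes undetected (no failures);
    # the complete set reveals three gaps; the hardened filter passes all.
    print("incomplete filter, inadequate tests:",
          failing_inputs(incomplete_filter, INADEQUATE_TESTS))
    print("incomplete filter, complete tests:  ",
          failing_inputs(incomplete_filter, COMPLETE_TESTS))
    print("hardened filter, complete tests:    ",
          failing_inputs(hardened_filter, COMPLETE_TESTS))
```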