Is Your Application Security Up to Spec?
Get the lowdown on an effective strategy for defending application security.
by Alex Smolen
June 23, 2005
Legislation such as the Gramm-Leach Bliley Act and the Sarbanes-Oxley Act has generated much interest and anxiety regarding corporate security. Essentially, this legislation mandates security by threatening steep fines and requiring information disclosure for any company that allows security breaches to impact private data. However, the recent legislation does not explain how to secure this data, and companies are struggling to solve the information security problem.
A typical first step is to examine the network infrastructure for security vulnerabilities. This is probably not the best approach, considering that the majority of exploits are not at the network level. In fact, according to Gartner, 75 percent of the malicious hackers are walking through the front doors: the insecure applications that companies use to access their data.
Unfortunately for organizations faced with mandates for security, application security is not only critical but also difficult to achieve. Application security has steadily ascended in priority as a requirement for enterprise software, growing from a customer trust issue to a serious matter of legal culpability. As CSOs and CIOs redouble their efforts to formulate a security solution that is both cost-effective and compatible with existing business models, the myriad of offerings, methodologies, and guidelines can seem overwhelming and untenable. It is exceedingly difficult to find a comprehensive, manageable solution to what is by nature an unclear problem.
From this standpoint, asking "Is your enterprise application secure?" is a rhetorically vague question. Because the overarching goal of security is to identify, evaluate, and mitigate risk, attempting to achieve complete security without an idea of what systems to secure and what threats to defend against is likely to lead to blown budgets or, worse, an exploitation of a thinly applied security solution. To get a grasp on an application's security (or vulnerability), an organization needs to understand and communicate what threats are most important to guard against and what defensive strategies are necessary.
This article explores the general challenges associated with application security, then introduces one effective strategy for defending application security: integrating application security into the development lifecycle by defining and enforcing a security policy.
Application Security Challenges
One of the challenges associated with safeguarding application security is establishing who should be responsible for it, and what this responsibility entails. If security exploits are three times more likely to occur on the application level than on the network level, is a developer three times more likely than a network administrator to be responsible for a security breach?
This question should merit serious consideration about the lack of emphasis placed on secure development. Any competent system administrator knows that systems need to be configured for security, patched regularly, and protected from hackers. It is becoming increasingly evident that developers, architects, and testers need to learn about security to deliver successful and compliant applications. Furthermore, their efforts need to be coordinated so that security mechanisms are consistent and centralized.
In an effort to prevent security breaches and the negative publicity that accompanies them, some organizations are turning to external security experts, who are asked to "ethically hack" the organization's application to find any vulnerabilities preemptively. Although this strategy can be useful as a kind of smoke test to determine whether any flaws have been overlooked, it fundamentally treats the symptoms rather than addressing the cause. The management of application security is neither effective nor efficient when it is applied like an aftermarket protective coating. Instead, it should involve controls to prevent vulnerabilities from creeping into applications, as well as efforts to make security a key concern during the design and testing phases.