As an organizations’ understanding and implementation of information security matures the profile of threats changes which can lead to a false sense of security.
For example most mature organizations now have a two tiered external firewall perimeter protecting the internal infrastructure. While this offers a higher degree of protection at a network layer, external would-be attackers, following the path of least resistance, have begun to shift up the network stack and now threaten the application layer.
The threats to the business are clear. Internet-facing applications are highly visible business systems, both to the customer and to the perpetrators. These systems are generally mission critical systems and perform a range of functions such as storing sensitive customer data, presenting the company brand to the world or processing high transactions volumes and/or amounts.
By their accessible nature, Internet facing applications are an easy target however due to the complex nature of the application, the perpetrator is presented with a multitude of attack vectors. The business logic, which resides at the application layer, often leaves the application susceptible to complex logic flaws. In addition to this, human error during the development may also expose the application to garden variety injection, authentication, authorization and denial of service attacks.
Integrating risk management practices into the system development life cycle (SDLC) is a central tenet of ensuring application security. Security measures are incorporated throughout the development cycle of an application to minimize the possibility that hackers can access, steal, delete or modify sensitive data. Most common counter measures are firewalls, routers, switches, Encryption / Decryption programs, Anti Virus programs, Spyware detection / removal programs, Authentication systems.
As most IT organizations have tight budgets for information security, spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology will ensure the most appropriate controls are put in place in a cost effective manner.
Application security assessments against globally recognized principles are a key component of application risk management. One such industry standard is the Open Web Application Security Project (OWASP) “Guide to Securing Web Applications and Services”. This practical guide covers many aspects of application security from secure coding principles to authentication to web services.
Caresoft Security practice, has a proven experience in assisting clients integrate risk management activities into the phases of the SDLC. Our information risk management and technical teams can assist with the provision of:
- Security architecture reviews
- Secure application development training
- Technical Risk Assessments
- Application BCP/DR planning
- Low-level technical reviews
- Reverse engineering
- Line by line code analysis
