Application Security: Four Key Steps
A Common Target
“Applications are one of the most common targets for attackers because of the large surface area they present on the network,” says Josh Shaul, vice president of product management at information security vendor Trustwave. “Think of your applications as the things attackers are most likely to attack and build your breach prevention strategy from there.”
Organizations should begin addressing application security risks by analyzing their systems for the most commonly exploited vulnerabilities using the Open Web Application Security Project’s 10 most critical Web application security risks list.
“The OWASP Top 10 is a well-regarded list that can be used to establish a good foundation of security around any applications,” says Ben Desjardins, director of security solutions for application security firm Radware.
Among the top vulnerabilities included on the list are injection flaws, broken authentication and session management functions and cross-site scripting.
After understanding what the top vulnerabilities are, developers should be trained and educated to address application security gaps early on.
“Typically, application developers do not have extensive knowledge in networking or security because they are not taught these subjects in college or on the job.
As a result, developers should be trained on the proper use of the common APIs and libraries, as well as how to avoid coding vulnerabilities into applications, Evans says. “Once trained and educated, developers more often than not embrace this knowledge and incorporate these secure practices into everything they code.”
To ensure the quality of the application, developers need to define the security requirements in the same language as other requirements for the application up front before the coding begins, Murray says. “Make certain that the application owner understand and accepts all the residual security risk at the time of first use.”
Quality control and assurance testing should be applied to all custom-coded applications that interact with the Internet and all critical custom applications that are internal to the organization. This process subjects the code to analysis and review for well-known vulnerabilities, unused code and malicious code.
The growing use of mobile devices, including tablets and smart phones, which often contain more applications than a desktop PC, means mobile app security must be a new risk management priority, says Domingo Guerra, president and co-founder of application risk management firm Appthority.
“The number of apps per device has grown exponentially compared to laptops and desktops,” he says. “Instead of 10 applications per device, we see between 50 and 200 apps on each employee smart phone. These factors, as well as the growing number of risky behaviors found in popular apps, means that application security is now more important than ever.”
The application security program should include these steps:
Automatically remediate devices that have apps that are out of compliance.
Address: Plot 1672 KarimuKotun Victoria Island Lagos.
Phone: +234 814 549 4415