Considerations for Application Security Program
Application security is the use of software, hardware, and procedural methods to protect applications from external threats.
The goal is either preventing unwanted events or ensuring desired events.
Many factors can threaten an application's security, including its design, data transmission, patching, access control, encryption and provisioning.
Key steps can be taken to form a comprehensive application security program which helps organizations understand their exposures and provides specific steps to reduce the risks.
Some specific items to consider for your Application Security Program include:
- Conducting an Application Inventory
- Using a Secure Software Development Lifecycle
- Ensuring Proper Application Access and Data Classification Levels
- Planning for the safety of your Data Transmission and Encryption
- Backup and Maintenance
- On-going Employee and Contractor Education
Application Inventory
IT organizations need to understand exactly what they are responsible for supporting. Basic questions include: Where are my applications? What do these applications do? Who are the application owners? What technologies are needed to support these applications?
Secure Software Development Lifecycle
Adopt a secure software development methodology. A robust methodology should address the security issues that arise in the requirements-gathering phase, the design process and implementation. Best practices such as code and peer reviews, functional testing, vulnerability testing and penetration testing should be used.
Application Access and Data Classification
Every application in the inventory should have an assigned application and data owner to establish accountability and authority. Access rights must be granted by the application or data owner taking into consideration the data classification, data sensitivity, security level and job functions. Role based authorization can enforce security policies and segregation of duties, and therefore is encouraged.
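The paragraph above asks for three things at once: an accountable owner for every inventoried application, access decisions driven by data classification, and role-based authorization that enforces segregation of duties. The following Python example, added here and not part of the original post, shows how those rules combine in one authorization check. The classification levels, role names, applications and conflict pairs are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Classification(IntEnum):
    """Data classification levels, least to most sensitive (constructed scheme)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Application:
    """Inventory record: name, accountable owner (may be missing), data classification."""
    name: str
    owner: Optional[str]
    classification: Classification


@dataclass(frozen=True)
class Role:
    """A role grants (application, action) permissions up to a clearance level."""
    name: str
    permissions: frozenset   # of (application name, action) tuples
    clearance: Classification


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset         # of role names


# Role pairs that must never be held by the same person (constructed example).
SOD_CONFLICTS = {frozenset({"payment_initiator", "payment_approver"})}


def sod_violations(role_names):
    """Return every segregation-of-duties pair fully contained in the role set."""
    return [pair for pair in SOD_CONFLICTS if pair <= role_names]


def authorize(user, app, action, roles_by_name):
    """Decide whether user may perform action on app; returns (allowed, reason)."""
    # Accountability first: with no owner, nobody has the authority to grant access.
    if not app.owner:
        return False, "no application owner assigned; access cannot be granted"
    # Segregation of duties is checked on the whole role set, not per permission.
    if sod_violations(user.roles):
        return False, "user holds conflicting roles"
    # Role-based grant, limited by the role's clearance against the data classification.
    for role_name in sorted(user.roles):
        role = roles_by_name.get(role_name)
        if role is None:
            continue
        if (app.name, action) in role.permissions and role.clearance >= app.classification:
            return True, f"granted via role {role_name}"
    return False, "no role grants this action at the required classification"


# Constructed sample roles and inventory.
ROLES = {r.name: r for r in (
    Role("payment_initiator", frozenset({("payroll", "create")}), Classification.CONFIDENTIAL),
    Role("payment_approver", frozenset({("payroll", "approve")}), Classification.CONFIDENTIAL),
    Role("helpdesk", frozenset({("payroll", "read"), ("wiki", "read")}), Classification.INTERNAL),
)}
APPS = {
    "payroll": Application("payroll", "finance-director", Classification.CONFIDENTIAL),
    "wiki": Application("wiki", "it-ops", Classification.INTERNAL),
    "legacy_crm": Application("legacy_crm", None, Classification.CONFIDENTIAL),
}


def decisions():
    """Run the sample users through the check; keys describe each scenario."""
    alice = User("alice", frozenset({"payment_initiator"}))
    bob = User("bob", frozenset({"payment_initiator", "payment_approver"}))
    carol = User("carol", frozenset({"helpdesk"}))
    return {
        "alice_create_payroll": authorize(alice, APPS["payroll"], "create", ROLES)[0],
        "bob_approve_payroll": authorize(bob, APPS["payroll"], "approve", ROLES)[0],
        "carol_read_payroll": authorize(carol, APPS["payroll"], "read", ROLES)[0],
        "carol_read_wiki": authorize(carol, APPS["wiki"], "read", ROLES)[0],
        "alice_create_legacy": authorize(alice, APPS["legacy_crm"], "create", ROLES)[0],
    }


if __name__ == "__main__":
    for scenario, allowed in decisions().items():
        print(f"{scenario}: {'ALLOW' if allowed else 'DENY'}")
```

Two design points are worth noting. The owner check runs before any permission lookup, so an application that slipped into the inventory without an owner is unusable until accountability is assigned, which is the incentive the paragraph is after. Clearance is compared as an ordered level rather than a per-application flag, so the helpdesk role can read the internal wiki but is refused the confidential payroll data even though it nominally holds a "read payroll" permission.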
Data Transmission and Encryption
An organization may have different requirements for data transmission. Where data transfer is over internal networks, an organization may assume that both data confidentiality and data integrity must be considered. Should data encryption be used for data at rest? What about data in transit? To answer these questions the organization should utilize a risk assessment and a data sensitivity level analysis to determine the needs and types of data encryption required. There may also be budget and performance issues to consider.
Backup and Maintenance
Organizations need to ensure that the application data is properly backed up and conforms to the organization’s backup and data retention policy. Backup/Restore and Archive/Retrieval mechanisms must be fully tested and documented.
Continuous Employee Education
An effective IT security awareness and training program explains the expected proper behavior for the use of the IT systems, applications, and information.
No application is 100% secure and no environment is 100% risk-free. An effective IT application security program, part of an overall security program (we will discuss the overall security program in another blog), is crucial to identifying application security exposures and reducing risks. Beyond satisfying compliance and business requirements, new technologies such as mobile devices' access to corporate data make securing applications and data even more of a challenge. The application security program, like other sets of IT policies and processes, needs to be reviewed and revised to meet the needs of an ever-changing technological world.
We have prepared a compendium whitepaper titled "Considerations for Application Security Program" where we discuss further the major topics introduced above.