
Application Security

As an organisation's understanding and implementation of information security matures, the profile of threats changes, which can lead to a false sense of security. For example, most mature organisations now have a two-tiered external firewall perimeter protecting the internal infrastructure. While this offers a higher degree of protection at the network layer, external would-be attackers, following the path of least resistance, have begun to shift up the network stack and now threaten the application layer.

The threats to the business are clear. Internet-facing applications are highly visible business systems, both to the customer and to the perpetrators. These systems are generally mission-critical and perform a range of functions such as storing sensitive customer data, presenting the company brand to the world, or processing high transaction volumes and/or amounts.

By their accessible nature, Internet-facing applications are an easy target, and because of their complexity the perpetrator is presented with a multitude of attack vectors. The business logic, which resides at the application layer, often leaves the application susceptible to complex logic flaws. In addition, human error during development may also expose the application to garden-variety injection, authentication, authorisation and denial of service attacks.

Integrating risk management practices into the system development life cycle (SDLC) is a central tenet of ensuring application security. As most IT organisations have tight budgets for information security, spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology will ensure that the most appropriate controls are put in place in a cost-effective manner.

Application security assessments against globally recognised principles are a key component of application risk management. One such industry standard is the Open Web Application Security Project (OWASP) “Guide to Securing Web Applications and Services”. This practical guide covers many aspects of application security, from secure coding principles to authentication to web services.

For more information regarding Application Security, please contact us.

Further reading

SIFT's Application Security Capability
NIST Risk Management Guide for IT Systems
Open Web Application Security Project (OWASP)

© 2000-2008 SIFT Pty Ltd. All rights reserved.