Application security - The ACE View
As business process automation took hold in the early 1990s, organizations began to replace people with software programs. These early programs automated relatively unimportant business processes, ones that could still be performed manually if the software failed. As enterprises realized significant cost savings from deploying them, such programs became more and more prevalent in day-to-day business operations. Along with this transition they took on more and more important business processes, including ones that could no longer be performed manually if the software failed. As a result, businesses came to rely very heavily on the proper functioning of these programs. In today's IT environment these programs, now called "Line of Business" applications, are crucial to the daily operation of the business. Any malfunction in these applications can cost the enterprise business and revenue. In fact, quite often we find that enterprises have dedicated IT support staff working around the clock to ensure that these Line of Business applications are functioning correctly.
In today's highly competitive world, where enterprises are trying to cut costs, we notice that they are trying to automate more and more business processes and are rolling out software to do so at breakneck speed. Rolling out Line of Business applications on such a compressed development life cycle leaves many vulnerabilities in these applications. These vulnerabilities are not only a source of increased failures in these crucial programs; they are also an opportunity for attackers to gain access to crucial business data. One must remember that Line of Business applications handle data of very high business value: users do not hesitate to type private or financial information into them. Hence vulnerabilities in these applications that are discovered by attackers are far more critical, and can cause far more damage to the business, than vulnerabilities in other, standard applications.
Security companies have been trying to secure these applications for quite a while, but their efforts have so far gone into securing the perimeter and the host machines rather than the application itself. These efforts include the plethora of host-based intrusion detection systems, network firewalls and similar software. Only recently, as security companies have matured, do we notice a trend emerging in which they pay more and more attention to securing the application itself rather than the perimeter around it. In recent times we have seen far more effort directed at securing the application directly, and this is what we call "Application Security".
Now that we have given a history of how the term "Application Security" evolved, we need to mention that none of the security companies agree on a single process for performing "Application Security". Each security consultancy performs "Application Security" however it deems best. A wide gamut of tools is also being sold to assist with "Application Security", but a discussion of those tools is a whole other article. I won't get into the details of the different steps involved in "Application Security" in this article.
But what I would like to mention is that we would like to see a common methodology for performing "Application Security". To facilitate this, we, the ACE Team, will soon be launching a community website focused on "Application Security" (i.e. how to secure your Line of Business applications). This community website will allow security practitioners, developers and other interested companies and individuals to discuss the issues with Application Security and the various steps involved in it.
Please do mail us and tell us about your interests and what you would like to see on the community website that we are planning to set up.
Deepak Manohar
Security Technologist
PS: As blogs are supposed to be personal as well, for more personal information about me visit my website. The information is a little outdated.
- Anonymous
November 10, 2006
Hi there, isn't your SDL process or that http://www.securityenhanced.org/default.aspx such a kind of Application Security?! Best regards, PSchuetz