Enterprise Security Trends Blog | HP Blogs

Are your applications securely holding the fort in your enterprise?

Adversaries are always on the prowl to penetrate the perimeters of the enterprise through the demilitarized zones, the intranet, the servers, the operating systems, the applications and finally, the data. Their overall goal is to gain access to the underlying data, which has even more value and context when accessed through the applications layer. Once the applications security is compromised, there are really no more layers of protection—since it opens up unfettered access to the data. Therefore, the applications layer has to hold the fort in your enterprise and be on guard should the outer perimeters be penetrated.

HP Distinguished Technologist John Diamant points out in his interview on SecuritySolutionsWatch.com that applications continue to represent one of the weakest links in enterprise security. So, what steps can enterprises take to address this challenge? The “Application security in the SDLC” session by Kevin Poniatowski from Safelight Security at HP Protect 2013 provides some pointers. “Application security is not an add-on or a plug-in. It is a process that must be included in all phases of the development lifecycle to mitigate risk,” Poniatowski writes. What exactly does this mean within each phase of the Software Development Lifecycle? Let us take a look.

Analysis. Along with the functional requirements, the non-functional requirements—including security—must be determined for an application before it is architected. This includes a gap analysis of the security regulations and best practices that apply to each individual application. Doing so makes it easier to justify the cost of enforcing the right security measures in alignment with those requirements.

Architecture. Security is an integral part of the Enterprise Architecture (EA) DNA. A high-level view of the architecture must be used for threat modeling and attack surface analysis to identify weaknesses in the structure and design, because those weaknesses correlate directly with the security vulnerabilities that are likely to be coded or configured into an application.

Build. Application designs must also address the not-so-happy what-if scenarios. Model-driven approaches work well to proactively anticipate security violations, ensuring the right measures are in place at design time. Tools must be used to scan the source code effectively for vulnerabilities.

Test. “You can’t rely only on testing scenarios to find and fix all of your existing application vulnerabilities,” Diamant cautions. We must still test and fix security flaws even though they are reactive measures that should have been preempted in the preceding phases.

Sustain. Applications meet the infrastructural components of network and storage, which open up additional intersection points — a fertile ground for violations. Independent validation and verification of existing applications must be performed to proactively identify gaps, and therefore vulnerabilities.

The 9th Annual HP Security user conference, HP Protect 2013, provides an opportunity to attend about 150 technical sessions on enterprise security that comprehensively address various aspects, including Network, Data, Software, and Information and Event Management.

What measures are you taking within your enterprise to proactively enforce application security across the Software Development Life Cycle (SDLC)? Please consider attending the Application security session to check out other options.

Connect with Nadhan on: Twitter, Facebook, Linkedin and Journey Blog.

HP Distinguished Technologist E.G. Nadhan has over 25 years of experience in the IT industry across the complete spectrum of selling, delivering and managing enterprise-level solutions for HP customers. He is the Chief Architect for the standardized framework of processes and tools that HP Enterprise Services uses to deliver world-class applications solutions.

Twitter handle @NadhanAtHP.

Comments
Blackheath Locksmiths | ‎09-06-2013 03:44 PM

A very interesting article and well written :smileyhappy:
