Application Security - An Inside Story - TCS
Introduction
Introducing application security is a great responsibility. Let me try.

For the uninitiated, this is about doing ‘everything’ to reduce the chances of the application being breached. That ‘everything’ then fans out into various kinds of security assessments, though mostly reactive ones. It takes time for application owners to realize that a major portion of the effort can be reduced through proactive measures. The realization does not dawn easily, and in most cases it is seen as unnecessary expenditure on something that has not happened yet!
Those who know the hustle and bustle of application security will always come with their own opinion of how it should be done: they will insist on a particular tool and a certain kind of report customized to their requirement and, if that’s not all, will also demand a certification or warranty that the application has been secured and is thereby breach-proof!
From a security group’s perspective, however, it is probably neither of those. I’ll come back to my favorite ‘building a house’ analogy. Securing a house that has been standing for about 2-3 years, with an ecosystem around it that is constantly changing, is not a one-day job. You have to analyze and visualize the possible threats and then see what can be done. You have to invite pseudo robbers (i.e. ethical burglars) and see what they have to tell you about how easy or difficult it was to break into your house (Ah! The black-box mode), or invite another set of experts to look at the inside of your house and at the articles inside that could provoke a burglary (Ah! The white-box mode).
Securing an application is a continuous activity and is not confined to any pre-defined set of activities. At best you are thwarting a set of rookies from attacking your application; you are never far from being attacked by a pro who might have a specific agenda, or none at all! Nothing is foolproof so far, and probably nothing ever will be, but a current application security assessment will at least ensure that you have taken care of some of the most fundamental loopholes in your application. Looking at the high-profile application breaches of the last 5 years and the types of attacks used, it is worth the effort to ensure that applications go through this fundamental scanning (Ah! The black-box mode again!).
Who Needs it and When?
Great! Finally we have arrived at the age-old consumer-provider story. Let us find out who needs application security and who is providing it. Or who should provide it?

There are a lot of stakeholders in an application:
- Owner/Sponsor
- Developer
- Data Modeler
- Database administrator
- Server administrator