Application Security
There is a disturbing trend in Internet threats: attackers are moving up to the application layer. Router ACLs, firewalls, demilitarized networks and intrusion detection software are all for naught against it, because the malicious traffic is perfectly valid TCP/IP and follows exactly the path the network gear permits. Layered network controls are still an absolute requirement, but the application layer must be hardened as well.
Here is how I recommend approaching application security:
1. If your organization does not have secure coding standards, now is the
time to establish them. Use the OWASP top ten web application security
vulnerabilities to start (http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).
2. The WebGoat teaching environment is useful for those unfamiliar with
application vulnerabilities (http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project).
3. Involve the security team in all phases of development and build
security controls into applications from the start. This will also save
money as it is costly to "bolt on" controls later.
4. Map how data flows through the application and put controls where the risk is. Encrypt sensitive information in transit, at rest and in backups.
5. Use strong authentication (e.g. two-factor or multi-factor authentication) so that a phished password alone is not enough to log in.
6. Log security events and transactions, and monitor those logs for application-layer attacks.
7. Conduct application penetration testing (outsource and/or train).
8. Conduct code reviews before publishing to production.
9. Harden the commercial products supporting the custom application (e.g. turn off the administration console when not in use and block access to it from the Internet).
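For item 6 (and the administration-console point in item 9), here is an added example of monitoring web server logs for application-layer attacks; it is not code from the original post. It parses constructed Apache combined-format lines, URL-decodes each request path repeatedly so double-encoded payloads cannot hide, and matches a few signature rules for SQL injection, path traversal, cross-site scripting and access to an administration console. The log lines, IP addresses, paths and the `/admin` prefix are all assumptions made for the demo.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Mar/2006:03:34:01 +0000] "GET /catalog/item.php?id=42 HTTP/1.1" 200 1532
192.0.2.44 - - [28/Mar/2006:03:34:02 +0000] "GET /catalog/item.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98211
192.0.2.44 - - [28/Mar/2006:03:34:05 +0000] "GET /download.php?file=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1834
198.51.100.7 - - [28/Mar/2006:03:34:09 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 612
192.0.2.44 - - [28/Mar/2006:03:34:12 +0000] "GET /admin/console HTTP/1.1" 403 221
"""

# Fields of a combined-log line that matter here: client IP, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signature rules applied to the fully decoded request path (assumed patterns).
RULES = [
    ("sqli", re.compile(r"""(?:'|")\s*(?:or|and)\s+|union\s+select|;\s*--""", re.I)),
    ("path_traversal", re.compile(r"\.\.[/\\]")),
    ("xss", re.compile(r"<script|javascript:|\bon\w+\s*=", re.I)),
]

# Assumed location of the vendor product's administration console (item 9).
ADMIN_PREFIX = "/admin"


def fully_decode(s, max_rounds=3):
    """URL-decode until the value stops changing, so %252F becomes / too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def parse_line(line):
    """Return the fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return (decoded path, list of rule names that fired)."""
    decoded = fully_decode(path)
    hits = [name for name, rx in RULES if rx.search(decoded)]
    if decoded.startswith(ADMIN_PREFIX):
        hits.append("admin_console")
    return decoded, hits


def scan(log_text):
    """Scan a log and return one finding per (line, rule) pair."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; in production count these, do not drop them silently
        decoded, hits = classify(rec["path"])
        for hit in hits:
            findings.append({"ip": rec["ip"], "category": hit,
                             "path": decoded, "status": rec["status"]})
    return findings


def per_source(findings):
    """Count findings by client IP; repeat offenders stand out immediately."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:14} {f['category']:15} {f['status']} {f['path']}")
    print(per_source(found))
```

Note that the admin console request returned a 403 and still gets flagged: a blocked probe is just as worth knowing about as a successful one, since it tells you someone is looking. Signature rules like these are a starting point, not a WAF; the value of the exercise is that the application (or the server in front of it) is writing logs that make such detection possible at all.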
That should be enough to get you started. Feel free to contact me off-line.
Kind regards,
Gideon
Gideon T. Rasmussen
CISSP, CISA, CISM, SCSA
Charlotte, NC
gideon@...
National Security Awareness Day - September 8, 2006 - Are you aware?
http://www.securityawarenessday.org
Posted: Tue Mar 28, 2006 3:34 am
Copyright © 2002 - 2007 Gideon T. Rasmussen All Rights Reserved.