Application Security is the strategy and actions to prevent security breaches of applications and systems. Because the vast majority of applications are known to have bugs, security issues such as design, development, implementation, and/or deployment flaws, application security is a necessary component of any company’s technology strategy.
In practice, Application Security stands for the use of procedures, software, and hardware to protect applications from external threats. Because more applications are now available over the networks, intranet, and Internet, application security is moving up in the importance of application considerations.
Application Security encompasses the use of software, hardware, and procedures to protect applications from various threats. It’s related to the concept of Information Security, which refers to guarding data, information, and information systems from any kind of unauthorized access, disclosure, modification, or removal.
The purpose of Information Security, in general, is to protect the company’s information assets, as well as confidentiality, integrity, and availability of information. The major components of Information Security are: Confidentiality, Integrity, and Availability—in what’s commonly referred to as the CIA Triad.
Application Security has become a buzz word and its importance grows on a daily basis, affecting anyone involved in technology. Application Security is gaining significance because it’s no longer possible even for those not working in technology to overlook its importance. As security threats gain visibility on the news and media, a company’s executives are forced to face the reality. The more proactive a company is and its management and employees become about Application Security and Information Security, the better the company will do in the future.
Application Security Principles
Following a controlled and principle-based approach to application security involves a number of tasks, which include, but are not limited to:
- Understanding and documenting architecture, design, implementation, and installation of a particular application and its environment
- Understanding the possible threats and security limitations either due to design, coding practices, or the environment in which the application is deployed and utilized
- Working to make sure appropriate coding standards are met to make sure that the application is as secure as possible
- Following the SDLC (System Development Life Cycle)
- Securing networks, databases, servers, and the application itself
- Performing design, architecture, and code reviews with independent groups within the company, such as centralized security groups, if available
- Identifying and establishing the Application Business Owner(s)
- Identifying and establishing the Application IT Owner(s)
- Performance of consistent and regular application and resources entitlement reviews
The list can go on and on, but items listed above need to be followed as the minimum standards for Application Security.
Who Is Responsible?
The ever-lasting question is “Whose job is it really?” It has one simple answer—everyone’s. We are all responsible for making sure that applications are better protected.
What Are We Afraid of?
Threats are everywhere, but when you understand how interconnected applications are within a particular company, you can be more objective in your understanding, assessments, and actions in protecting applications and the company’s data.
Examples of Internal Threats
- Users who try to use applications that they don’t have the proper entitlements to use
- Users who have access to applications but try to perform actions they should not be able to perform
- Users having access to privacy or confidential data regarding the company or its customers, clients, partners, and so on, offering this information to un-related external parties, such as competitors
- Disgruntled employees who are trying to obtain data to get back at their employer
Examples of External Threats
- External hackers trying to hack into systems to steal, damage, or illegally obtain, alter, delete any information.
- Former disgruntled employees whose access may have not been removed to get into systems from outside the firewalls.
No matter what function you hold in the technology industry, no doubt you have been affected by application and information security initiatives in your company. You can be tasked to protect the data, ensure appropriate coding standards, make sure latest security patches are applied on a timely basis, or to turn on logging and auditing controls. All these initiatives are not specific to a particular company or industry, but affect those involved in the field of technology on a daily basis.
Usually, larger companies lead the pack by protecting their systems better, while others follow, but the reality of the more controlled and better secured atmosphere is dictated in many cases by various government and industry-wide regulations as well as general competitive strategies that affect all companies to some extent.
In the world of publicly traded companies, bad publicity is not better than no publicity at all. It results in serious loss of consumer trust and allows loyal customers to flee to direct competitors, and forces companies to pay fines for non-compliance. That’s why so many security and controls initiatives are coming down from a company’s leaderships and affect each and every employee, consultant, vendor, and partner.
As developers, you have mostly been preoccupied with developing robust code that fulfills certain functionality and supports the business as required, working under tight deadlines, swapping hours between multiple projects while management’s directives and priorities often change. It’s been often close to impossible to think about anything else, other than performing a job you are paid to do—develop working code and nothing else. However, these days this is no longer enough.
With management and company leadership on your backs to ensure you are up to the necessary standards of security depending on the industry you are working in, simply creating applications will not allow you to get promoted, get a raise, or to get more responsibilities.
It is a responsibility of everyone in technology to concentrate on security initiatives, and depending on your role, the responsibilities vary, but what’s important to remember, and what many companies are now trying to stress to both new employees and existing ones, is that security is everyone’s business and it’s our job to make sure that our applications and data are secured. Only those who should have access to it have access to it. Security patches are applied to prevent internal and external hacking into the systems, and that those responsible for technological implementations on all levels take security of your systems very seriously.
A number of government regulations and industry standards such as HIPPA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley Act), GLBA (Gramm-Leach-Bliley Act), and CI DSS (Payment Card Industry Data Security Standard) affect how companies do business every day and directly influence how technology is implemented and should be protected and secured.
The Act requires the creation of national standards for transfer of health care data among providers, health insurance companies, and employers. HIPPA has provisions that deal with the security and privacy of health data.
The Act set up standards to be used by all U.S. public company boards, management, and public accounting firms. Particularly, the section on Corporate Responsibility requires senior executives to take personal responsibility in the truthfulness and completeness of the financial reports. The section mandates that the company’s CEO and CFO attest to the accuracy of the financial data reported in the company’s quarterly reports. The section on Enhanced Financial Disclosures requires tighter controls around the company’s financial data and reports and mandates creation of internal controls and audits to protect this data. The Corporate Tax Returns section requires the company’s CEO to sign the company’s tax returns.
The Act’s Financial Privacy Rule provides directives on the collection and disclosure of privacy data (a customer’s financial information). The Safeguards Rule requires all companies to put safeguards in place to protect customer information. Companies are required to have policies that protect customer’s information from security threats. The Act also governs how a customer’s information is gathered and disclosed.
This is a standard that was created by major credit card companies to prevent credit card fraud and protect customers from security threats and vulnerabilities. Companies that process, store, and/or transmit credit card data go through regular audits that confirm whether they are compliant with PCI DSS.
Impact of Regulations and Standards
In summary, these and other regulations make it practically impossible for companies to ignore the security considerations involved in using technology. Because, in many cases, a company’s executive managers have to take full responsibility for the data reported, they need to make sure that the data is absolutely accurate. And, because handling customer Personally Identifiable data is under stringent control from these laws, once again executive management has to put controls and processes in place to safeguard the data as per the regulations. As a result of this, many application security initiatives come down from company’s top management down to all ranks.
In this article, you looked at the definition of Application Security and discussed how it affects companies and technologists. You looked at the legal and regulatory procedures and standards that impact application security. Future articles will look closely at application threats and will discuss what can be done to protect them in greater detail.
About the Author
Irina Medvinskaya has been involved in technology for over 10 years. She has worked on various applications supporting banking, financial, and media companies. She currently works at Guardian Life Insurance Company as a Project Manager, Application Security & Controls.