Application Security

Application Security: The developer’s responsibility

There was a time when developers were concerned only with writing the logic for a given set of requirements, getting that functionality reviewed by the assurance team, working through the feedback and finally releasing the application to production. Now the time has come to get more serious about building security measures into the development process itself. Isn't it obvious? According to various studies, the most common way of attacking a company's assets is through its web applications.

With more digitization on the way, development time is going to come down considerably. Hence there needs to be awareness of the common design and development flaws which, when taken care of in the initial phase, eliminate a major share of the vulnerabilities in an application.

Below are a few things to keep in mind:

1. Plan your user inputs:

Unpatched and unauthorized software is a simple backdoor for exploitation

To prevent security threats, most organizations implement dozens of top-priority security tools. However, unpatched and unauthorized software leaves a backdoor for attackers which can put the business at serious risk. Over the last decade software vulnerabilities have increased drastically. Most security breaches occur by exploiting unpatched operating systems, network equipment and Internet-facing software, including add-ins, browser helper objects and so on. Organizations should maintain a patch management process and review and update it in a timely manner. To prevent potential threats, it is the responsibility of every individual in an organization to cooperate with IT system administrators and allow them to install the latest security patches and hot-fixes as soon as software vendors release them.

Secure your Cloud with a Security Guard - Select those guards carefully!

Do you have a cloud-based SaaS application? If yes, is that SaaS application core to your business? If so, I have the following questions.

(1) How can you enforce your security policies over your cloud connections?
(2) How can you comply with internal and external regulations such as HIPAA, SOX, etc.?
(3) How far can you trust the security controls the service provider offers?
(4) When a user accesses the application in the cloud, how can you get visibility into what they are doing?
(5) How can you ensure that proper authentication and authorization are enforced?
(6) How can you ensure that encryption is enforced for both data in transit and data at rest?

35 Security Stats Websites Should Not Miss

Digital analytics is at the core of business today. What one says is just an opinion if it is not backed by concrete data. Isn't it the same with web application security? Every security professional needs some substantial figures behind the belief that appsec is going to be the most crucial attack vector for public-facing websites. Here are some key stats that your company should not be missing.

Data Breaches

1. 30,000 websites are hacked daily, which means that around 10 million sites are hacked in a year.

2. 32,323 public Indian websites were hacked in 2014, a 14% year-on-year increase.

3. 155 .GOV and .NIC domains were hacked last year.

4. 1,000,000,000 (a billion) personal records were stolen globally last year.

5. Around 75% of data breaches happen at the application layer.

Web Application Pen Testing KPIs

Customers expect web applications to provide significant functionality and data access. Apart from the customer-facing applications, internal web applications have become some of the most commonly used business tools within any organization. Unfortunately, there is no "Patch Tuesday" for custom web applications, and historical data shows that web application flaws play a major role in significant breaches and intrusions. Attackers focus on these high-value targets either by directly abusing Internet-hosted applications or by turning to internal web applications after an initial break-in.

So, to continuously improve the enterprise security posture, effective testing strategies need to be developed, personnel need to be used effectively, and pen test results need to be put to the most effective use in remediating issues and improving processes. The goal of penetration testing is to support business goals, not just to check for random holes.

Typical EVM Delivery Challenges

Winning an assignment is an important milestone in a business cycle, but delivering it to the client's expectations is what makes the business repeat and adds more scope for diversification in length and breadth. Like any delivery unit in a classical IT organization, the Enterprise Vulnerability Management (EVM) group within TCS-ESRM faces the typical delivery challenges. I would like to describe these challenges using a case scenario and to bring to light the additional effort each individual in this unit had to put in (beyond normal levels) to ensure a timely and appreciable result.

40 Applications in 16 Weeks Challenge

The clock was ticking as the TCS-ESRM-EVM team had to complete security assessments of 40 applications in 16 weeks for a reputed customer. Was it a challenge? The answer was "yes" before we started, but later it felt like a learning experience for everybody in the team.

Delivering within timelines, coping with the strange but predictable behaviour of developers, and facing process-related, logical and technical issues were just some items on the long list of challenges. It sounds simple and impressive to say that we overcame the obstacles and delivered the project within timelines, yet it was exceptionally hard to reach that point.

Vulnerability Management - Step 0

Compliance is critical and necessary, not evil. Every organization wants to meet its compliance requirements, and risk assessments and vulnerability management are key to achieving the critical ones.

Most of the time, organizations see vulnerability management as just another checkbox in the pursuit of compliance. They forget or ignore many of its aspects, or they lack the concrete foundations needed to run a well-drilled, well-oiled vulnerability management process, and the process gets complicated or fails mid-way. Our job is to make the process as smooth as possible, and sometimes it is better to start at step 0.

Need for enterprises to have an application-to-application interface security framework

In an enterprise you will obviously find many front-end applications interacting with many back-end applications to expose a business service to the end user. Middleware components such as IBM DataPower, Message Broker and the Enterprise Service Bus (ESB) are a must for implementing a robust Service Oriented Architecture, as they support protocol transformation, security mediation, orchestration and much more.
The count of Application Programming Interfaces (APIs) could easily go beyond 1000; the data flowing through these interfaces could again be a mix of the below
