It starts at home...

A systematic approach is required to stay ahead of the threats that exist in the application space today.

By Clive Brindley, solution architect and pre-sales manager within the BTO business unit at HP Software + Solutions SA.
Johannesburg, 14 Sep 2010

I find it really interesting how often one can draw parallels between activities that seem very different - jobs, careers and events, for example. One such parallel that comes to mind is between flying a plane and managing the security posture of critical business applications: the two are remarkably similar. Let me explain...

As the now six (of the previous four) readers of my monthly Industry Insight will deduce, I love the movies and I'm a keen aviator (not the Aviator, as played by Leonardo DiCaprio, but a very keen one nevertheless). There are other interests I have, but these two are my first loves (beyond my family and friends, of course).

Driving to the recent Air Force 90th anniversary airshow at Swartkops Air Force Base, I started thinking about how the pilots who would be displaying their craft were probably having breakfast and reviewing in their minds their forthcoming sequences, checks and safety procedures.

Cruise control

Flying a plane does not start when you step into the cockpit - it begins when you wake up in the morning. It is all about preparation, planning and attitude. As I watched the Mirage IIICZ fly past, I was thinking about how the pilot was working to stay ahead of the aircraft. At 500 knots, bad things happen very quickly - if you are not ahead of your aircraft, it will get ahead of you and potentially spoil your fun for the day.

The exact same parallel can be drawn to the domain of application security. Having visited a customer recently, it was refreshing to see the preparation, planning and attitude they have adopted in order to manage the security posture of their critical business applications. While they already had numerous security systems, devices and policies in place, they were taking a very serious and methodical approach to how they were securing their applications. Statistics show that 60% to 70% of all major hacks are at the application level, and the numbers are not getting any better.

The types of applications, their complexity and their rate of change make it very challenging to stay ahead of the unethical wrongdoers who exist in the ether of the World Wide Web (not to mention the internal attacks, which happen too). A systematic approach is required to stay ahead of the threats that exist in the application space today. It starts at home as well. Preparation, planning and attitude are part of a holistic approach to managing the security posture of critical business applications.


Here are some guidelines to consider when establishing an application security centre of excellence (COE):

* Define a formal security policy for application development that links into the overall security framework and policy standards for the organisation.
* Develop a training programme for application developers and consider tools that help assess application code as developers build the applications.
* Integrate security testing into the overall application quality management process and tools. Remember the three pillars of application quality need to work together, namely: functionality, performance and security.
* Conduct periodic application security assessments of production applications. Trust me, even if they have been tested in QA, there will be differences in production.
* Deploy advanced, integrated security management solutions/tools to help automate the testing of applications. Do not attempt this alone. Companies do not write their own anti-virus signatures for their desktop and server anti-virus solutions, so why would they do this for critical business applications? Leave it to the experts.
* Develop a risk scoring matrix that can be used for prioritising security testing. Time is always an issue and testing normally takes a back seat (sad but true). So make sure the company is testing the business critical and high risk applications before others.
* Extend the current QA team to include security testing as part of their day-to-day activities. If budget allows, consider dedicated security testers. However, the importance of overall QA integration cannot be overstated.

There are numerous other points to consider, but these are the top-of-mind and most salient ones. There are many legends in the field of aviation - Chuck Yeager, Neil Armstrong and our own Scully Levin, for example. They all have something called 'the right stuff'. Here's your chance to prove yours... Happy flying!
