Create 3D security for your web and mobile apps
Enterprise applications are the primary source of an organization’s critical assets and processes. As a result, these applications are becoming the primary target for attackers, and in the face of more sophisticated and numerous breaches this makes software security more important than ever. Unfortunately, many organizations restrict themselves to application security testing and network penetration testing to mitigate these threats. That process only mitigates threats from an external agent and leaves applications exposed to multiple internal threats. As a result, organizations operate under a false sense of security and leave their systems open to breaches.
The purpose of this blog is to answer the following questions:
- What is the security awareness quotient of your developers?
- Does your current process ensure security of the application?
- How do you ensure application and data security after it is decommissioned?
What can your organization do?
Many organizations' software security programs focus on pre-deployment penetration testing, late in the Software Development Life Cycle (SDLC), with the aim of detecting implementation bugs and bolting on security controls. However, organizations are now learning that software security needs to be integrated within the development process, with preventive measures established early in the SDLC to prevent flaws from the start.
Internal threats include a malicious developer, privilege abuse, logic bombs, data theft and so on. Controlling these threats requires security that goes beyond technology and covers the process around application development. Enter the Software Security Assurance Program (SSAP), a process that addresses this issue through a systematic and structured approach. SSAP ensures three-dimensional security of the application, covering people, process and technology. The framework provides direction on the security controls required, based on the application's category and, most critically, its importance to the business and the organization.
How does SSAP work?
SSAP begins with setting up a governance structure for application security through policies and clearly defined roles and responsibilities for the teams involved. Elements of the program include Governance, Intelligence, Secure Software Development Lifecycle Touchpoints and Deployment. Through SSAP, every phase of the application (development, testing and maintenance) is made secure. Application security can be tailored to the organization depending on the business and regulatory requirements identified. Then, based on those requirements, the application architecture is designed so that all possible security threats are protected against.
Awareness and training
Before the development phase begins, all application developers need to be made security aware and trained on secure coding practices that can be applied in the development phase. Segregation of duties and of environments during development and testing is taken care of through this program. Technical security controls such as secure source code review, application security testing and application architecture review are performed at the testing or UAT phase. At this stage the required processes for controlled changes to the application and controlled deployment are defined. Once the application is live in a production environment, the technical and process security controls to be performed are identified. Most organizations tend to ignore the security threats to an application once it is decommissioned, a stage SSAP is designed to cover as part of the process.
What are the benefits?
Organizations that incorporate a software security program into their existing system can cash in on the following benefits:
- Reduced cost on security initiatives during application development
- Better turnaround time for application releases
- Improved security awareness amongst application stakeholders
- Multi-layer (application, infrastructure and network) security for the application
- Automatic SOX compliance