4. Application Security - Understanding the Problem
Info Security Landscape
[Diagram labels: Desktop, Transport, Network, Web Applications; Antivirus Protection, Encryption (SSL), Firewalls / IDS / IPS; Firewall, Web Servers, Databases, Backend Server, Application Servers; Secure Infrastructure; Weakest link]
5. Building Security Into the Development Process
*Graphics from OWASP.com
Production
• Test existing deployed apps
• Eliminate security exposure in live applications
Deploy
• Test apps before going to production
• Deploy secure web applications
Test
• Test apps for security issues in QA organization along with performance and functional testing
• Reduce costs of security testing
Development
• Test apps for security issues in Development identifying issues at their earliest point
• Realize optimum security testing efficiencies (cost reduction)
Define/Design
• Security requirements, architecture, threat modeling, etc.
6. Application Security Adoption Within the SDLC
[Chart labels: "Difficulty & Cost of Test" (Low to High); "Criticality & Risk of App." (Low to High); "% Applications Tested"; Phase 1, Phase 2, Phase 3; Security Team, QA Team, Development Team]
7. Educating Developers and Getting “Buy in”
• Establish security accountability and standards for shipping
• Create a “security architect” role
• Create a security community of practice
• Create a secure development portal or wiki
• Conduct hacking demos to demonstrate risks
• Online & offline courses for secure coding
• Put developers through secure coding exams
• Security reviews of real applications
• Pay premiums for security architects
8. Security Framework
Security Governance, Risk Management and Compliance
WorleyParsons Security Framework
External Representation
Network, Server, and End-point
Physical Infrastructure
People and Identity
Data and Information
Application and Process
Managed Security Services
Security Hardware and Software
Professional Services
Physical Security Solutions
Security Governance, Risk & Compliance Solutions
Threat and Vulnerability Mgmt & Monitoring Solutions
Application Security Lifecycle Mgmt Solutions
Identity and Access Management Solutions
Information Security Solutions
9. Application Security Process Framework
Verify In Production Applications
Design, Develop, Test, and Verify Secure Apps
Educate IT Professionals
Maintain and Publish Policies and Guidelines
Respond to Security Exposure Incidents
Apply Lessons Learned
10. Application Management – Secure Infrastructure
NETWORK HOST APPLICATION ACCOUNT TRUST
Architecture
Transport
Network device
Access control list (ACL) permission settings
Operating system
Services
Internet Information Services (IIS)
Simple Mail Transfer Protocol (SMTP)
File Transfer Protocol (FTP)
NetBIOS/Remote procedure call (RPC)
Terminal Services
Microsoft SQL Server
Input validation
Clear text protocol
Authentication
Authorization
Cryptography
Auditing and logging
Unused accounts
Weak or blank passwords
Shared accounts
Access privileges
Rogue trusts
11. Application Layer Requirements
• Input validation
• Session management
• Authentication and authorization
• Design and code review
• Application and server error handling
• Application auditing and logging
• Application backup and restore
• Private data encryption
12. Common Application Development Issues
• User input validation
• Cookies, authentication, and access
• Passwords
• Access control lists
• COM+ application configuration
• Auditing and logging