Join Mike Chapple for an in-depth discussion in this video Application security, part of CISSP Cert Prep: 8 Software Development Security (2015).
- [Instructor] The world runs on software. Applications control almost every aspect of our lives, ranging from the software that flies airplanes to applications that dispense money through ATMs. Software developers work hard every day to bring automation and integration to many aspects of our lives. Our increasing dependence on software makes it increasingly important that we use software that is known to be secure and reliable. Recent news items have underscored the importance of software security.
In one case, a computer security researcher allegedly hacked into the navigation system of an airplane through the in-seat entertainment system and caused the plane to briefly fly sideways. It's fortunate that his motivations weren't sinister. If he truly had control of the aircraft's flight mechanisms, he could just as easily have crashed a plane. And hardly a day goes by that we don't see announcements of major application security vulnerabilities that threaten the confidentiality, integrity, and availability of information and systems that we manage.
The details of software security vary quite a bit depending upon how organizations acquire their software. In many cases we purchase software from known vendors like Microsoft, Adobe, and Oracle. In other cases we develop our own software, customized to meet our specialized business needs. We have security responsibilities in either case. Application Hardening is one of the core principles of software security. Cyber security experts must carefully test software to ensure that it is locked down as much as possible and safe against attacks.
Some of the key principles of Application Hardening are ensuring that applications use proper authentication to validate the identity of users, that applications encrypt any sensitive data so that attackers can't read it by accessing the underlying storage directly, ensuring that applications validate any user input to ensure that it does not contain dangerous code that might jeopardize the security of the software or underlying computing infrastructure, and ensuring that applications are not vulnerable to any known exploits and that, when exploits are discovered, they are promptly corrected.
One of the ways that organizations correct software vulnerabilities is promptly applying security patches after they are released by software vendors. Developers of major applications frequently receive reports of security issues in their software and issue corrective patches designed to prevent future attackers from exploiting the vulnerability. Once knowledge of a vulnerability becomes public, organizations that still run the unpatched code are especially vulnerable to attack because the news is out there and attackers may actively seek out organizations that are slow to correct security problems.
Application patch management is a critical security control. Organizations also often have quite a bit of control over the configuration of application security settings. For example, when an organization runs a complex Enterprise Resource Planning, or ERP, system, they often make configuration choices, such as the type and scope of encryption used on disks containing ERP data, the users who will have access to the ERP and the authentication techniques they will use to connect, the scope of access authorized for each user who has access, and the security of the databases, servers, networks and other infrastructure supporting the application.
Configuring all of these settings is a complex undertaking and involves many different configuration parameters. One of the best ways that organizations can manage this difficult problem is through the use of configuration baselines that allow a quick comparison between the current settings and the desired security profile. If the current settings deviate from the security standard baseline, administrators may then take action to remediate the vulnerability and restore the application to its secure baseline.
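The baseline comparison described above, as an added example that is not part of the original video transcript: a Python sketch that flattens nested settings and reports every deviation as changed, missing, or unexpected. The setting names and values are constructed for a hypothetical ERP deployment and do not come from any real product.

```python
"""Compare an application's current settings against a security baseline."""

# Constructed baseline for a hypothetical ERP deployment (assumed names/values).
BASELINE = {
    "disk_encryption": {"enabled": True, "algorithm": "AES-256"},
    "authentication": {"mfa_required": True, "min_password_length": 14},
    "access": {"default_role": "read-only", "admin_users": ["erp-admin"]},
    "database": {"tls_required": True},
}

# Constructed "current" settings that have drifted from the baseline.
CURRENT = {
    "disk_encryption": {"enabled": True, "algorithm": "AES-128"},
    "authentication": {"mfa_required": False, "min_password_length": 14},
    "access": {"default_role": "read-only", "admin_users": ["erp-admin", "jsmith"]},
    "debug": {"remote_console": True},
}


def flatten(settings, prefix=""):
    """Turn nested dicts into {'section.key': value} so paths compare directly."""
    flat = {}
    for key, value in settings.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def find_drift(baseline, current):
    """Return (path, kind, expected, actual) for every deviation, sorted by path."""
    want, have = flatten(baseline), flatten(current)
    drift = []
    for path in sorted(want.keys() | have.keys()):
        if path not in have:        # required setting is absent
            drift.append((path, "missing", want[path], None))
        elif path not in want:      # setting the baseline never approved
            drift.append((path, "unexpected", None, have[path]))
        elif want[path] != have[path]:
            drift.append((path, "changed", want[path], have[path]))
    return drift


if __name__ == "__main__":
    for path, kind, expected, actual in find_drift(BASELINE, CURRENT):
        print(f"{kind:10} {path}: baseline={expected!r} current={actual!r}")
```

Settings that appear only in the current configuration are reported as well, since an option the baseline never approved is also a deviation an administrator needs to review.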
- Learning about different software development methodologies
- Operation, maintenance, and change management
- Understanding cross-site scripting
- Preventing SQL injection
- Overflow attacks
- Malicious add-ons
- Secure coding practices
- Code signing
- Risk analysis and mitigation
- Software testing
- Acquired software