Monday, August 6, 2007

Why application security matters

Because computers are an important component of any business, they need to:

  • Be reliable.
  • Be able to withstand security attacks.
  • Provide a feeling of confidence to both businesses and individuals that their data is secure.

Source of Attacks.

Workforce mobility is increasing, and consequently, the way in which employees connect to your company’s network is evolving. Employees connect in a number of different ways, including traditional wired connections, new and evolving wireless network standards, and dial-up and broadband virtual private network (VPN) connections. The variety of ways your mobile users connect to your company’s network introduces a number of security concerns.

Applications are becoming increasingly dependent on connections to the Internet for updated data, Web services, and so on. Many businesses also require a persistent connection to the Internet so that they can provide Web sites, File Transfer Protocol (FTP) sites, and Web services. In both cases, the Internet is a potential route to your systems for attackers and viruses.

There are many types of attacks, and explaining them would take many more pages. The point of this article is to introduce secure application development practices. Even if you have the most secure network infrastructure possible, with completely hardened servers, a simple vulnerability in your application (for example, failing to validate input) renders all of that useless.

The Developer Role in Application Security

Solution architects, developers, and systems administration personnel must all work together and take collective responsibility for security.

Developers must adopt good practices that ensure the production of secure software. They must be knowledgeable about security vulnerabilities and how to avoid them, and must have both broad and deep knowledge of security technologies and how to use them to create secure solutions.

Developers must:

  • Work with solution architects and systems administrators to ensure application security
  • Contribute to security by:
      • Adopting good application security development practices
      • Knowing where security vulnerabilities occur and how to avoid them
      • Using secure programming techniques

The SD3 Security Framework

Secure by Design

  • Secure architecture and code
  • Threat analysis
  • Vulnerability reduction

Secure by Default

  • Attack surface area reduced
  • Unused features turned off by default
  • Minimum privileges used

Secure in Deployment

  • Protection: Detection, defense, recovery, management
  • Process: How-to guides, architecture guides
  • People: Training

Secure by Design means that you have taken the appropriate steps to ensure that the overall design of the product is secure from the outset. Include threat modeling at the design phase and throughout the project to identify potential vulnerabilities. Use secure design, coding, and testing guidelines.

Secure by Default means that the product is released so that it is secure out of the box. If features are optional, turn them off by default. If a feature is not activated, then an attacker cannot use it to compromise your product. Ensure that user accounts need only the least amount of privilege to run your application. A compromise then has less serious consequences than if an attacker is able to run malicious code under an account with administrator privileges. Ensure that effective access controls are in place for resources.
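The following is an added illustration of Secure by Default, not code from the original article: a hypothetical service starts with every optional feature off, enables one only on an explicit boolean, and refuses to run under an administrative account. The feature names and function names are assumptions made for the example.

```python
import os

# Hypothetical optional features for an example service. Every one is off
# unless the operator explicitly turns it on.
OPTIONAL_FEATURES = {"ftp_upload": False, "remote_admin": False, "debug_endpoints": False}


def load_features(overrides):
    """Return the effective feature set, starting from the all-off defaults."""
    features = dict(OPTIONAL_FEATURES)
    for name, value in overrides.items():
        if name not in features:
            # Fail closed: an unknown switch is rejected, not silently accepted.
            raise ValueError(f"unknown feature: {name!r}")
        if not isinstance(value, bool):
            # Only a real boolean changes a setting; "yes" or 1 does not.
            raise ValueError(f"feature {name!r} must be True or False")
        features[name] = value
    return features


def attack_surface(features):
    """Names of the features that are reachable in this configuration."""
    return sorted(name for name, enabled in features.items() if enabled)


def check_privileges(euid=None):
    """Refuse to run under an administrative account (uid 0 on Unix)."""
    if euid is None:
        # os.geteuid() exists on Unix only; a Windows build would need its
        # own administrator check, which is not shown here.
        euid = os.geteuid()
    if euid == 0:
        raise PermissionError("refusing to start as root; use a least-privilege account")
    return True


if __name__ == "__main__":
    features = load_features({"ftp_upload": True})  # constructed operator input
    print("enabled features:", attack_surface(features))
    try:
        check_privileges()
        print("privilege check passed")
    except PermissionError as exc:
        print("startup blocked:", exc)
```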

Secure in Deployment means that the system is maintainable after installation. If a product is difficult to administer, it is more difficult to maintain protection against security threats as new ones evolve. Ensure that users are educated to use the system in a secure manner. If a security vulnerability is discovered and a patch is necessary, ensure that the fix is fully tested internally and then issued in a timely manner.

Thank you for your time and interest. This is just a first step in explaining today’s trend in application development, and most of you are already aware of it. Comments and questions are welcome (maneeshpnair@msn.com). Forthcoming articles include Secure Development Process, Threat Modeling, Risk Mitigation and Security Best Practices (visit http://maneeshpnair.spaces.live.com/ , http://maneeshpnair.blogspot.com/ , http://360.yahoo.com/maneeshpnair ).