Dear Friend,
Applications drive the business needs of an organization. Most of these applications, together with the systems that run them and the networks that distribute them, need to be available to the organization on a 24x7 basis. Application security is one area that most organizations need to be concerned about to ensure uninterrupted availability for business continuity. A breach caused by vulnerabilities at the application level and/or in the infrastructure on which it runs can potentially cause loss of intellectual property, a decrease in productivity and potential legal liabilities, and most definitely affects market sentiment towards the organization.

Applications are the topmost layer of the IS infrastructure and are its information processing unit. All other parts of the infrastructure, including networks, operating systems and databases, are enablers. The application controls who uses the system, what authority is available to each class of users, the business rules that need to be processed for any transaction and the data that can be accessed by a user. Today, an increasing number of attacks originate from inside the organization, with 70% of security breaches being attributed to internal users. One of the most common forms of internal attack is misuse of application security. If you as a company are concerned about internal attacks, application security has to be at the top of your agenda.
To know how you can protect your organization's invaluable assets, an application security policy needs to be developed and audits undertaken on a regular basis. In this month's article, we explain what an application security audit comprises and how it is carried out.
Chief Executive Officer
Application Security Audit
Applications are the topmost layer of the IS infrastructure and are its information processing unit. All other parts of the infrastructure, including networks and operating systems, are enablers for the application. Typically, applications are not developed with security built in, which leaves them vulnerable to security breaches. A security breach in the application could lead to extremely high losses. To protect against such breaches, the gaps and vulnerabilities in the application need to be identified and plugged, either using technology controls or using administrative controls.

The first step towards securing an application is to identify the weak points in the application and its underlying infrastructure. Such an exercise helps focus the efforts of the security exercise and strengthens the application.
An Approach for Application Security Audit
To understand the weaknesses, one must first understand the system inside out. The study must take into consideration inputs from top management, business owners, the IS team and business users. This helps in understanding the workflows within the application as well as its architecture.

Subsequently, the various areas of the application, such as data storage, access control, checks for data integrity, and interfaces with other applications and devices, must be studied in detail. The aspects considered under each of these depend on the exact nature of the application, i.e. whether it is an intranet, e-commerce, client-server or host-centric application.
The database connected to the application should also be considered; among the aspects to be taken into consideration are its authentication policies and authorization parameters.
An application is only as secure as the host on which it resides. The host must be scanned using commercial or enhanced open source tools to identify vulnerabilities. Among other things, the host should be scanned for improper file and directory shares, registry settings and weak passwords.
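The host checks described above, as an added example that is not the newsletter's own code or tooling: a small Python audit that builds a constructed directory tree under a temporary directory with deliberately weak modes, walks it and reports world-writable and setuid/setgid entries, and then reviews constructed shadow-style account records for empty password fields and passwords that never expire. All paths, account names, hash placeholders and the 90-day age threshold are assumptions made for illustration.

```python
"""Added example (not the newsletter's own code): a minimal host permission
and account audit of the kind the article recommends. The directory tree,
account records and thresholds are constructed for illustration."""
import os
import stat
import tempfile


def build_sample_tree(root):
    """Create a constructed tree whose permissions a host scan should flag.
    Modes are set with chmod so the process umask cannot mask them."""
    for sub in ("shared", "private", "bin", "tmp"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    for rel in ("shared/report.txt", "private/secret.txt", "bin/tool"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample content\n")
    os.chmod(os.path.join(root, "shared"), 0o777)                # world-writable, no sticky bit
    os.chmod(os.path.join(root, "shared", "report.txt"), 0o666)  # world-writable file
    os.chmod(os.path.join(root, "tmp"), 0o1777)                  # world-writable but sticky, like /tmp
    os.chmod(os.path.join(root, "private"), 0o750)               # acceptable
    os.chmod(os.path.join(root, "private", "secret.txt"), 0o640)  # acceptable
    os.chmod(os.path.join(root, "bin", "tool"), 0o4755)          # setuid executable


def audit_permissions(root):
    """Walk root and return sorted (severity, relative path, description) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                      # the link target is judged on its own
            mode = stat.S_IMODE(st.st_mode)   # permission bits incl. suid/sgid/sticky
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                if stat.S_ISDIR(st.st_mode):
                    if mode & stat.S_ISVTX:
                        findings.append(("LOW", rel, "world-writable directory (sticky bit set)"))
                    else:
                        findings.append(("HIGH", rel, "world-writable directory without sticky bit"))
                else:
                    findings.append(("HIGH", rel, "world-writable file"))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("MEDIUM", rel, "setuid/setgid bit set"))
    return sorted(findings)


def run_demo():
    """Build the constructed tree in a fresh temp dir and return its findings."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    build_sample_tree(root)
    return audit_permissions(root)


# Constructed shadow-style records (name:hash:lastchg:min:max:warn:inactive:expire).
# The hash fields are placeholders, not real password hashes.
SAMPLE_SHADOW = [
    "root:$6$PLACEHOLDER$notarealhash:19000:0:90:7:::",
    "svc_backup::19000:0:99999:7:::",
    "app:$6$PLACEHOLDER$notarealhash:19000:0:99999:7:::",
    "guest:!:19000:0:99999:7:::",
]


def audit_accounts(lines, max_age_days=90):
    """Flag accounts with an empty password field or a password max age
    above the (assumed) policy threshold; locked accounts are skipped."""
    findings = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 5 or not fields[0]:
            continue
        user, pw, max_age = fields[0], fields[1], fields[4]
        if pw == "":
            findings.append(("HIGH", user, "empty password field: login without a password"))
            continue
        if pw.startswith(("!", "*")):
            continue                          # locked account, nothing to age
        if not max_age.isdigit() or int(max_age) > max_age_days:
            findings.append(("MEDIUM", user, "password max age exceeds %d days" % max_age_days))
    return findings


if __name__ == "__main__":
    for finding in run_demo() + audit_accounts(SAMPLE_SHADOW):
        print("%-6s %-20s %s" % finding)
```

The permission walk deliberately treats a world-writable directory with the sticky bit as a low-severity note rather than a defect, since that is the normal shape of a scratch directory; the account check stops at the empty-password and never-expires cases because those are visible in the record itself without any guessing.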
Apart from the above aspects, the processes followed for development, maintenance, support, operations and disaster recovery must be reviewed and compared against security best practices and BS 7799/ISO 17799.
The existing security policies and controls implemented in the application and infrastructure must be compared with security standards such as BS 7799/ISO 17799. The gaps in the existing scenario need to be identified and an action plan made to rectify them.