Code surety: Secure by design

Powered by SC Magazine
 
Page 1 of 4 | Single page

Total security of applications is probably a pipe dream. However, starting a secure design framework today will markedly improve applications in the future, reports Deb Radcliff.

Applications are anything but static. They may start out with one set of functions, then elements are added on and merged with other applications. As they grow more complex, their vulnerability density increases – a particular problem for applications hosted on the web and migrating to the cloud.

“Web applications are the top attack target because they're so difficult to protect,” says Jim Manico, volunteer connections committee chair for the Open Web Application Security Project (OWASP), and VP of security architecture for WhiteHat Security. “Today, cloud deployment is all web driven, meaning cloud and web application vulnerabilities are on a direct collision course.”

Developing a “secure by design” framework for these technologies is challenging enough, says Michael Coates, volunteer OWASP chair and director of security assurance for Mozilla. Once developing organizations get their new applications under a trusted framework, the next hurdle is maintaining a safeguard posture as those applications change over time and move into the cloud.

Already struggling to ensure their web applications are protected, the majority of security and compliance professionals believe the current trend of deploying to the cloud invites further vilnerabilities, according to a 2011 data security in the cloud survey of 1,000 security and compliance by the Ponemon Institute and encryption vendor Vormetric. In the survey, less than 40 percent of respondents trust their own technologies to secure their sensitive data in the cloud – and less than one-third encrypt their sensitive data in the cloud.

Further, encryption is a cornerstone design point that should be considered in applications with sensitive data, yet it is one of the most difficult processes to achieve in the cloud, say experts.

What other elements are needed in a secure design plan? It depends on who you ask, what vertical industry they are in, what type of cloud or web services they're designing, and so much more, say Manico and Coates at OWASP.

However, there are several common design areas to focus on that apply to both web and cloud applications. This includes gathering business requirements; development and testing; access, authentication and data protection; configuration and zoning; visibility; and maintenance and continuity.

Next: Development

Copyright © SC Magazine, US edition


Code surety: Secure by design
 
 
 
Top Stories
Slow progress in Turnbullistan
[Blog post] How has the NBN moved ahead since regime change?
 
Hacks and frauds can't dampen Bitcoin buzz
[Blog post] Enthusiasts meet in Melbourne.
 
Qantas checks in with cloud computing
Impressed with results of public cloud bake-off.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  23%
 
Application integration concerns
  3%
 
Security and compliance concerns
  31%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  24%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 545

Vote