Code surety: Secure by design

Powered by SC Magazine
 
Page 1 of 4 | Single page

Total security of applications is probably a pipe dream. However, starting a secure design framework today will markedly improve applications in the future, reports Deb Radcliff.

Applications are anything but static. They may start out with one set of functions, then elements are added on and merged with other applications. As they grow more complex, their vulnerability density increases – a particular problem for applications hosted on the web and migrating to the cloud.

“Web applications are the top attack target because they're so difficult to protect,” says Jim Manico, volunteer connections committee chair for the Open Web Application Security Project (OWASP), and VP of security architecture for WhiteHat Security. “Today, cloud deployment is all web driven, meaning cloud and web application vulnerabilities are on a direct collision course.”

Developing a “secure by design” framework for these technologies is challenging enough, says Michael Coates, volunteer OWASP chair and director of security assurance for Mozilla. Once developing organizations get their new applications under a trusted framework, the next hurdle is maintaining a safeguard posture as those applications change over time and move into the cloud.

Already struggling to ensure their web applications are protected, the majority of security and compliance professionals believe the current trend of deploying to the cloud invites further vilnerabilities, according to a 2011 data security in the cloud survey of 1,000 security and compliance by the Ponemon Institute and encryption vendor Vormetric. In the survey, less than 40 percent of respondents trust their own technologies to secure their sensitive data in the cloud – and less than one-third encrypt their sensitive data in the cloud.

Further, encryption is a cornerstone design point that should be considered in applications with sensitive data, yet it is one of the most difficult processes to achieve in the cloud, say experts.

What other elements are needed in a secure design plan? It depends on who you ask, what vertical industry they are in, what type of cloud or web services they're designing, and so much more, say Manico and Coates at OWASP.

However, there are several common design areas to focus on that apply to both web and cloud applications. This includes gathering business requirements; development and testing; access, authentication and data protection; configuration and zoning; visibility; and maintenance and continuity.

Next: Development

Copyright © SC Magazine, US edition


Code surety: Secure by design
 
 
 
Top Stories
Microsoft confirms Australian Azure launch
Available from next week.
 
NBN Co names first 140 FTTN sites
National trial extended.
 
Cloud, big data propel bank CISOs into the boardroom
And this time, they are welcome.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  27%
TOTAL VOTES: 257

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  62%
 
No
  38%
TOTAL VOTES: 82

Vote