Application Security Opportunities and Insights
Experts Offer Advice on Where Institutions Can Beef Up Efforts and be Compliant
A recent Comptroller of the Currency (OCC) guidance emphasizes the need for stronger application security within financial institutions and their third-party service providers, to maintain the integrity of data, mitigate true risks and avoid becoming prime targets for criminal activity. We queried two information security and application security experts, who offered their perspectives on why application security plays such an important part in a financial institution's overall security program.
Focus of Application Security
"Organizations need to build security into their applications by adopting security best practices to be considered and incorporated at every stage of the application development life cycle and by ensuring that security is defined as a requirement in the process," says Jennifer Bayuk, a senior information security management consultant and former CISO at Bear Stearns & Co., Inc., based in Whippany, New Jersey. For applications that have not gone through the security life cycle process, Bayuk suggests reviewing the source code and scanning each component of the web server individually to identify known vulnerabilities. The bottom line, says Bayuk, is to "learn to protect your applications."
Additionally, Bayuk points out:
Gaps are usually found at the requirements stage, in unanticipated uses of the software. Application developers usually do not consider what a motivated hacker or organized crime team will do, and so miss requirements for hardening the input to ensure that the user is kept within the intended activity of the software application.
Another area where a gap exists is the identification and authentication enrollment process. Key issues to be addressed are: How does a user sign up? What is the re-enrollment process when a user forgets a password? This process needs to be strong so that users are not compromised.
Authorization is another area that needs attention, to ensure that access to resources is granted only to those permitted to use them. The authorization process needs to be robust and checked periodically for vulnerabilities and risks.
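The three gaps Bayuk describes (input hardening at the requirements stage, the enrollment and re-enrollment process, and authorization) can be illustrated in a small account service. The following Python module is an added example written for this page; it is not code from the article, from Bayuk or from any institution it mentions. It assumes constructed in-memory stores in place of a database, a hypothetical set of roles (customer, teller, admin) and an illustrative PBKDF2 iteration count; the design points it shows are allowlist validation of sign-up input, a single-use, time-limited reset token whose hash alone is stored and whose issuance looks identical for unknown accounts, and deny-by-default authorization.

```python
import hashlib
import hmac
import os
import re
import secrets
import time

# Constructed, in-memory stores for the example; a real system would use a database.
USERS = {}          # username -> {"salt": bytes, "hash": bytes, "role": str}
RESET_TOKENS = {}   # sha256(token) -> {"username": str, "expires": float}

RESET_TTL_SECONDS = 15 * 60
# Allowlist for usernames: describe what valid input looks like and reject the rest
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")

def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 with a per-user random salt; the iteration count is illustrative
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def enroll(username, password, role="customer"):
    """Sign-up: refuse anything outside the allowlist instead of trying to sanitize it."""
    if not USERNAME_RE.fullmatch(username):
        return False
    if len(password) < 12 or username in USERS:
        return False
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}
    return True

def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        # Do the same amount of work for unknown users so timing does not reveal existence
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

def request_reset(username, now=None):
    """Re-enrollment, step 1: issue a single-use, time-limited token.
    The returned value looks the same whether or not the account exists, so the
    flow cannot be used to enumerate accounts. The token itself would be delivered
    out of band (e-mail/SMS); only its hash is kept server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    if username in USERS:
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
            "username": username, "expires": now + RESET_TTL_SECONDS}
    return token

def complete_reset(token, new_password, now=None):
    """Re-enrollment, step 2: consume the token exactly once, and only if unexpired."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None or now > rec["expires"] or len(new_password) < 12:
        return False
    salt = os.urandom(16)
    USERS[rec["username"]].update(salt=salt, hash=_hash_password(new_password, salt))
    return True

# Authorization: each role lists the (resource, action) pairs it may use; all else is denied.
# The roles and resources are constructed for the example.
PERMISSIONS = {
    "customer": {("own_account", "read"), ("own_account", "transfer")},
    "teller":   {("own_account", "read"), ("any_account", "read")},
    "admin":    {("own_account", "read"), ("any_account", "read"), ("any_account", "freeze")},
}

def authorize(username, resource, action):
    """Deny by default: an unknown user, an unknown role or an unlisted pair is refused."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return (resource, action) in PERMISSIONS.get(rec["role"], set())
```

The `now` parameter exists so the expiry logic can be exercised deterministically; production code would simply use the clock. Note that the reset token is never stored in clear: a leaked copy of `RESET_TOKENS` does not let anyone complete a reset, and a token that has been consumed or has expired is rejected even if it is replayed.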
Sahba Kazerooni, a senior information security and application professional at Security Compass, an application security consulting company based in New Jersey, shares his insight on challenges seen and experienced: