Application Security Opportunities and Insights

Experts Offer Advice on Where Institutions Can Beef Up Efforts and Be Compliant

Recent Office of the Comptroller of the Currency (OCC) guidance emphasizes the need for stronger application security at financial institutions and their third-party service providers, in order to maintain the integrity of data, mitigate true risks and avoid becoming prime targets for criminal activity. We asked two information security and application security experts why application security plays such an important part in a financial institution's overall security program.

Focus of Application Security
"Organizations need to build security into their applications by adopting security best practices to be considered and incorporated at every stage of the application development life cycle, and by ensuring that security is defined as a requirement in the process," says Jennifer Bayuk, a senior information security management consultant and former CISO at Bear Stearns & Co., Inc., based in Whippany, New Jersey. For applications that have not gone through a security life cycle process, Bayuk suggests reviewing the source code and scanning each component of the web server individually to identify known vulnerabilities. The bottom line, says Bayuk, is to "learn to protect your applications."

Additionally, Bayuk points out:

Gaps are usually found at the requirements stage, in unanticipated uses of the software. Application developers usually do not consider what a motivated hacker or organized crime team will do, and so miss requirements for hardening input handling to ensure that the user is constrained to the intended activity of the application.
Another area where a gap exists is the identification and authentication enrollment process. Key questions to address are: How does a user sign up? What is the re-enrollment process when a user forgets a password? This process needs to be strong so that users are not compromised.
Authorization is another area that needs attention, to ensure that access to resources is granted only to those permitted to use them. The authorization process needs to be robust and checked periodically for vulnerabilities and risks.
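The re-enrollment question above ("what happens when a user forgets a password?") is where many applications are weakest: reset tokens that are guessable, never expire, or can be replayed. The following is an added example, not code from the article or from either expert, showing one way to implement the reset-token half of that process. It assumes an in-memory store standing in for the user database, a 15-minute reset window (an assumed policy), and that the token is delivered out of band (e-mail or SMS) by code not shown here.

```python
"""Added example (not from the article): a password-reset ("re-enrollment")
token lifecycle. Assumptions: an in-memory store stands in for the user
database, TOKEN_TTL_SECONDS is an assumed policy, and the token is delivered
to the user out of band by code not shown here.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute reset window


class ResetTokenStore:
    """Stores only a hash of each reset token, with expiry and single use."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised
        self._pending = {}  # username -> (sha256 of token, expires_at)
        self.events = []  # constructed audit trail for the example

    def issue(self, username: str) -> str:
        # 32 bytes from the OS CSPRNG; never derived from user data or time.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # One outstanding token per user: a new request invalidates the old one.
        self._pending[username] = (digest, self._now() + TOKEN_TTL_SECONDS)
        self.events.append(("reset_issued", username))
        return token  # returned only so the caller can deliver it out of band

    def redeem(self, username: str, presented: str) -> bool:
        record = self._pending.get(username)
        if record is None:
            self.events.append(("reset_rejected", username, "no_pending"))
            return False
        digest, expires_at = record
        candidate = hashlib.sha256(presented.encode()).hexdigest()
        # Constant-time comparison so a wrong token cannot be timed out.
        if not hmac.compare_digest(digest, candidate):
            self.events.append(("reset_rejected", username, "bad_token"))
            return False
        if self._now() > expires_at:
            # Expired tokens are discarded, not left around to be reused.
            del self._pending[username]
            self.events.append(("reset_rejected", username, "expired"))
            return False
        # Single use: remove the token before the password is changed.
        del self._pending[username]
        self.events.append(("reset_accepted", username))
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice")
    print("wrong token accepted:", store.redeem("alice", "not-the-token"))
    print("real token accepted:", store.redeem("alice", t))
    print("replay accepted:", store.redeem("alice", t))
```

Only the hash of the token is stored, so a read of the database does not yield usable reset links; the token is compared in constant time, expires, and is consumed on first use. Rate limiting of reset requests and of redemption attempts, and notifying the account holder, belong alongside this but are outside the snippet.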

Sahba Kazerooni, a senior information security and application security professional at Security Compass, an application security consulting company based in New Jersey, shares his insight on the challenges he has seen and experienced:

Most application security professionals have a strong technical background in coding but fail to understand "true risk" from a security perspective, which makes explaining and justifying the risk process and analysis challenging. The best approach is to train and educate employees and team members working on application security in information security standards and guidelines. They need to understand security and develop the mindset of a criminal or hacker in order to foresee changes and recommend appropriate actions.
Logging and Monitoring - If your application is being attacked, how do you know? Intrusion detection systems exist, but they remain quite immature for applications. Therefore, log files need to be organized and standardized throughout the enterprise.
Configuration Management - Attention needs to be given to how the application is deployed to production. Are cookies distributed securely? Where a third-party vendor is involved, organizations will need to ensure that the vendor follows security best practices and is security aware.
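The two points above, standardized application logs that let you tell when you are being attacked, and deployment checks such as whether session cookies are issued securely, are concrete enough to show in code. The following is an added example, not code from the article or from Security Compass. The log lines are constructed for the example; the JSON field names, event names and thresholds are assumptions standing in for whatever format an enterprise standardizes on, and the cookie check inspects a raw Set-Cookie header value.

```python
"""Added example (not from the article): one standardized JSON-lines
security-event format shared by every application, a small detector run
over it, and a Set-Cookie attribute check for deployment review. The log
lines are constructed; field names, event names and thresholds are
assumptions, not a standard the article names.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

FAIL_WINDOW_SECONDS = 60  # assumption: brute-force window
FAIL_THRESHOLD = 5        # assumption: failures per source in that window
DENY_THRESHOLD = 3        # assumption: distinct denied resources per user

# Constructed sample: every app emits the same fields, so one detector works.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","app":"ebanking","event":"auth_failure","user":"jsmith","src":"198.51.100.7"}
{"ts":"2024-05-01T10:00:03Z","app":"ebanking","event":"auth_failure","user":"mjones","src":"198.51.100.7"}
{"ts":"2024-05-01T10:00:05Z","app":"ebanking","event":"auth_failure","user":"alee","src":"198.51.100.7"}
{"ts":"2024-05-01T10:00:07Z","app":"ebanking","event":"auth_failure","user":"bkim","src":"198.51.100.7"}
{"ts":"2024-05-01T10:00:09Z","app":"ebanking","event":"auth_failure","user":"cdoe","src":"198.51.100.7"}
{"ts":"2024-05-01T10:00:12Z","app":"ebanking","event":"auth_success","user":"jsmith","src":"203.0.113.9"}
{"ts":"2024-05-01T10:01:30Z","app":"wires","event":"authz_denied","user":"jsmith","src":"203.0.113.9","resource":"/admin/limits"}
{"ts":"2024-05-01T10:01:31Z","app":"wires","event":"authz_denied","user":"jsmith","src":"203.0.113.9","resource":"/admin/users"}
{"ts":"2024-05-01T10:01:33Z","app":"wires","event":"authz_denied","user":"jsmith","src":"203.0.113.9","resource":"/admin/audit"}
{"ts":"2024-05-01T10:02:00Z","app":"ebanking","event":"input_rejected","user":"anon","src":"192.0.2.44","field":"acct","reason":"sqli_pattern"}
"""


def parse_log(text):
    """Parse JSON lines; malformed lines are counted, not silently dropped."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            rec["_ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(rec)
        except (ValueError, KeyError):
            bad += 1
    return events, bad


def detect(events):
    """Return (kind, subject, details) findings from standardized events."""
    findings = []
    # Password spraying / brute force: many failures from one source in a window.
    by_src = defaultdict(list)
    for e in events:
        if e.get("event") == "auth_failure":
            by_src[e["src"]].append(e)
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["_ts"])
        for i in range(len(fails)):
            window = [f for f in fails[i:]
                      if (f["_ts"] - fails[i]["_ts"]).total_seconds() <= FAIL_WINDOW_SECONDS]
            if len(window) >= FAIL_THRESHOLD:
                findings.append(("auth_bruteforce", src, sorted({f["user"] for f in window})))
                break
    # Authorization probing: one user repeatedly denied on distinct resources.
    denied = defaultdict(set)
    for e in events:
        if e.get("event") == "authz_denied":
            denied[(e["app"], e["user"])].add(e["resource"])
    for (app, user), resources in denied.items():
        if len(resources) >= DENY_THRESHOLD:
            findings.append(("authz_probing", f"{app}:{user}", sorted(resources)))
    # Input-hardening rejections are attack signal, not just noise to discard.
    for e in events:
        if e.get("event") == "input_rejected":
            findings.append(("input_attack", e["src"], [e.get("reason", "unknown")]))
    return findings


def check_set_cookie(header_value):
    """Return the security attributes missing from one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1)[1] if "=" in p else "")
             for p in parts[1:]}
    missing = [a for a in ("secure", "httponly") if a not in attrs]
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("samesite")
    return missing


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    for finding in detect(evs):
        print(finding)
    print(check_set_cookie("SESSION=abc123; Path=/"))
```

Because every application writes the same fields, the same three rules apply to the e-banking front end and the wire-transfer service alike; with per-application formats each would need its own parser and its own rules, which is the immaturity Kazerooni is describing. The cookie check is the kind of test that belongs in a deployment review for the application and for any third-party vendor's hosted component.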


See also: 6 Tips for Application Security Practitioners
