Carney: How to Create an Effective Application Security Program
Before rolling out a corporate application security program, consider these elements a part of your strategy.
By Mark Carney, Fishnet
October 15, 2007, CSO
The arena of application security continues to top CSOs' lists of challenges. Most organizations still seem to take a tactical approach to securing the applications within their enterprises. A very common path organizations take in protecting applications is to acquire an application-layer scanning tool or an application firewall. This tactical approach has driven the focus toward application vendor tools and solutions, and toward technical application vulnerabilities (e.g. SQL injection and XSS) and attack vectors catalogued by organizations such as the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC). Although OWASP and WASC are excellent resources for the application security community, and application security tools and solutions are essential and maturing, a more strategic approach is necessary to build a holistic application security program.
Over the course of six months, a comprehensive list of application security program "elements" has been collected by interviewing numerous CSOs and application developers and soliciting feedback from over 125 security professionals. Before rolling out a corporate application security program, consider these elements a part of your strategy.
Elements of the Application Security Initiative
* Application & Information Inventory
* Meeting and Maintaining Compliance Requirements
* Developing Internal Application Security Standards
* Establishing Initiative Sponsor & Owners
* Internal IT Audit Function
* Defining Methods of Application Security Due Diligence
* Performing Due Diligence on Affiliates/Business Partner Applications
* Outsourcing vs. Insourcing
* Prioritization of Applications & Frequency of Testing
* Training & Staffing Requirements
* Application Solutions & Tools
* Automated vs. Manual Review Process
* Remediation Procedures
* Reporting & Documentation
Application & Information Inventory
The starting point of an application security initiative is to complete an inventory of all applications within the enterprise. Compile a spreadsheet of the number of applications, the type of each application, the middle-tier software, and the database technologies that exist across all facets and business units of the organization. By understanding the business purpose of each application and the information/data that flows through it, you can start developing protection strategies and standards that will secure your organization's most critical data.
Meeting and Maintaining Compliance Requirements
As a CSO, one of the first steps in developing an application security program is to understand your organization's responsibility for meeting application-related standards or compliance requirements. Recently, the Payment Card Industry (PCI) Data Security Standard (DSS) version 1.1 specifically stated two significant application-focused requirements. DSS requirement 11.3.2 states that companies must conduct annual "application-layer penetration tests," and requirement 6.6 states that organizations need to "ensure all web-facing applications are protected against known attacks" by either "installing an application layer firewall" or "having all custom application code reviewed for common vulnerabilities" by June 30, 2008. These types of application security related requirements must be identified as you begin to develop your application security program.
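As an added example, and not code from the article or from Fishnet, the following Python sketch turns the inventory described in the previous section and the two PCI DSS requirements cited above into something you can query: a record per application, the counts the spreadsheet would hold, and the DSS requirements that attach to each record. The application records are constructed sample data, and the scoping rule (an application is in scope when it handles cardholder data) and the prioritization rule (regulated data first, internet-facing first) are assumptions for illustration, not text from the standard.

```python
"""Application inventory with compliance tagging (added example; the records
below are constructed sample data, not real systems)."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class AppRecord:
    name: str
    business_unit: str
    app_type: str          # e.g. "web", "thick-client", "batch"
    middle_tier: str       # e.g. "Java EE", ".NET", "PHP"
    database: str
    data_classes: set      # e.g. {"PII", "cardholder"}; empty for public data
    internet_facing: bool
    custom_code: bool      # written in-house vs. a vendor package


# Constructed sample inventory
INVENTORY = [
    AppRecord("storefront", "retail", "web", "Java EE", "Oracle",
              {"cardholder", "PII"}, True, True),
    AppRecord("payroll", "hr", "web", ".NET", "SQL Server",
              {"PII"}, False, False),
    AppRecord("nightly-settlement", "finance", "batch", "COBOL", "DB2",
              {"cardholder"}, False, True),
    AppRecord("marketing-site", "marketing", "web", "PHP", "MySQL",
              set(), True, True),
]


def summarize(inventory):
    """Counts by type, middle tier and database, as the spreadsheet would show."""
    return {
        "total": len(inventory),
        "by_type": dict(Counter(a.app_type for a in inventory)),
        "by_middle_tier": dict(Counter(a.middle_tier for a in inventory)),
        "by_database": dict(Counter(a.database for a in inventory)),
    }


def pci_obligations(app):
    """Map one application to the two PCI DSS v1.1 requirements the article cites.

    Scoping is an assumption for illustration: an application is treated as in
    scope when it handles cardholder data. 11.3.2 (annual application-layer
    penetration test) then applies; 6.6 (application-layer firewall or review
    of custom code) applies additionally to web-facing applications.
    """
    obligations = []
    if "cardholder" not in app.data_classes:
        return obligations
    obligations.append("11.3.2: annual application-layer penetration test")
    if app.internet_facing and app.app_type == "web":
        option = "custom code review" if app.custom_code else "application-layer firewall"
        obligations.append(f"6.6: application-layer firewall or {option}")
    return obligations


def critical_apps(inventory):
    """Applications to address first under an assumed rule: those carrying
    regulated data, with internet-facing ones ahead of internal ones."""
    regulated = [a for a in inventory if a.data_classes]
    return sorted(regulated, key=lambda a: (not a.internet_facing, a.name))


if __name__ == "__main__":
    print(summarize(INVENTORY))
    for app in critical_apps(INVENTORY):
        print(app.name, pci_obligations(app))
```

Running the script prints the counts and, for each regulated application, the requirements it carries; in practice the records would be loaded from the inventory spreadsheet rather than hard-coded, and the scoping rule would be replaced with whatever your QSA agrees defines the cardholder data environment.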