Application security in large enterprises
2013. Application security is essential in large enterprises. This article discusses how to approach it and lists practical guidelines for making an application secure.
Application Security:
Web applications are a central part of day-to-day business: they handle your intellectual property, drive sales and hold the trust of your customers. The problem is that applications are fast becoming the preferred attack vector for attackers, so you need a deliberate approach to keeping them secure.
Given the persistence of today's attacks, applications are easily compromised when security is not considered and scoped into each phase of the software development life cycle, from design through development and testing to ongoing maintenance. Taking a holistic approach to application security improves your ability to produce and manage stable, secure applications. Development teams need security training, and applications need testing by experienced ethical hackers, backed by a realistic plan for fixing what is found; together these help an organization plan, build, test and run applications safely.
Application Security in Large Enterprises:
Large enterprises of a thousand people or more have distinctly different information security architectures from smaller companies, yet many still manage their information security as if they were small companies.
The sections below set out to show not only that large companies run an entire ecology of specialized software, built for large companies and their needs, but that this software has different security implications than consumer or small-business software. Recognizing these differences, and examining how an attacker can take advantage of them, is the key to both attacking and defending a large enterprise. Covering the security procedures of a large enterprise therefore matters a great deal.
“AppScan helped us create a self-service model. We could take the product and put it in the hands of the developers and QA testers so that they could identify and fix security vulnerabilities before production.” —Sujata Ramamoorthy, Director, Information Security, Cisco
Make your Application Secure:
1. Guard against malicious input
If the queries in your code execute directly against user input, a user can supply malicious input that does nasty things to your database (SQL injection). Never build a query by concatenating user input into the SQL text; use parameterized queries so the database treats the input as data, not as part of the statement.
Passing identifiers such as a user ID through URLs may make the application easier to write, but keep in mind what happens if a user substitutes the admin's ID for their own and proceeds through the system. Authorization must be checked on the server for every request, against the authenticated session, never inferred from what the client sends.
Always validate user input: check that it is within the expected boundary conditions and free of any special characters you cannot process. If your system accepts HTML uploaded by users, make sure it does not contain scripts. Stripping SCRIPT blocks from such input is not enough on its own, because script can also be carried in event-handler attributes and javascript: URLs; either encode the content on output or run it through an allowlist-based HTML sanitizer.
Put a limit on your server on how fast and how many requests it accepts from one client. This guards against denial-of-service attacks in which a single client repeatedly requests your server until it is starved of resources and eventually fails.
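The four points above, shown as working code. This is an added example, not code from the original article: the orders table, user names and thresholds are constructed for the demonstration, and the rate limiter takes the clock as a parameter so its behaviour can be checked deterministically.

```python
"""Added example (not from the original article): SQL injection, insecure direct
object reference, naive script stripping and request rate limiting, each shown as
the weak version beside a hardened one. All data below is constructed in memory."""
import collections
import html
import re
import sqlite3


def build_db():
    """Constructed sample table: each order belongs to one owner."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, detail TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "alice order"), (2, "bob", "bob order"), (3, "admin", "payroll export")],
    )
    return conn


def vulnerable_lookup(conn, order_id):
    """Concatenates the URL parameter into the SQL text; '1 OR 1=1' dumps every row."""
    sql = "SELECT detail FROM orders WHERE id = " + order_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


ORDER_ID = re.compile(r"[0-9]{1,9}")


def safe_lookup(conn, current_user, order_id):
    """Validate the parameter's shape, bind it as data, and authorise inside the query."""
    if not ORDER_ID.fullmatch(order_id):
        return None
    row = conn.execute(
        "SELECT detail FROM orders WHERE id = ? AND owner = ?",
        (int(order_id), current_user),  # owner comes from the authenticated session, never the URL
    ).fetchone()
    return row[0] if row else None


SCRIPT_BLOCK = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def naive_strip_scripts(fragment):
    """Removes <script> blocks only; event-handler attributes pass straight through."""
    return SCRIPT_BLOCK.sub("", fragment)


def escape_for_html(fragment):
    """Output encoding: the browser renders the markup as text instead of executing it."""
    return html.escape(fragment, quote=True)


class RateLimiter:
    """Sliding-window limit per client: at most max_requests within window_seconds."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = collections.defaultdict(collections.deque)

    def allow(self, client_ip, now):
        """Return True if the request may proceed; pass time.monotonic() as now in real use."""
        hits = self._hits[client_ip]
        while hits and hits[0] <= now - self.window:
            hits.popleft()  # forget requests that fell out of the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True
```

Note what the two lookups do with the same input: `vulnerable_lookup` returns every order for `1 OR 1=1`, while `safe_lookup` rejects the value before it reaches the database and, for a well-formed ID, only returns a row the current user owns. The `naive_strip_scripts` function leaves `<img src=x onerror="alert(1)">` untouched, which is why output encoding or an allowlist sanitizer is the real fix.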
2. Secure access to application
Every page of your application should require authentication, and access should be denied by default: a user must not be able to reach a page simply by typing its URL. Check authentication on the server for each request rather than relying on hidden links or client-side logic. You can choose from various authentication mechanisms, such as Windows authentication, Active Directory or digital certificates.
3. Encryption of sensitive data
Most applications keep configuration in XML files, registry entries or plain text files. Remember that this CONFIG data is easily accessible to prying eyes. If you store database user names and passwords or other sensitive data in these files or in the registry, encrypt them. Note that encrypting a file with a key stored beside it gains little; use a mechanism whose key is held by the operating system or a secrets store (for example DPAPI-backed protected configuration on Windows/.NET), and keep secrets out of source control.
4. Security of the cache storage
The cache and other data files your application generates must be stored in folders with appropriate access rights. For example, make the folder accessible only to the account the application runs under, so that no other user on the machine can even open it. Prefer a dedicated low-privilege service account over running the application as administrator: an administrator account can read the folder, but it also hands an attacker who compromises the application full control of the machine.
5. Data on wire
For web-based systems, HTTPS ensures that data in transit is encrypted, so that someone cannot simply intercept or tamper with your packets to get at the data. Most web-based systems pass application flags, IDs and sometimes small data such as a user name in URLs. Avoid putting human-readable sensitive data in the URL: URLs end up in browser history, proxy and server logs and Referer headers. More importantly, a user should not be able to change a parameter in the URL and get at someone else's data. The dependable fix is the server-side authorization check described above; if a parameter must travel to the client and back unchanged, make it tamper-evident with a keyed MAC, or use an opaque random token instead of a guessable ID.
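One way to make URL parameters tamper-evident, as an added example that is not part of the original article: an HMAC-SHA256 tag is computed over a canonical encoding of the parameters and appended as `sig`, and the verifier rejects any query whose tag no longer matches. The key and parameter names are assumptions for the demonstration; in practice the key comes from a secrets store, and this does not replace the server-side authorization check (it only proves the server issued the parameters unchanged).

```python
"""Added example (not from the original article): making URL parameters tamper-evident
with an HMAC so a user cannot edit an ID in the query string and reach someone else's
data. Key handling is simplified: a real deployment loads the key from a secret store."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode


def _canonical(params):
    """Deterministic encoding of the parameters so signer and verifier agree on the bytes."""
    return urlencode(sorted(params.items()))


def sign_query(params, key):
    """Return a query string carrying the parameters plus an HMAC-SHA256 tag over them."""
    canonical = _canonical(params)
    tag = hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()
    return canonical + "&sig=" + tag


def verify_query(query, key):
    """Return the parameters if the tag is valid, otherwise None.

    Rejects a missing tag, repeated keys and any edit to a parameter value; the
    comparison is constant-time so the tag cannot be guessed byte by byte."""
    try:
        parsed = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return None
    sig = parsed.pop("sig", None)
    if sig is None or len(sig) != 1:
        return None
    if any(len(values) != 1 for values in parsed.values()):
        return None
    params = {k: v[0] for k, v in parsed.items()}
    expected = hmac.new(key, _canonical(params).encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig[0]):
        return None
    return params
```

The tag gives integrity, not confidentiality: anyone can still read `user=alice` in the URL, which is why HTTPS and keeping sensitive values out of URLs remain necessary.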
6. Strong password policy
Your application should enforce the following password policies; there is always a chance of a curious user trying to read his boss's private data:
· Passwords should be strong. The guideline of at least 6 alphanumeric characters given here is weak by today's standards; current NIST guidance (SP 800-63B) sets 8 characters as the minimum, longer is better, and candidates should be checked against lists of common and breached passwords.
· Lock or throttle the account after 3 to 5 failed attempts.
· Expire passwords so users change them periodically, and force an immediate change when a compromise is suspected. (NIST SP 800-63B now advises against arbitrary periodic expiry where breached-password screening is in place, so weigh this against the rest of the policy.)
· Don't give the attacker a clue. On failure return one generic message such as 'Invalid credentials' and do not hint whether the user name or the password was wrong.
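The policy above as a working login routine. This is an added example, not code from the original article: the minimum length, failure threshold and PBKDF2 iteration count are assumptions chosen for the demonstration, and the user store is an in-memory dictionary standing in for a database.

```python
"""Added example (not from the original article): a login routine that enforces a
password policy, stores only salted PBKDF2 hashes, locks the account after repeated
failures and returns one generic error regardless of which check failed.
Thresholds below are assumptions chosen for the example."""
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 12        # stricter than the article's 6; assumption for this example
MAX_FAILURES = 5
PBKDF2_ROUNDS = 100_000
GENERIC_ERROR = "Invalid credentials"
_DUMMY_SALT = b"\x00" * 16


def check_password_policy(password):
    """Return a list of policy violations (empty means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    return problems


def hash_password(password, salt):
    """Salted, slow hash; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserStore:
    def __init__(self):
        self.users = {}

    def add_user(self, name, password):
        problems = check_password_policy(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "hash": hash_password(password, salt),
                            "failures": 0, "locked": False}


def authenticate(store, name, password):
    """Return (True, None) on success, otherwise (False, GENERIC_ERROR)."""
    record = store.users.get(name)
    if record is None:
        hash_password(password, _DUMMY_SALT)   # same work as for a real user, so timing does not reveal existence
        return False, GENERIC_ERROR
    if record["locked"]:
        return False, GENERIC_ERROR
    if hmac.compare_digest(hash_password(password, record["salt"]), record["hash"]):
        record["failures"] = 0
        return True, None
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked"] = True              # unlock through an admin or a verified reset flow
    return False, GENERIC_ERROR
```

Every failure path returns the same message, so the response does not tell the caller whether the account exists, is locked, or just had the wrong password; the lockout counter is reset only by a successful login.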
7. Map user session
When a user logs out, invalidate the session on the server and clear the session cookie on the client; and when a session expires on the server, treat any cookie still carrying its identifier as invalid. Clearing the cookie alone is not enough, since a copy of it could be replayed.
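A minimal server-side session store showing both directions of that rule, as an added example that is not part of the original article: the server record is the source of truth, so a token that has been logged out or has expired is rejected even if the browser still presents it. The cookie name, lifetime and the clock-as-parameter design are assumptions for the demonstration.

```python
"""Added example (not from the original article): server-side session records with an
expiry, so that logging out or timing out on the server invalidates the cookie's token
even if a copy of the cookie survives on the client. Cookie name and TTL are assumptions."""
import secrets

COOKIE_NAME = "session"


class SessionStore:
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._sessions = {}   # token -> (user, expires_at)

    def create(self, user, now):
        """Issue an unguessable token; the server record is the source of truth."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now + self.ttl)
        return token

    def lookup(self, token, now):
        """Return the user for a live session, or None if unknown, logged out or expired."""
        record = self._sessions.get(token)
        if record is None:
            return None
        user, expires_at = record
        if now >= expires_at:
            del self._sessions[token]   # expired on the server: the cookie is now worthless
            return None
        return user

    def logout(self, token):
        """Server-side invalidation; clearing the browser cookie alone is not enough."""
        self._sessions.pop(token, None)


def session_cookie(token):
    """Set-Cookie value for a live session: not readable by script, sent over HTTPS only."""
    return "%s=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % (COOKIE_NAME, token)


def clear_session_cookie():
    """Set-Cookie value that tells the browser to drop the session cookie at logout."""
    return "%s=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax" % COOKIE_NAME
```

In a real application `now` would be `time.time()` and the store would live in a shared cache or database so that every server node sees the same logout.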
8. Limit the processing
If your application has an operation such as search whose result set can be very large, guard your server with an upper limit. For example, return at most 50 items of the result set at a time, and apply the limit in the query itself rather than fetching everything and trimming it afterwards. This prevents a single user from bringing your server down.
9. Auditing and logging
This is obvious but often not done carefully. Audit all security-related operations of your application (logins and failed logins, privilege changes, access to sensitive data) and provide basic reports for the administrator. Record who did what, when and from where, and keep passwords, session tokens and other secrets out of the logs. This helps you spot mischief early and, when suspicious entries appear, resolve the issue faster.
10. Beware of buffer overruns
If you are not working in a memory-safe managed environment such as .NET or Java, you may run into buffer overruns. These happen when a write goes beyond the bounds of a buffer or to an illegitimate memory location. The result is corruption of data in your process memory, which can cause a crash or a security vulnerability: an attacker who controls the overflowing data may be able to hijack control flow. Use bounded copy routines and check lengths against the destination size; note that native interop and unsafe code can bring the problem back even in managed languages.
Conclusion:
If you follow these security guidelines and good coding practices, securing your application is fairly straightforward. Depending on the type of application, you can fine-tune how much of this you need to do.
References:
Mike Arpaia (2012). Code as Craft: Leveraging big data to create more secure web applications. http://codeascraft.com/2013/06/04/leveraging-big-data-to-create-more-secure-web-applications/
F5 Networks (2013). Application Security: overview. http://www.f5.com/it-management/solutions/application-security/overview/
John H. Sawyer (2013). How Enterprises Can Use Big Data To Improve Security. Dark Reading. http://www.darkreading.com/management/how-enterprises-can-use-big-data-to-impr/240157674
Sujata Ramamoorthy (2011). Scaling application vulnerability management across a large enterprise. IBM. http://public.dhe.ibm.com/common/ssi/ecm/en/wgc12349usen/WGC12349USEN.PDF