What could developers and architects do to address application security from a programming standpoint?
Developers should use a sound plan that will address authentication of groups and users using the security provider, whether it is LDAP, identity management, or some other provider. It is also important to transmit sensitive data using SSL. Developers can easily encrypt transactions using https instead of sending plain text over http. It is also important for system architects to get involved and secure applications at every level possible, from the database to the OS and application server and on the network.

What are some of the latest vulnerabilities often found in enterprise applications?
Network security is a hole that is found in many enterprises and goes unaddressed. Sophisticated hackers may be a threat; however, anyone with a laptop can sit down outside of a building with a wireless network and access the network directly. I recently turned my laptop on outside of a city hall and noticed that I had internet access and was connected to a network from somewhere nearby. If I were on the network, I would have the keys to the store.
Aside from network security, it is important to secure your applications from the inside as well. The operating system and databases should be kept current with security alerts and patches. Also, the middle tier of any application will have patches that address security threats. J2EE engines and web servers are newer-generation security holes that allow access to data using markup languages. It is important to keep the application tier patched with all security updates. SAP's J2EE engine is an example of this type of hacker target. SAP's Exchange Infrastructure may also transmit sensitive data using markup language that should be encrypted with SSL/https whenever possible.
The largest security threat is now coming from personnel who are not properly trained in the call center or help desk. In large companies, it is possible to get an employee's name and some information. Then a hacker will get on the telephone and call the help desk or call center. They can be sly and impersonate an employee who needs a password reset. The help desk employee then resets the password, provides the hacker access and sends them on their way.

Who should be involved in developing a sound application security plan? What is involved in developing that plan?
It is important to involve all pieces of the puzzle. The main components of the application from end to end involve the server or servers that will host the application and the network that will transport the data between the database and application servers. The application servers should then go through some form of protection like a proxy server that acts as a pass-through for data. This proxy layer does not sit within your network; however, it is in the demilitarized zone and is protected at the firewall to prevent intrusion.

We hear so much about database vulnerabilities. Does security start at the database?
Security of the database is definitely one of the most sensitive areas. The database may contain all information that the application will access. This data may include Social Security numbers, names and addresses, financial transactions and personal medical information. Database vendors will distribute patches that address vulnerabilities of their product; however, it is always important to have a secure network that locks down threats of intrusion.

When should a company consider using a third-party security vendor or consultant?
This depends on the company's primary business. If a company is an auto manufacturer with a small in-house IT shop, then hiring a third party to handle this responsibility is often an easier path than training in security methods. This also ensures that you have a security specialist rather than a newbie in a position without the proper experience to fit the credentials.
In corporations with a large and experienced IT staff, it is important to have some method of checks and balances. Several third-party security companies provide services where they have their expert hackers attempt to violate your systems' integrity. They will then provide a report with your vulnerable areas and lock-down methods you should use to remedy your problems and secure your data.

Explain how a company should address its software patch cycle.
Every situation is unique. In general, software patching is usually done on an individual basis to fix a specific problem. Many of these fixes are then bundled by the software vendor in a package. SAP specifically uses support packages for the application and kernel patches for the application at the OS level. There are then database patches and OS patches that are packaged in the same manner. This is also a benefit of the third-party security specialist that was mentioned earlier. They will provide industry trends that pertain specifically to the software you are using.

Are there trends with patching and upgrades that companies should be watching?
Again, every company is unique, so there is not one solution for patching. Most vendors provide automatic notification of patches that are released to fix issues in areas such as security. It is crucial that the administrator stay current with these notifications and be proactive in evaluating and applying them when needed.
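As an added illustration of the patch tracking the last two answers describe, here is a small Python check that compares an installed-component inventory (application server kernel, middle tier, database, OS) against the vendor notifications an administrator receives and lists what is behind, most severe first. This is example code written for this page, not code from the interview or from SAP; every component name, version string and advisory identifier in it is a constructed placeholder, and the version-comparison rule (numeric fragments compared left to right, shorter strings padded with zeros) is an assumption, not any vendor's numbering scheme.

```python
"""Added example: report installed components that are below the version a
vendor notification says contains the fix. All names, versions and advisory
IDs are constructed placeholders, not real product levels."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    component: str      # inventory key, e.g. "app-server-kernel"
    fixed_version: str  # first version that contains the fix
    severity: str       # "critical", "high", "medium" or "low"
    advisory_id: str    # vendor notification identifier (placeholder)


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """Turn '7.40.15' or 'SP10' into a tuple of integers for comparison.
    Assumption: only the numeric fragments matter, compared left to right."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_below(current: str, fixed: str) -> bool:
    """True when `current` is older than `fixed`. Shorter tuples are padded
    with zeros so that '7.40' is treated as equal to '7.40.0', not older."""
    a, b = parse_version(current), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def missing_patches(installed: dict, advisories: list) -> list:
    """Return the advisories that apply to an installed component whose
    version is below the fixed version, ordered most severe first.
    Components not in the inventory are skipped: the notification does not
    apply to software that is not installed."""
    gaps = [
        adv for adv in advisories
        if adv.component in installed
        and version_below(installed[adv.component], adv.fixed_version)
    ]
    gaps.sort(key=lambda adv: (SEVERITY_RANK[adv.severity], adv.component))
    return gaps


def report(installed: dict, advisories: list) -> str:
    """Human-readable summary, one line per outstanding patch."""
    lines = [
        f"{adv.severity.upper():8} {adv.component}: "
        f"{installed[adv.component]} -> {adv.fixed_version} ({adv.advisory_id})"
        for adv in missing_patches(installed, advisories)
    ]
    return "\n".join(lines) if lines else "all tracked components current"


# Constructed sample inventory (placeholder component names and levels).
INSTALLED = {
    "app-server-kernel": "7.40.12",
    "j2ee-engine": "SP10",
    "database": "12.1.3",
    "os": "3.10.200",
}

# Constructed sample vendor notifications (placeholder identifiers).
ADVISORIES = [
    Advisory("app-server-kernel", "7.40.15", "high", "NOTE-0001"),
    Advisory("j2ee-engine", "SP11", "critical", "NOTE-0002"),
    Advisory("database", "12.1.3", "medium", "NOTE-0003"),      # already at fixed level
    Advisory("web-dispatcher", "8.0.1", "critical", "NOTE-0004"),  # not installed here
    Advisory("os", "3.10.250", "low", "NOTE-0005"),
]

if __name__ == "__main__":
    print(report(INSTALLED, ADVISORIES))
```

Run against the constructed inventory, the report lists the J2EE engine, the kernel and the OS as outstanding, in that order, and says nothing about the database (already at the fixed level) or the web dispatcher (not installed). In practice the inventory would come from the systems themselves and the advisory list from the vendor's notification feed; the point of keeping the comparison separate is that the same check can be re-run every time a new notification arrives.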