The Year 2017 was the year of globally impacting attacks like WannaCry and Petya and high profile data breaches like Equifax , Uber , Yahoo where millions of user accounts were stolen by the attackers.
Equifax, one of the three largest credit agencies in the U.S., suffered a breach that may affect 143 million consumers. Hackers were able to access personal data of 143 million Equifax customers—including Social Security numbers and driver’s license numbers. This is one of the worst breaches ever. With help from Mandiant a professional cybersecurity firm, Equifax was able to determine a series of breaches had occurred from May 13 through July 30 hackers were able to exploit a weak point in website software.
As per the CNN tech news, the tool is called Apache Struts, and it’s used by many large businesses and government organizations. Equifax used it to support its online dispute portal — where Equifax (EFX) customers go to log issues with their credit reports. The flaw allowed hackers to take control of a website.
This steers the entire conversation of end to end application security. In this article, we will explore, what is the end to end application security and what needs to be done to stay protected.
“Making web applications safe is in the best interest of all organizations and the general economy. Providing a clearly defined set of web application security best practices will advance security professionals’ ability to anticipate and rapidly address potential threats to their enterprise.” -Yuval Ben-Itzhak, CTO and Co-Founder KaVaDo
What is Secure Application – What Needs to Be Protected?
As per Microsoft, the secure application is “A hack-resilient application, one that reduces the likelihood of a successful attack and mitigates the extent of damage if an attack occurs. A hack-resilient application resides on a secure host (server) in a secure network and is developed using secure design and development guidelines.”
In simple word, Application security is dependent on many factors, that includes Secure Software Development Life Cycle (SDLC), Secure hosting environment – servers / VMs, Operating systems, databases, network connectivity, access controls, and process controls like patching, backup, etc.
For any digital organization protecting data is important not only form the competitive advantage point of view but also form the regulatory compliance requirements point of view, e.g. GDPR. Applications are means of generating, collecting, processing and storing data. To protect the data it is important to secure the application.
End to End Application Security
The Application security starts from the application design phase and goes on till the application is decommissioned and data is destroyed in a secure way. Following diagram provides the six phases that are part of the end to end application security.
- Threat Modeling and Secure Software Development Life Cycle (S-SDLC) – The Application security should be part of the design phase. During the design phase, it is important to perform threat modeling considering factors like business requirements, applicable regulatory compliances, data privacy applicability, hosting ( in-house DC, cloud – Public /Private), access requirements (connectivity, type of access, devices) and operations connectivity requirements. Depending on the information data of captured requirements and threats identified, security controls need to be incorporated in application architecture. Microsoft has provided very good information about the Secure SDLC, this site provides the step by step information on what needs to be done to make sure that sure that security is part of the entire lifecycle.
- Physical Security of Hosting facility – It is equally important to make sure that facility in which the application is hosted has proper security controls like facility, access control, all the entry and exit points are monitored using the CCTV camera, and inside the data center there are controls to monitor HVAC (Humidity, Voltage, and Air Conditioning). Physical access to racks networking bay is again monitored by CCTV cameras and motion detectors etc. Here you will find more inputs on Data Center Physical security. Also, refer this check list for validating the physical security requirements.
- Logical Security – Security the IT infrastructure – The operating systems, databases, security and network infrastructure should be hardened to make sure only required ports and services are allowed. The VPNs are configured to separate internet, intranet, Production development and testing environment. When dealing with compliances like PCI-DSS extra care should be taken to create separate zone for payment card processing applications and all related infrastructure.
- Compliance to Policies (Regulatory requirements & organization specific) – While designing the application as well as implementing and configuring the IT infrastructure , network and security controls make sure that organizations security policies are implemented e.g. Access Control policies – who will have what level of access . Processes are defined to execute these polices, e.g. Patch management policy or change control policy.
- Secure Operations – The threats are very dynamic and hence conducting the vulnerability assessment and penetration testing is important to identify weakness in the application and hosting infrastructure. Once the vulnerabilities are identified assign the mitigation priority as per the risk scope relevant to your environment. Collecting and analyzing the logs generated in your environment to identify anomalies is another important activity to detect the attacks is early stage. Also monitoring performance, resource utilization and availability of services will help to make sure that application is available for the end users.
- Secure Retiring process – Retiring or decommissioning application should not be evaluated for the ROI perspective but also should be evaluated from the requirement of the data from the regulatory compliance point of view. Before retiring application make sure that the data can be migrated to the new application in a forensically accepted ways. The old data and application then should be decommissioned in a way that data cannot be retrieved from the hard disk and storage media. Read here more about application retirement best practices.
The above six steps will help to improve the security posture of your application , you still need to be watchful to identify the early signs of attacks and take action to reduce the impact of security incident.
In this digital transformation era, businesses and government agencies are heavily dependent on the applications to achieve the goals. The applications generate, process and stores the data which may be business critical contains personal identifiable and confidential information which regulators are mandating to protect, hackers attackers can exploit the application vulnerabilities to get hold of the data. Hence application security becomes at most important and cannot be looked into the isolation. The application security starts from the design phase and ends when the application is decommissioned and data is destroyed in secure way.