Securing Your Software Applications
Applications are software that is designed to perform some meaningful function.
For a company, application software could be any one of the enterprise
systems such as enterprise resource planning, supply chain management, or
customer relationship management, or the databases that maintain information
on everything from products to customers to the financial transactions
of the company.
Therefore, application security directly relates to making sure those assets
perform properly and are not vulnerable to attack by hackers or misused
internally by employees.
Generally, application security has been widely recognized as a good thing
that everybody must have, but it has also commonly been interpreted as
solely the province of the IT department. With the passage of SOX (yes, we
know, more about SOX), CEOs and directors are more accountable than ever
for what goes on under the hood of their companies, so ignoring application
security comes with a significant set of perils. Simply put, IT may run and
manage this function, but the CEO needs to understand what they are doing
and how they are doing it.
Taking basic application security measures
The tools of application security are the same kinds of controls used in nearly
every other aspect of GRC: software, hardware, and guidelines establishing
set policies and procedures for employees to follow. Further, because the
risk of being hacked is now widely recognized, application vendors build
security measures into their software, and application security should be an
evaluation point for software purchases: ask how the vendor finds and fixes
vulnerabilities, not just whether the product has a "security" feature.
Some of the most basic and elemental application security measures are
controls that have reached a high degree of ubiquity throughout society, such
as firewalls, anti-virus software, and anti-spyware software. Strictly
speaking, these protect the network and the hosts that applications run on
rather than the application code itself, but an application is only as safe
as the platform beneath it. Routers can also get into the act: network
address translation (NAT) hides internal IP addresses from the outside, and
an ingress filter on the router or firewall drops any packet that arrives
from the outside yet carries an internal source address, because no
legitimate packet from the Internet can have one. (Forging the source address
in this way is an attack technique called IP spoofing; the filter is the
countermeasure, not the attack.) Other measures include encrypting information
as it travels from one point to another, and strong authentication tools such
as biometrics that confirm who a user is, which is the prerequisite for
deciding whether that user is authorized to access certain data or use a
particular piece of hardware.
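The router check described above, as an added example that is not part of the original book text: a small Python model of an anti-spoofing filter in the style of BCP 38 / RFC 2827. It applies the ingress rule the text describes (drop packets from the outside that claim an internal source) and the matching egress rule (drop packets leaving the inside with a non-internal source, so this network cannot be used to spoof others). The interface names, the list of internal prefixes and the sample packets are all assumptions constructed for illustration; a real router expresses the same rules as access-list entries rather than Python.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed "internal" address space: the RFC 1918 private ranges plus
# loopback, link-local and their IPv6 equivalents. A real deployment would
# add the organisation's own public prefix(es) so that the egress rule
# matches what actually lives behind the router.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


@dataclass(frozen=True)
class Packet:
    src: str    # source address as text, as parsed from the IP header
    dst: str    # destination address as text
    iface: str  # interface the packet arrived on: "outside" (Internet) or "inside" (LAN)


def is_internal(addr: str) -> bool:
    """True if addr falls inside any prefix we treat as internal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # an unparseable address is never "ours"
    # ipaddress never matches a v4 address against a v6 network or vice versa
    return any(ip in net for net in INTERNAL_PREFIXES)


def filter_decision(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet.

    Ingress rule: a packet arriving on the outside interface must not claim
    an internal source address; if it does, it is spoofed.
    Egress rule: a packet arriving on the inside interface must carry an
    internal source, otherwise a host on our network is spoofing someone else.
    """
    try:
        ipaddress.ip_address(pkt.src)
    except ValueError:
        return "drop", "malformed source address"
    if pkt.iface == "outside":
        if is_internal(pkt.src):
            return "drop", "spoofed internal source on outside interface"
        return "accept", "external source on outside interface"
    if pkt.iface == "inside":
        if not is_internal(pkt.src):
            return "drop", "non-internal source leaving the network"
        return "accept", "internal source on inside interface"
    return "drop", f"unknown interface {pkt.iface!r}"


# Constructed sample traffic for illustration, not captured from any real network.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "192.0.2.10", "outside"),    # normal inbound traffic
    Packet("10.1.2.3", "192.0.2.10", "outside"),       # spoofed: claims to be inside
    Packet("127.0.0.1", "192.0.2.10", "outside"),      # spoofed loopback source
    Packet("192.168.5.5", "198.51.100.1", "inside"),   # normal outbound traffic
    Packet("203.0.113.99", "198.51.100.1", "inside"),  # inside host spoofing an outside source
    Packet("fd00::1", "2001:db8::1", "inside"),        # IPv6 ULA source, normal outbound
    Packet("999.1.1.1", "192.0.2.10", "outside"),      # malformed header
]


def apply_filter(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Run every packet through the filter and return (packet, decision, reason)."""
    return [(p, *filter_decision(p)) for p in packets]


def dropped_sources(packets: List[Packet]) -> List[str]:
    """Source addresses of the packets the filter drops, in input order."""
    return [p.src for p, decision, _ in apply_filter(packets) if decision == "drop"]


if __name__ == "__main__":
    for pkt, decision, reason in apply_filter(SAMPLE_PACKETS):
        print(f"{pkt.iface:7} {pkt.src:>15} -> {pkt.dst:<15} {decision:6} ({reason})")
```

Running the block prints one line per sample packet; the two spoofed inbound packets, the outbound packet with a forged external source, and the malformed packet are dropped, while ordinary inbound and outbound traffic (IPv4 and IPv6) is accepted. The egress rule is the part most organisations forget: it costs nothing and stops your own network from being a launch point for spoofed attacks against others.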
Application security can be enhanced through a practice known as threat
modeling, which can include a wide range of possible scenarios such as a
failure of the application to operate properly, a malicious action taken by an
272 Part IV: Managing the Flow of Information