That’s an easy question to ask, but a very difficult one to answer.  I’m going to write two articles on this topic.  This, the first one, is about specifying what security we want in an application.  The second will be about assuring the security of an application.

An application is secure if it is resistant to attack.  All forms of interaction with an application can potentially be attacks, if the application does not handle them correctly.

Applications interact in many ways, not all of them obvious:

  • End users use the application for its business purpose.
  • Privileged application users perform special operations such as user management.
  • Applications, and application components, interact together.
  • Infrastructure supports and separates applications (we hope).  Modern infrastructures partition and host applications in complex and unpredictable ways, and will share server, network and storage resources with multiple tenants.
  • Data from the application can travel widely – for instance,  to backup solutions or data warehouses.

To impose order on this chaos, you need to secure the application’s interactions.  You will need to think about the following:

  • Both sides of the application, and its internal components, need to authenticate each other.  Humans, and legacy applications, have different authentication capabilities from modern applications.  Phishing attacks, for instance, work because humans are poor at authenticating applications.
  • The traffic between the two sides must be protected from tampering (always) and eavesdropping (sometimes).  When I say ‘sometimes’, I mean that sensitive data, and authentication secrets like passwords, need protection for confidentiality.  Over networks this is generally achieved using cryptography, for instance web servers usually support the TLS protocol for this purpose.
  • Applications need to be able to handle unexpected input without behaving unpredictably.  SQL injection attacks, for instance, work by passing data to an application in an unexpected format to confuse it.
  • Most real-world protocols are built up from a stack of different layers that serve different purposes.  The application, in its environment, must handle each layer correctly and send messages to components that can cope with them.

The Open Web Application Security Project (OWASP) has many useful resources for application security, including the OWASP top 10 web application security risks report, and the Open Software Assurance Maturity Model (OpenSAMM).

Application security can’t be bought in a box.  It requires careful acquisition and development of software, and paying attention to security when configuring and installing software, as well as deploying infrastructure and application security mechanisms.

None of this can easily bolted on after the fact.  Capgemini recommend performing a detailed security risk analysis early on in the development of a new application, to ensure security is built in (and budgeted for) from the start.