An application is secure if it resists attack. Every form of interaction with an application is a potential attack if the application does not handle it correctly.
Applications interact in many ways, not all of them obvious:
- End users use the application for its business purpose.
- Privileged application users perform special operations such as user management.
- Applications, and application components, interact together.
- Infrastructure supports and separates applications (we hope). Modern infrastructures partition and host applications in complex and unpredictable ways, and will share server, network and storage resources with multiple tenants.
- Data from the application can travel widely – for instance, to backup solutions or data warehouses.
- Both sides of the application, and its internal components, need to authenticate each other. Humans, and legacy applications, have different authentication capabilities from modern applications. Phishing attacks, for instance, work because humans are poor at authenticating applications.
- The traffic between the two sides must be protected from tampering (always) and eavesdropping (sometimes). By ‘sometimes’ I mean that sensitive data, and authentication secrets such as passwords and session tokens, need protection for confidentiality as well as integrity. Over networks this is generally achieved using cryptography; web servers, for instance, support the TLS protocol, which provides both integrity and confidentiality and also lets the client authenticate the server it is talking to.
- Applications need to handle unexpected input without behaving unpredictably. SQL injection, for instance, works because the application builds a database query by concatenating untrusted input into the query text, so a crafted input is interpreted as part of the query rather than as the data it was meant to be.
- Most real-world protocols are built up from a stack of different layers that serve different purposes. The application, in its environment, must handle each layer correctly and send messages to components that can cope with them.
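The SQL injection point above, as an added worked example that is not part of the original article: a login check written two ways against an in-memory SQLite table. The table contents, the function names and the payloads are constructed for the demonstration. The vulnerable version splices user input into the query text and can be bypassed; the hardened version passes the same input as a bound parameter, so the database never parses it as SQL.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo (not from the original page):
    # two users with plaintext passwords, which is itself bad practice
    # but keeps the injection point easy to see.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Untrusted input is concatenated into the SQL text. A single quote
    # in the input closes the string literal, and whatever follows is
    # parsed as SQL: data has become code.
    query = (
        "SELECT username FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # The SQL text is fixed; the values travel separately as bound
    # parameters. The database compares them as plain strings, so a
    # payload containing quotes or comment markers matches nothing.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic payloads, constructed for the demo.
# Tautology in the password field:
#   ... AND password = '' OR '1'='1'   -> AND binds tighter, so the OR
#   makes the WHERE clause true for every row.
TAUTOLOGY = "' OR '1'='1"
# Comment-out in the username field:
#   ... WHERE username = 'alice'--' AND password = 'x'   -> everything
#   after -- is a SQL comment, so the password check disappears.
COMMENT_OUT = "alice'--"


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "alice", "correct horse"))  # alice (legitimate)
    print(login_vulnerable(conn, "nobody", TAUTOLOGY))       # alice (bypassed)
    print(login_vulnerable(conn, COMMENT_OUT, "wrong"))      # alice (bypassed)
    print(login_safe(conn, "nobody", TAUTOLOGY))             # None
    print(login_safe(conn, COMMENT_OUT, "wrong"))            # None
    print(login_safe(conn, "alice", "correct horse"))        # alice
```

Note that the fix is not input filtering: the safe version does no escaping or validation of its own, it simply never lets the input reach the SQL parser. Escaping quotes by hand is fragile (character sets, second-order injection, numeric fields); parameterised queries remove the whole class of problem.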
Application security can’t be bought in a box. It requires careful acquisition and development of software, attention to security when configuring and installing that software, and the deployment of infrastructure and application security mechanisms.
None of this can easily be bolted on after the fact. Capgemini recommend performing a detailed security risk analysis early in the development of a new application, to ensure security is built in (and budgeted for) from the start.