latest intelligence
array of applications that exist in the enterprise ecosystem. This process allows the security team to focus efforts on the riskiest systems first.
In mature enterprises, application security and penetration testing programs exist to find vulnerabilities in internally developed applications and the complex interactions between systems (Scarfone et al., 2008). Both programs should be integrated with the Secure Development Lifecycle (SDL) to prevent vulnerabilities in internally developed applications from reaching the end users (Conklin & Shoemaker, 2014). This paper covers some of the shortcomings of current prioritisation methods and proposes an alternative scheme to overcome these limitations.
Introduction

Application security is a key part of a ‘defence in depth’ strategy. This control is often only considered for internally developed software, but attackers look for vulnerabilities in all systems (McGraw, 2006). While this is true for several of the measures in the application software security control, this control is more extensive than basic testing of in-house created applications. Even commercial and third-party developed systems still warrant some steps of this process. Performing in-depth security assessments of all systems in an enterprise is, unfortunately, a long and costly undertaking (Scarfone et al., 2008). During this lengthy process, it is possible that security testers will test some systems in an order that is not commensurate with the risk to an organisation.

The Critical Security Controls (CSC) advise that vendors must support all software, all systems must be behind a protocol-aware firewall, system owners must maintain a development environment that is separate from production and harden all database servers.

Issue 03 | www.intelligentciso.com