Application Threat Assessment-the Security Backbone
Threats contribute to the tampering, destruction or complete interruption of services and functions that adversely affect productivity and seamless functioning of enterprise operations. It is vital to understand that today threats to each asset within any applications can be targeted by hackers. Thereby, conducting application security threat assessments (ASTA) with an objective to produce recommendations that safeguard confidentiality, integrity and availability, while maintaining functionality and usability, need to be considered important. On a serious note, creating a list of threat types and identifying how these can launch attacks on application and its components and in turn the business functions, emerge as the best approach.
The ASTA develops threat profiles for every component in an application, by analyzing the application’s end-to-end information regarding its architecture. From narrowing down on vulnerabilities in a given application to study the nature of threat; estimating the impacts and disruption those vulnerabilities can bring; and prioritizing the consequences to take relevant actions, ASTA manages wide variety of security measures. Assessing both categories namely unauthorized and authorized threats are important as both users share the same intent of sabotaging to disrupt routine operations or financial gain intentions.
The scenarios vary, where one threat exploit a vulnerability to infect multiple assets, and conversely, several types of threat exploiting different types of vulnerabilities to attack a single asset which might be critical or confidential. Therefore, the complexity of relationship between threats and assets are immense. So it is best to use simple representations of threat to asset mapping by categorizing threat types intended to attack each critical asset.
There is an array of processes and methodologies that can be engaged in this regard.
Threat modeling plays a vital role in successfully understanding the key threat agents, verifying architectural components, identifying vulnerable trust boundaries and checking for connection safety of applications and its network environment.
Reviewing Security Architecture:
Engaging a robust security architecture review can actively defend against cyber threats or take necessary action against vulnerability in an application. It also provides deep insights into the effectiveness of any organizations’ planned or implemented security controls, to facilitate tailored guidance toward improving security measures.
Security Code Review:
Any application is framed of millions of lines of codes. Thereby it is vital to implement security controls correctly. The codes need to be reviewed thoroughly before any application goes into production. Studies reveal that more than automated tools, manual code reviews significantly identify more serious authentication, access control, and encryption risks.
Penetration testing proves crucial in identifying exploitable vulnerabilities and testing any application’s environmental security controls like app firewalls. An efficient penetration testing provides ‘root cause’ identification and recommendations of issues and best practices specific to the characteristics of an application. Again, manual testing is more preferable as it provides customized and tailored recommendations for every application that is different and also the end-client’s needs.
Engaging automated software to scan application layer vulnerabilities can quickly identify default contents, errors and mis-configurations while reducing the time needed for assessing applications of larger sizes.
In a constantly evolving world as the security landscape, threat and risk assessment process is not the ultimatum in ending the war. No ASTA guarantees full coverage of security threats. It continuous to be a prolonged process which requires regular reviews and updates to ensure that the protection mechanisms that exist meet the required objectives and security needs. Enterprises should act wisely to conduct assessments to adequately address security requirements of the organization in terms of integrity, availability and confidentiality. Company managements should definitely make application threat assessments an integral part of their infrastructure’s overall life cycle. Failing to do so, they might leave themselves open to situations that could disrupt, damage or destroy their abilities to conduct business operations. Employees and employers of IT infrastructures and everyone else, who rely upon it for their business, must realize the importance of performing security assessments and join hands together for a secured business framework.
By Nancy S. Wolk, CIO, Alcoa - Global Business Services
By John Kamin, EVP and CIO, Old National Bancorp
By Gregg T. Martin, VP & CIO, Arnot Health
By Elliot Garbus, VP-IoT Solutions Group & GM-Automotive...
By Bryson Koehler, EVP & CIO, The Weather Company, an IBM...
By Gregory Morrison, SVP & CIO, Cox Enterprises
By Adrian Mebane, VP-Global Ethics & Compliance, The Hershey...
By Lowell Gilvin, Chief Process Officer, Jabil
By Dennis Hodges, CIO, Inteva Products
By Gerri Martin-Flickinger, CIO, Adobe Systems
By Walter Carvalho, VP& Corporate CIO, Carnival Corporation
By Mary Alice Annecharico, SVP & CIO, Henry Ford Health System
By Bernd Schlotter, President of Services, Unify
By Bob Fecteau, CIO, SAIC
By Kushagra Vaid, GM, Server Engineering, Microsoft
By Steve Beason, Enterprise CTO, Scientific Games
By Steve Bein, VP-GIS, Michael Baker International
By Jason Alan Snyder, CTO, Momentum Worldwide
By Jim Whitehurst, CEO, Red Hat
By Alberto Ruocco, CIO, American Electric Power