Defence in depth is key to application-level security

Making the decision to part-exchange the two-door sports car and purchase something more practical is often determined by two factors. We need a car that can accommodate the pram, and we need something 'safer'. The first requirement is easily tested, while the second requirement is satisfied with the European New Car Assessment Programme (Euro NCAP). The programme publishes safety reports on new cars, and awards 'star ratings' based on their performance in a series of crash tests, writes Raj Samani, vice-president of communications at ISSA UK.

Having objective safety information is critical when selecting a product whose users depend on its security. For IT managers, however, the equivalent information for deciding which application should run the payroll is likely to rest on nothing more than vendor assurances.

There have been rumours of a kite mark for software, and notably for its security. Although a useful idea, one has to question the value of rubber-stamping quality when we all know that vulnerabilities are routinely identified in products that marketing departments class as "100% hacker-proof", or words to that effect.

So in the absence of an objective standard to measure the security of your next purchase, what options exist?

For most organisations, adhering to the old security mantra of defence in depth is likely to reduce the impact of any future vulnerabilities. This should be combined with applying security patches in a timely fashion and regularly performing security testing.

For added assurance, and wherever possible, engaging a security testing organisation to review the application's code is well worth the money. If this is not possible, then look to use software that has gone through added testing for use within central government, or carry out a peer review of the code within your development community and look to OWASP and SANS to ensure the "Top 20" vulnerabilities have been addressed.

Whichever methods are used to test the application, it is important to remember to test its security regularly, because no matter how safe you think you are, there is always something or someone out there capable of proving you wrong.
