A Program in a Program in a Program

2 May 2015

In the past weeks I did a lot of security assessments for complex applications. I always use the Socratic Method – i.e. dialogues in small groups with subject matter experts (SMEs) and support from infrastructure specialists where required. No rocket science! The only new, but important, thing is that we look at the applications from the malicious insider’s point of view.

And, for sure we do a 360-degree assessment which includes

  • People, Processes, Technology,
  • Servers, Middleware, Databases,
  • Interfaces to other Applications and to Infrastructure systems.

Our talks were very fruitful. And it was amazing to see how fast people became familiar with the malicious insider’s point of view.

When it comes to the secure operation of databases, many experts from various disciplines are involved, because a database is a complex application in itself. Hardening a database without hardening the underlying operating system, the application and the middleware makes no sense. Security standards have to be defined and implemented for servers, databases and application components to achieve a good overall security level. Moreover, security standards must undergo continuous development, because the threat landscape evolves quickly.

Thus an application security program comprises nested programs for the building blocks of applications.

For each building block, security baselines have to be defined by interdisciplinary teams.

In addition, a team of innovators is required for the continuous development of the baselines.

And a knowledge management team is needed to make sure that all teams share their knowledge of threats, lessons learned from major data breaches and mitigation best practices.

In particular, knowledge management is one of the weak points of many security programs…

Have a good weekend!
