Application Security (APS)

There is a growing realization that applications offer attackers low-cost opportunities to gain access to valuable information assets or to disrupt business services. As organizations get better at securing their networks, desktops and server infrastructure, attacks have shifted to the application level, as the growing number of application-level attacks in recent years confirms. Protecting applications simply by defending the perimeter with firewalls and network traffic encryption has proven insufficient. To address risks at the application layer, several technology and tactical measures have emerged that have helped ‘application security’ evolve into an important discipline in its own right. DSCI sees ‘application security’ as a critical means of securing data and ensuring the privacy of personal information. This section illustrates DSCI’s approach to Application Security (APS) and provides a set of practices that help an organization achieve a high level of assurance over its application security initiatives.

Application Security (APS) is attracting increasing attention from professionals and technology solution providers. The expanding threat landscape at the application level, and the challenge of addressing it, are driving organizations’ security priorities and forcing them to initiate programs for securing their applications. The professional experience gained in addressing these challenges, together with the technical solutions emerging in this area, is establishing APS as an important function of enterprise security. The tactical measures that organizations adopt for application security are contributing to the maturity of application security concepts.

DSF pays a great deal of attention to application security: the application, being nearest to the data layer, is the most critical layer for providing assurance over the security of data. DSCI BEST PRACTICES reflect the contemporary understanding of application security concepts, the technology trends evolving around application security, and the tactical measures being adopted for effective management of security at the application layer.

  • Ensure that an enterprise-level portfolio of applications is maintained and that there is a clear understanding of each application’s criticality to the business
  • Ensure that Lines of Business (LOBs) are involved in the application security initiatives
  • Create a catalog of all compliance requirements and map them to the in-scope applications
  • Ensure that there is significant visibility over each application’s exposure to security threats
  • Assign security ratings to all applications based on their exposure
  • Ensure that defense strategies are in place against the perennial and evolving security threats at the application layer
  • Develop a strategic roadmap for the adoption of application security technologies and tools
  • Ensure that the application security program’s coverage extends to legacy applications, custom code, communication and integration APIs, and packaged enterprise applications such as ERP and CRM
  • Protection at the Application Layer
    • Ensure that complete visibility exists over the current level of protection against the applicable threats
    • Ensure that protection measures reflect the real risk the organization faces and are proportional to the risk value
    • Ensure that a strategy is in place to augment protection capabilities, improving the level of protection and addressing emerging threats
    • Ensure proper integration of security capabilities, whether acquired through a direct product purchase or built through a project
    • Ensure that application-security-specific capabilities are integrated with the incident management mechanism, so that incidents at the application layer are duly addressed and managed
  • Application Security Information Management
    • Ensure that a mechanism exists to manage application-security-specific information
    • Ensure that the information gathered by the application security function is managed so that it provides critical intelligence to the application security function and to compliance initiatives
    • Ensure that significant effort is dedicated to establishing a common understanding of application security concepts and to updating it in line with technology and market trends
  • Application Security Function
    • Ensure that a dedicated function exists to oversee end-to-end application security activities
    • Define the roles and responsibilities of the application security function
    • Define the application-security-specific responsibilities of associated functions such as application development, application support, infrastructure management and LOBs
    • The application security function should be accountable for defining and enforcing enterprise-level standards and guidelines for application security
    • Ensure that significant resources and effort are dedicated to application security architecture planning
    • Ensure that a significant level of collaboration exists between the different functions
  • Security in SDLC Process
    • Ensure that security is considered at each stage of application development and deployment
    • Prepare a catalog of all elements of Application Lifecycle Management (ALM)
    • Develop the technical and process design for integrating security into the different stages of the application life cycle
    • Ensure that enterprise-wide standards and guidelines are defined and enforced in the development, testing, deployment and operational stages of the application
    • Ensure that the application development team is trained in application security concepts and practices such as secure coding, threat modeling and security testing
    • Ensure that the necessary tools, techniques and services are in place for effective integration of security with the SDLC
    • Ensure that the security of packaged applications such as ERP and CRM is addressed in the SDLC process through effective patch management and routine testing
    • Ensure that metrics are established to monitor the performance of application vulnerability management operations throughout the life cycle
  • Security Testing
    • Define application security testing requirements
    • Ensure that test management processes are properly documented and implemented
    • Define a catalog of application security testing services
    • Ensure that sufficient resources and skills are available to perform application security testing services and tasks
    • Ensure that application security testing is agile enough to respond to emerging threats and incorporates tests for newly identified vulnerabilities
    • Ensure that the necessary security testing tools and techniques are available to perform application security testing
    • Ensure that test results are managed effectively
  • Comprehensiveness and accuracy of the application security program’s coverage
  • Visibility over application security activities
  • Adequacy of protection
  • Intelligence over application security information
  • Architectural treatment of application security
  • Alignment with the overall security strategy
  • Integration with SDLC processes
  • Tools and technology direction
  • Involvement of the ADM function
  • Adequacy of resources and skills
  • Responsiveness to threats
  • Compliance demonstration

DSCI Security Framework