Layer lockdown

Application security is a serious business - and a significant task for enterprises. In the second appsec feature, NME looks at some of the critical aspects around ensuring the whole application layer is secure.

By  Administrator Published  April 1, 2007

The application layer - not the traditional abode of many network professionals. Database administrators and other software specialists are the normal inhabitants of this realm within the IT infrastructure - but at what potential cost?

Last month NME focused on the issues around patching individual applications (or not, as the case may be), as well as preventing any intruders getting past the network security systems.

But this is only half the problem - beyond making sure any individual apps are as up-to-date as possible, and screened behind access control systems and firewalls on the network, comes the management of the application layer overall.

Many large organisations put all their weight behind creating a robust and secure network, but fail to address even the most basic elements of application security, according to Abdul Karim Riyaz, regional director for storage and protection for CA's EMEA eastern markets.

"Some of the common mistakes we see are deploying applications and underlying databases with the default passwords in place - I know it's probably one of the easiest and simplest things to look at, but we've seen even large corporations running their systems on default passwords," says Riyaz. "As a hacker, all I'd need to do is get into the network, then with the default user name and password I'm inside the system."

Riyaz's answer to how to tackle this problem is fairly straightforward: "It comes back to asking the question - have organisations done a complete security audit? It's not an exercise where they need to reinvent the wheel - there are standard procedures for each application and operating system, to look at the baseline security for each platform.

"All organisations have to do is compare the security they've deployed on each application, each operating system, each server, each layer - compare it to the baseline and ensure that at least they have achieved the baseline," he explains.

One of the key questions is where should responsibility lie on this issue - with application vendors who make it easy to leave default passwords and the like, or with the organisations which deploy the applications? Riyaz believes that although both parties are responsible, ultimately the onus comes down to the end user organisation - it needs to take responsibility for its own apps.

This issue is further complicated for enterprises which have older application foundations, with specific apps that may not be able to cope with some of the more recent security requirements. At the most extreme end, it may come down to a choice of dumping the software, or leaving a potential security hole in the application layer.

Elsewhere in the world, especially the US, these decisions are to a large extent being taken out of companies' hands - compliance legislation such as the Sarbanes-Oxley Act (Sox) mandates rigorous auditing processes for internal controls and reporting mechanisms. Suddenly, insecure applications may be criminal, not just problematic.

As yet, such stringent compliance legislation has not affected the majority of the Middle East, with the exception of divisions of global companies operating here. But there are moves towards corporate compliance, with bodies such as Hawkamah in the UAE pushing this agenda.
