1 / 12

Security At The Application Level

Security At The Application Level. Damon Hart-Davis Principal Consultant Code Red. the application level. What is ``Application Level’’?. Your application’s ability to resist accident and malice From use of passwords to survival of building fire Maintenance and upgrade needs thought too

flann
Download Presentation

Security At The Application Level

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security At The Application Level Damon Hart-Davis Principal Consultant Code Red Security from Head to Toe

  2. the application level What is ``Application Level’’? • Your application’s ability to resist accident and malice • From use of passwords to survival of building fire • Maintenance and upgrade needs thought too Q: Can your contractors edit your warehouse book and which of your competitors will they work for next? Security from Head to Toe

  3. the application level Is ``Application Level’’ Enough? No, we need to interlock with several other components: • Physical • Operating System • Border and interdepartmental • Legal • Operational Q: How much do you pay the person who handles all your backup tapes? Security from Head to Toe

  4. the application level A Typical Investment Banking System? • Position database is globally read-write • Back office uses comment field for complex trades • Quants and traders keep vital data in their desks • The CEO says: ``We want our high-net-worth individuals to update their portfolio over the Net.’’ Q: Do your insurers and auditors sleep well at night? Security from Head to Toe

  5. the application level The Risks and Costs? Systems often end up this way, so what do we need to address at the application level? • Operational risk, eg files being deleted • Malice, internal or external • Physical disaster: loss of access to vital data Q: Can you truthfully declare your system safe and robust on your annual returns? Security from Head to Toe

  6. the application level Don’t Panic! Wisdom from The Hitchhiker's Guide To The Galaxy. • Not all of your code/data needs to be equally secure • Analyse what needs to be secure and how much • Partition systems for ``need-to-know’’ Q: Could a programming slip in your JSP lose a trade? Security from Head to Toe

  7. the application level Secure Interactions • Some data can be safely accessed anonymously • Some access must be secure, eg over HTTPS • Some solutions are off-the-shelf and some will be roll-your-own Q: How do you originate outgoing HTTPS in code? Security from Head to Toe

  8. the application level Key Management Secure interactions imply key management. • You have to expect systems to get broken into • What if you are served with a RIP Section 49 notice? • What are the pros and cons of hardware keys? Q: What validity period should your keys have and where do you store keys and their backups? Security from Head to Toe

  9. the application level Tunnelling and Remote Access • CORBA/RMI/etc tunnels expose your entire system • Don’t be lazy; design, write and test narrow interfaces • Remote/home access has much the same effect Q: Are you thinking ``Need-to-know’’? Security from Head to Toe

  10. the application level Testing and Monitoring Any significant exposed app should be regularly tested: • For performance • For correct/safe response to all inputs Tests should be performed: • At the unit level • At integration and release • 24x7 with paging to ops in case of any failure Q: Do you monitor your system for success and failure? Security from Head to Toe

  11. the application level Maintenance: Barnacles that Sink the Ship? Discipline is vital when maintaining and upgrading. • Make sure that a design audit is done before release • Make sure security and other testing is done regularly • Don’t get lazy and ``open this up a bit’’ to save time Q: Do you do each release as carefully as the first? Security from Head to Toe

  12. the application level Summary • Application security is vital but not whole story • Don’t panic; focus technical and business time • Design your system to allow for failures, break-ins • Security at the application level is 24x7 Q: Are you thinking ``Head to Toe?’’ Security from Head to Toe

More Related