120 likes | 215 Views
Security At The Application Level. Damon Hart-Davis Principal Consultant Code Red. the application level. What is ``Application Level’’?. Your application’s ability to resist accident and malice From use of passwords to survival of building fire Maintenance and upgrade needs thought too
E N D
Security At The Application Level Damon Hart-Davis Principal Consultant Code Red Security from Head to Toe
the application level What is ``Application Level’’? • Your application’s ability to resist accident and malice • From use of passwords to survival of building fire • Maintenance and upgrade needs thought too Q: Can your contractors edit your warehouse book and which of your competitors will they work for next? Security from Head to Toe
the application level Is ``Application Level’’ Enough? No, we need to interlock with several other components: • Physical • Operating System • Border and interdepartmental • Legal • Operational Q: How much do you pay the person who handles all your backup tapes? Security from Head to Toe
the application level A Typical Investment Banking System? • Position database is globally read-write • Back office uses comment field for complex trades • Quants and traders keep vital data in their desks • The CEO says: ``We want our high-net-worth individuals to update their portfolio over the Net.’’ Q: Do your insurers and auditors sleep well at night? Security from Head to Toe
the application level The Risks and Costs? Systems often end up this way, so what do we need to address at the application level? • Operational risk, eg files being deleted • Malice, internal or external • Physical disaster: loss of access to vital data Q: Can you truthfully declare your system safe and robust on your annual returns? Security from Head to Toe
the application level Don’t Panic! Wisdom from The Hitchhiker's Guide To The Galaxy. • Not all of your code/data needs to be equally secure • Analyse what needs to be secure and how much • Partition systems for ``need-to-know’’ Q: Could a programming slip in your JSP lose a trade? Security from Head to Toe
the application level Secure Interactions • Some data can be safely accessed anonymously • Some access must be secure, eg over HTTPS • Some solutions are off-the-shelf and some will be roll-your-own Q: How do you originate outgoing HTTPS in code? Security from Head to Toe
the application level Key Management Secure interactions imply key management. • You have to expect systems to get broken into • What if you are served with a RIP Section 49 notice? • What are the pros and cons of hardware keys? Q: What validity period should your keys have and where do you store keys and their backups? Security from Head to Toe
the application level Tunnelling and Remote Access • CORBA/RMI/etc tunnels expose your entire system • Don’t be lazy; design, write and test narrow interfaces • Remote/home access has much the same effect Q: Are you thinking ``Need-to-know’’? Security from Head to Toe
the application level Testing and Monitoring Any significant exposed app should be regularly tested: • For performance • For correct/safe response to all inputs Tests should be performed: • At the unit level • At integration and release • 24x7 with paging to ops in case of any failure Q: Do you monitor your system for success and failure? Security from Head to Toe
the application level Maintenance: Barnacles that Sink the Ship? Discipline is vital when maintaining and upgrading. • Make sure that a design audit is done before release • Make sure security and other testing is done regularly • Don’t get lazy and ``open this up a bit’’ to save time Q: Do you do each release as carefully as the first? Security from Head to Toe
the application level Summary • Application security is vital but not whole story • Don’t panic; focus technical and business time • Design your system to allow for failures, break-ins • Security at the application level is 24x7 Q: Are you thinking ``Head to Toe?’’ Security from Head to Toe