Application security is a very extensive topic; a whole book could be written about it, similar to other layers of the cybersecurity onion. In this article, I’ll try to point out the most crucial areas of application security that every admin or security specialist should know.
Every secure application that stores users’ data (especially passwords) should keep it encrypted so that it cannot be viewed in plain text. It should implement strong access control so that users can view data only after proper authentication (providing credentials) and authorization (the system checks that they have the required permissions assigned to them).
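As an added example (not code from the original article), the following Python sketch shows the two checks described above against a small constructed in-memory user store: credentials are stored only as a random salt plus a PBKDF2-HMAC-SHA256 digest rather than in plain text, `authenticate` verifies the supplied password, and `authorize` separately checks that the authenticated user holds the role needed for the data. The store layout, role names and the `access_customer_data` endpoint are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; the OWASP password-storage guidance
# currently recommends around 600,000 iterations.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def create_user(store: dict, username: str, password: str, roles: set) -> None:
    """Store only salt + digest and the user's roles; the password itself is discarded."""
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "hash": digest, "roles": frozenset(roles)}


def authenticate(store: dict, username: str, password: str) -> bool:
    """Authentication: does the supplied password match the stored digest?"""
    record = store.get(username)
    if record is None:
        # Hash anyway so unknown and known usernames take similar time.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, record["hash"])


def authorize(store: dict, username: str, required_role: str) -> bool:
    """Authorization: does this (already authenticated) user hold the required role?"""
    record = store.get(username)
    return record is not None and required_role in record["roles"]


def access_customer_data(store: dict, username: str, password: str) -> str:
    """Hypothetical protected operation: authenticate first, then authorize."""
    if not authenticate(store, username, password):
        return "denied: authentication failed"
    if not authorize(store, username, "customer-data:read"):
        return "denied: not authorized"
    return "ok: customer data returned"


def demo_store() -> dict:
    """Constructed sample store: alice may read customer data, bob has no roles."""
    store: dict = {}
    create_user(store, "alice", "correct horse battery staple", {"customer-data:read"})
    create_user(store, "bob", "another-long-passphrase", set())
    return store


if __name__ == "__main__":
    db = demo_store()
    print(access_customer_data(db, "alice", "correct horse battery staple"))
    print(access_customer_data(db, "bob", "another-long-passphrase"))
    print(access_customer_data(db, "alice", "wrong password"))
```

The point of splitting `authenticate` and `authorize` is that a valid login is not the same as permission: bob logs in successfully and is still refused the data.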
The components used by the application should be modern and often updated with all necessary security patches when a vulnerability is detected.
All communication sent by the app should use encrypted protocols (like HTTPS), and the app should verify all requests it makes to remote resources to avoid “Server-Side Request Forgery” attacks, which allow an attacker to make the application send requests to external, unauthorized locations, potentially leading to sensitive data leaks.
A secure application should also be resistant to injection attacks, which allow unauthorized users to inject, for example, SQL code into the queries the application sends to its database via a login panel or other input fields.
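The vulnerable pattern and its fix, side by side, as an added example that is not part of the original article. The lookup built by string formatting lets input from a form field become part of the SQL statement, while the parameterized version passes the value to the driver separately so it can only ever be compared as data. The table and sample rows are constructed with Python’s built-in `sqlite3` module.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """INSECURE: the input is spliced into the statement text."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameterized query: the driver binds the value, it never becomes SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_db()
    # A tautology typed into the username field: every row matches in the
    # vulnerable query, no row matches when the same text is bound as a value.
    field = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, field))
    print("safe:      ", lookup_safe(db, field))
```

Parameter binding is the fix that removes the whole class of bug; input filtering or escaping on its own is a second line of defence, not a replacement.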
The application should also be able to monitor and log security events (like failed sign-ins or brute-force attempts). Even better, it should be possible to forward those logs to a remote server via common tools like rsyslog.
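To show what “monitor and log brute-force attempts” looks like in practice, here is an added Python example (not from the original article) that parses application sign-in log lines and raises an alert when one source address accumulates a threshold of failures inside a sliding time window. The log line format, the sample lines and the threshold are constructed for this illustration; the lines are assumed to arrive in chronological order, as they would from a single application log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample log (not real traffic). One source fails five times against
# different accounts within seconds; another has two spread-out failures and a success.
SAMPLE_LOG = """\
2024-03-01T10:00:01 app auth: failed sign-in user=alice src=198.51.100.7
2024-03-01T10:00:05 app auth: failed sign-in user=alice src=203.0.113.9
2024-03-01T10:00:06 app auth: failed sign-in user=bob src=203.0.113.9
2024-03-01T10:00:07 app auth: failed sign-in user=carol src=203.0.113.9
2024-03-01T10:00:09 app auth: failed sign-in user=dave src=203.0.113.9
2024-03-01T10:00:11 app auth: failed sign-in user=erin src=203.0.113.9
2024-03-01T10:00:12 app auth: successful sign-in user=alice src=198.51.100.7
2024-03-01T10:00:13 app other: cache warmed
2024-03-01T10:15:00 app auth: failed sign-in user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app auth: (?P<result>failed|successful) sign-in "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_line(line: str) -> Optional[Dict]:
    """Return a structured event for a sign-in line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Alert when a source reaches `threshold` failed sign-ins within `window`."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None or ev["result"] != "failed":
            continue
        recent = failures[ev["src"]]
        recent.append(ev["ts"])
        # Drop failures that have aged out of the window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        # Alert exactly when the threshold is reached, not on every later failure.
        if len(recent) == threshold:
            alerts.append({"src": ev["src"], "ts": ev["ts"], "failures": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print("brute-force suspected from %s at %s (%d failures)"
              % (alert["src"], alert["ts"].isoformat(), alert["failures"]))
```

The alert itself is what you would ship off-host; Python’s standard `logging.handlers.SysLogHandler` can hand such records to a local rsyslog, which then forwards them to the central collector.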
If you are developing an application, or evaluating one that you want to deploy in your company, check whether it is compliant with the OWASP Top 10 guidelines and whether it is resistant to the CWE Top 25 weaknesses highlighted by the MITRE Corporation.
Data security is all about securing your data in transit and at rest.
When discussing data security, it is important to mention the three principles of information security:
Confidentiality
Confidentiality means that the data should be private and visible/accessible only to those individuals who own it or need it to perform their organization’s role.
Integrity
Integrity means that the data must be protected against unauthorized changes when at rest or in transit.
Availability
Availability means that the data should always be available when the user needs it.
When thinking about data security, we should always keep these three principles in mind.
Every company should have authentication and authorization systems in place so that only authorized users can see and access the data (Confidentiality / Integrity). All data at rest or in transit should be encrypted so that no malicious actor can access it or make unauthorized changes (again Confidentiality / Integrity). There should also be a technology infrastructure in place so that the data is always accessible when needed (Availability).
The availability principle can be maintained by using highly available infrastructure (multiple redundant servers with clustering, load balancing, and power redundancy), business continuity plans (like an off-site data center to which you can switch in the event of on-premises hardware failure), or data recovery plans (proper backup infrastructure that can restore your data when needed).
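The integrity principle above, “protected against unauthorized changes at rest or in transit”, is usually enforced with a keyed message authentication code. As an added example (not the article’s own code), the Python block below attaches an HMAC-SHA256 tag to a record before it is written or sent, and refuses to accept the record back if a single byte of either the data or the tag has changed, or if a different key is used. The record content and key handling are constructed for the illustration; the example covers integrity only, and confidentiality of the same record would additionally require encryption.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(key: bytes, record: bytes) -> bytes:
    """Return record || HMAC-SHA256(key, record) for storage or transmission."""
    tag = hmac.new(key, record, hashlib.sha256).digest()
    return record + tag


def verify(key: bytes, blob: bytes) -> bytes:
    """Return the original record if the tag is valid; raise ValueError otherwise."""
    if len(blob) < TAG_LEN:
        raise ValueError("integrity check failed: blob too short")
    record, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how much of the tag matched.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record or tag was modified")
    return record


def is_intact(key: bytes, blob: bytes) -> bool:
    """Convenience wrapper: True if verify() accepts the blob."""
    try:
        verify(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice loaded from a key store, not generated per run
    record = b'{"account":"alice","balance":100}'  # constructed sample record
    blob = protect(key, record)
    print("untouched record intact:", is_intact(key, blob))
    tampered = blob.replace(b"100", b"999")  # unauthorized change to the stored data
    print("tampered record intact: ", is_intact(key, tampered))
    print("verified with wrong key: ", is_intact(secrets.token_bytes(32), blob))
```

This detects modification; it does not prevent it, so the key must be held by the verifier and kept away from whoever could alter the stored data.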
I hope that my articles helped you to recognize which areas of your IT infrastructure should be addressed to keep your company defended and that you gained some insights about interesting tools that can help you achieve it.
Stay tuned for more articles from Macrix Technology Group Think Tank.
Jędrzej Boguszyńki
IT Systems Administrator