Applications are the heart and soul of a business. Some applications support a single line of business exclusively; others exist to support other applications. Infrastructure products are the set of applications that support the higher-level applications used by each line of business. They form a layer that operates underneath the business application layer.
Infrastructure layers include:
- Network software support: switches, routers, and wireless routers.
- Database and platform support: Oracle, Linux distributions, and cloud databases.
- Communication tools: Teams, Confluence …
- Conferencing tools: Zoom, Google Meet, WebEx
- Infosec applications: SIEM, EDR, firewalls…
- Authorization and authentication tools
- Standard tools: Word, Excel, PowerPoint, Visio
Application needs:
- Browser-to-server applications – non-critical applications can be moved to this less reliable architecture; critical applications need a reliable architecture on top of a robust TCP/IP network infrastructure.
- A solid network layer that carries traffic between the browser and many servers.
- Middleware platforms such as Salesforce, which expose a robust API architecture that applications can build on.
- API-based applications.
- OAuth 2.0-integrated applications.
- Key management tools – both the infrastructure and the applications need these.
- Critical applications will be designed securely and with a robust architecture.
Because applications are the lifeblood of the company, an application failure costs more than the application itself: it also drives up the cost of running the services that depend on it to support other businesses and people.
So where does application security fit in this plan?
- Applications should be prioritized to determine which are most important to the business.
- The critical (high-risk) applications should be segmented by location: are they behind the business's main firewalls, or is the application exposed to the internet? Exposed applications need to be reviewed first.
- Is the traffic between the browser and the servers encrypted? Check that TLS is required, not merely offered.
- If exposed to the internet, are tools in place to make sure the backend portion of the application is protected from known application attacks?
- This includes OWASP Top 10 type weaknesses (injection, broken access control, and the like). Many of these can be found in source code by SAST (Static Application Security Testing) tools; SAST does not see deployment or runtime configuration, so it should be complemented with dynamic testing (DAST) of the exposed application.
- Some applications have components that are hard to update to address weaknesses because they were built by cutting and pasting from older applications.
- It can be very beneficial to rewrite the most common and critical portions in Python as a library, and have the other critical portions of the application call that library. Code that lives in one place is easier to test, debug and review, and a fix to the library reaches every caller.
- PHP or JavaScript applications are often hard to test because their development frequently harvests sections of code from other applications in the same language. In other words, too much code has been cut and pasted, which makes it hard to know what to update and test.
- Python applications can be designed in an object-oriented way that models the application's needs well. That modeling makes the application easier to develop and maintain.
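To make the "OWASP type weaknesses" point concrete, here is an added example (not code from the original page): a SQL injection, the CWE-89 pattern that SAST tools flag, in a login query beside its parameterized fix, written as a small reusable library class in the spirit of the Python-library approach above. The database schema, users, roles and passwords are constructed sample data.

```python
"""Added example (not from the original page): a SAST-findable OWASP weakness,
SQL injection (CWE-89), in a login query beside its parameterized fix, packaged
as a small reusable library class.  Schema, users, roles and passwords are
constructed sample data."""
import hashlib
import hmac
import sqlite3
from dataclasses import dataclass
from typing import Optional


def hash_password(password: str) -> str:
    # Demonstration only: unsalted SHA-256 keeps the example short. A real
    # library would use a salted, slow password hash (argon2, scrypt, bcrypt).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT, pw_hash TEXT)"
    )
    sample_users = [("alice", "admin", "correct horse"), ("bob", "user", "hunter2")]
    for username, role, password in sample_users:
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?)",
            (username, role, hash_password(password)),
        )
    conn.commit()
    return conn


@dataclass(frozen=True)
class User:
    username: str
    role: str


class UserRepository:
    """The one place in the code base that builds user queries, so a fix here
    reaches every application that imports the library."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self._conn = conn

    def login_vulnerable(self, username: str, password: str) -> Optional[User]:
        """The weakness a SAST tool flags: untrusted input spliced into SQL."""
        digest = hash_password(password)
        sql = (
            "SELECT username, role FROM users "
            f"WHERE username = '{username}' AND pw_hash = '{digest}'"
        )
        row = self._conn.execute(sql).fetchone()
        return User(*row) if row else None

    def login(self, username: str, password: str) -> Optional[User]:
        """Hardened: the driver binds the parameter, so the username is data,
        never query text, and the hash check is a constant-time comparison."""
        row = self._conn.execute(
            "SELECT username, role, pw_hash FROM users WHERE username = ?",
            (username,),
        ).fetchone()
        if row is None:
            return None
        if not hmac.compare_digest(row[2], hash_password(password)):
            return None
        return User(row[0], row[1])


if __name__ == "__main__":
    repo = UserRepository(build_sample_db())
    # Classic bypass payload: the SQL comment marker drops the password clause.
    payload = "alice' --"
    print("vulnerable:", repo.login_vulnerable(payload, "not-the-password"))
    print("hardened:  ", repo.login(payload, "not-the-password"))
    print("legitimate:", repo.login("alice", "correct horse"))
```

With the payload `alice' --` the vulnerable query becomes `... WHERE username = 'alice' --' AND pw_hash = '...'`, so SQLite ignores the password check and returns the admin account; the parameterized version looks up a user literally named `alice' --`, finds none, and returns None. Because both callers go through the same class, replacing `login_vulnerable` with `login` fixes every application that imports the library.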
Application security is critical to all applications, especially those that are not behind a firewall.
High-risk applications will only get more complex. That risk is mitigated by using off-the-shelf applications that are vetted by the product vendor, with customizations limited to the business needs the product does not already cover. Vendor vetting does not remove the need to track and apply the vendor's security updates.
The ongoing move to web browser/web server architectures should encourage the use of Python and other object-oriented application development tools.