There is a key need for both Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). Together they help us ensure that the applications we buy or develop are secure. I had my 1-on-1 with the speaker at lunchtime. He suggests that we should be asking vendors what kinds of analysis they have performed on their code. We should expect the security tools we use alongside code development to be deeply integrated with the IDE (Visual Studio, in our case), so that findings reach developers where they work rather than in a separate report.
There is a growing body of threats to database applications, reached through their web interfaces. We should look at data obfuscation (data masking) technologies, both to help us with testing and for the cases where vendors ask us to send them databases for debugging (something we currently refuse to do). Masked copies keep the shape and relationships of the data so bugs still reproduce, without shipping the real values. Vendors: Applimation, DCR, Compuware, Camouflage, IBM, Oracle.
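As an added illustration of what a data obfuscation tool does to a database extract before it leaves the organisation (this is example code written for these notes, not a product from any of the vendors listed above), the block below masks a constructed customer table. It uses a keyed HMAC so the same input always maps to the same token (joins and duplicate rows survive masking, but the token cannot be reversed without the key), keeps the e-mail domain but tokenizes the local part, redacts the SSN while preserving its format, and coarsens the balance. The row data, field names and `MASK_KEY` are all assumptions chosen for the example; the final check refuses to release the output if any original sensitive value still appears in it.

```python
import hashlib
import hmac
import re

# Constructed sample rows standing in for a customer table a vendor might
# ask us to send for debugging. None of this is real data.
SAMPLE_ROWS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "balance": 2500.00},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "ssn": "987-65-4321", "balance": 80.25},
    # Duplicate of the first row: masking must map it to the same tokens.
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "balance": 2500.00},
]

# Assumed secret for the example. In practice it stays with the data owner and
# is never shipped alongside the masked extract.
MASK_KEY = b"test-only-masking-key-do-not-reuse"


def pseudonym(value, key=MASK_KEY, length=12):
    """Keyed, deterministic token: equal inputs give equal tokens (referential
    integrity is preserved) but the value cannot be recovered without the key."""
    digest = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_email(email, key=MASK_KEY):
    """Tokenize the local part but keep the domain, which is often what a
    routing or formatting bug depends on."""
    local, _, domain = email.partition("@")
    return f"{pseudonym(local, key)}@{domain}"


def mask_ssn(ssn):
    """Format-preserving redaction: keep the NNN-NN-NNNN shape, drop every digit.
    Irreversible by design; nothing downstream should need the real number."""
    return re.sub(r"\d", "X", ssn)


def mask_row(row, key=MASK_KEY):
    return {
        "customer_id": row["customer_id"],      # surrogate key, kept as-is
        "name": pseudonym(row["name"], key),     # deterministic token
        "email": mask_email(row["email"], key),
        "ssn": mask_ssn(row["ssn"]),
        "balance": round(row["balance"], -2),    # keep the magnitude, lose the exact figure
    }


def mask_rows(rows, key=MASK_KEY):
    return [mask_row(r, key) for r in rows]


def find_leaks(original_rows, masked_rows, fields=("name", "email", "ssn")):
    """Pre-release check: return every original sensitive value that still
    appears anywhere in the masked output. An empty list means it is safe to ship."""
    blob = repr(masked_rows)
    return [r[f] for r in original_rows for f in fields if r[f] in blob]


if __name__ == "__main__":
    masked = mask_rows(SAMPLE_ROWS)
    for row in masked:
        print(row)
    leaks = find_leaks(SAMPLE_ROWS, masked)
    print("leaks:", leaks)
```

Two properties are worth checking before any masked extract goes out: that rows which were equal before masking are still equal afterwards (otherwise the vendor cannot reproduce join-related bugs), and that masking under a different key yields different tokens (otherwise the "secret" adds nothing).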
"Legacy application is any application that really works." In other words, as soon as an application goes live, it is legacy; and as soon as we take our eye off the ball and stop actively working on an application, it becomes legacy. Understanding the legacy estate is the key to securing it: use dynamic and static analysis to collect information on what the legacy applications actually do and expose, and from that determine what needs to be done to secure them.
Consider a quadrant picture with two axes: application business value (increasing to the right) against application technical quality (increasing upward). Business value doubles as the harm axis: a successful attack on a low-value application is low harm, and on a high-value application it is high harm.

| | Low business value (successful attack is low harm) | High business value (successful attack is high harm) |
| High technical quality | Tolerate (re-evaluate/reposition) | Integrate (maintain/evolve) |
| Low technical quality | Eliminate (retire/consolidate) | Migrate (modernize/re-engineer) |
Open source SAST and DAST tools are being used by attackers to find vulnerabilities in applications, which they then exploit. We need to make sure we understand what the attackers understand about our applications, which means running the same classes of tools against our own code and deployments rather than waiting for someone else to.
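To make concrete what an open source static analysis tool sees when pointed at our code, here is an added example (written for these notes, not code from the speaker or from any real scanner) of the smallest useful SAST check: walk the Python AST and flag every `execute()`-style database call whose query text is assembled at runtime by `%` formatting, `+` concatenation, an f-string or `.format()`, while leaving parameterized queries alone. The two source snippets it scans are constructed for the example; the sink names and the placeholder styles it accepts are assumptions. It needs Python 3.9 or later for `ast.unparse`.

```python
import ast

# Constructed sample source standing in for application code under review.
# Every call here builds the SQL string from user input and should be flagged.
VULNERABLE_SRC = '''
def find_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % username)
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")
    cursor.execute("SELECT * FROM users WHERE name = '{}'".format(username))
'''

# Constructed safe counterpart: same queries, parameterized, so nothing is flagged.
SAFE_SRC = '''
def find_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))
    cursor.execute("SELECT * FROM users WHERE name = ?", (username,))
'''

# Assumed sink method names (DB-API style cursors).
SINK_NAMES = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node):
    """True if the expression builds a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):                       # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        # "..." % x  or  "..." + x: dynamic when either operand is a string
        # literal or is itself a dynamically built string.
        return any(
            (isinstance(s, ast.Constant) and isinstance(s.value, str))
            or _is_dynamic_string(s)
            for s in (node.left, node.right)
        )
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):                  # "...{}".format(x)
        target = node.func.value
        return isinstance(target, ast.Constant) and isinstance(target.value, str)
    return False


class SqlSinkVisitor(ast.NodeVisitor):
    """Collects (line, query_expression) for sink calls with a runtime-built query."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in SINK_NAMES and node.args
                and _is_dynamic_string(node.args[0])):
            self.findings.append((node.lineno, ast.unparse(node.args[0])))
        self.generic_visit(node)


def scan_sql_sinks(source):
    """Return a list of (line_number, query_expression) for every flagged call."""
    visitor = SqlSinkVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("safe", SAFE_SRC)):
        print(f"== {label} ==")
        for line, expr in scan_sql_sinks(src):
            print(f"  line {line}: query built at runtime: {expr}")
```

A real scanner adds taint tracking (is `username` actually attacker-controlled?) and many more sinks, but the point stands: this is cheap to write, free to run, and an attacker reading our code or a leaked repository will run something at least this good. The parameterized form passes not because the check is lenient but because the query text is a constant and the data travels separately.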
We should be using security testing tools through all phases of application development, not just before release, to ensure we develop secure applications. We need to look at the speaker's Gartner publications for more direction.