Secure Application Development
The Threat from Application Vulnerabilities
Critical weaknesses in development processes; badly written applications; deployment errors; increasingly disparate critical data; more demands being placed on the database: the holes have always been there, but now they are being exploited.
How can you be sure that your own applications are not similarly riddled with serious security issues? Is this risk seriously limiting your business agility and reach?
There are two key steps:
- Understand, and then control, the full set of commands that an application may legitimately issue to the database while performing its intended business functions.
- Apply centralised protection near the database, removing the need for immediate, costly changes to multiple applications.
“Applications are written badly... really badly; the holes have always been there and now they are being discovered.”
Rohit Dhamankar at the SANS 2006 briefing
The Solution
By building up a rich understanding of application-to-database behaviour, a security-savvy enterprise can insist that database interactions conform only to allowable behaviours. This eliminates the risk and cost of exposing and fixing large numbers of application vulnerabilities immediately, and allows patching to take place on a timescale driven by the business.
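The two key steps above and the behaviour-conformance idea in this section, as an added Python example (not Secerno's product code): each statement is reduced to a structural fingerprint, the set of fingerprints an application legitimately issues is learned from normal traffic (constructed statements here, with assumed table and column names), and any statement whose shape falls outside that set is flagged before it reaches the database.

```python
import re

# Added example (not Secerno's code): allowlist database statements by shape.
# Literal values change from request to request, so the allowlist is keyed on
# the statement's structure, not on the values it carries.

_STRING = re.compile(r"'(?:[^']|'')*'")        # 'abc', 'it''s'
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")     # 42, 3.14
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_SPACE = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its structural shape: string and numeric
    literals become '?', comments are dropped, whitespace and case are
    normalised. Two calls that differ only in parameter values collide."""
    s = _STRING.sub("?", sql)
    s = _COMMENT.sub(" ", s)
    s = _NUMBER.sub("?", s)
    s = _SPACE.sub(" ", s).strip().rstrip(";").strip()
    return s.lower()


class StatementAllowlist:
    """Learned set of legitimate statement shapes. Ordinary parameter changes
    pass; an extra clause spliced into the statement (an injected condition,
    a trailing comment) changes the shape and is rejected."""

    def __init__(self) -> None:
        self.allowed: set[str] = set()

    def learn(self, sql: str) -> None:
        self.allowed.add(fingerprint(sql))

    def check(self, sql: str) -> bool:
        return fingerprint(sql) in self.allowed


def build_demo() -> StatementAllowlist:
    # Constructed statements standing in for what the application issues
    # during normal use; table and column names are assumptions.
    wl = StatementAllowlist()
    wl.learn("SELECT id, name FROM users WHERE email = 'alice@example.com'")
    wl.learn("SELECT * FROM orders WHERE customer_id = 42 AND status = 'open'")
    return wl


def evaluate(wl: StatementAllowlist, statements: list[str]) -> dict[str, bool]:
    """Map each candidate statement to True (conforms) or False (flag it)."""
    return {sql: wl.check(sql) for sql in statements}
```

Because the fingerprint points at a specific statement shape the application never produced, a rejection also tells the developer which query, and hence which line of code, built the non-conforming statement.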
“Application-specific protocol-level IDS is the only way to effectively tackle the threat of SQL injection attack. For the first time, Secerno technology gives developers the tools to pinpoint exactly where the error lies, right down to a particular line of code.”
Paul Simmonds, The Jericho Forum.
“Secure software is that which has been engineered so that it continues to function ‘correctly’ under malicious attack”
Cyber-Security KTN – Secure Software Development Special Interest Group, 2007