AT ISSUE: A security consultant quickly turns up problems with the application layer.
ACTION PLAN: Buckle down and finally learn about an aspect of security that's been ignored.
Computerworld - An independent consultant is evaluating our security posture, and he'll be here for the next several weeks. It's the sort of thing that makes me as nervous as a mother whose child is applying to colleges. I used to be a security consultant myself, so I understand what the consultant is looking for. I have prepared. But it's always nerve-wracking to see your "children" judged by outsiders.
I'm glad we're following this security best practice, though I don't really expect any surprises. In fact, upon receiving the first of what will be many reports from the consultant, I broke into laughter, for there in writing was what we have long known to be our weakest link: the application layer.
I don't make any claims of being an expert in application-layer security. I don't have an application development background, and I find myself avoiding the topic. It's probably not the best position, but I don't know what to do about it.
I am fairly expert at network security, Windows and Unix operating system security, physical security, wireless security, building security and access controls. But a security manager can't secure just the things she understands. All those other things could be tight as a drum, but it's all for naught if hackers can get in through the application layer.
And that's the problem with the application layer: Hackers can get in through it if it's not secured, because most applications have been Web-enabled, which puts them within reach of anyone who can send a request to the Web server.
Right now, we're protecting our applications by placing the Web servers in the DMZ, keeping the application and database servers behind the firewall, running "pinhole" connections between them, maintaining rules on whether a server can pull or push information, and mandating access control based on roles. The servers are patched on a regular basis (weekly, lately), and we scan for vulnerabilities. But that's about it. I'm trying to figure out how to ensure that the applications that are built in-house are properly secured.
I'm not sure where to start. I could never do a source-code audit. I wouldn't even know what I was looking for.
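As an added illustration of the kind of flaw an application-layer review is looking for (this is example code, not anything from the column or the author's environment): a login query that pastes the Web form's input into SQL, the same query with bound parameters, and a crude first-pass check a non-developer could run over source files to find candidate lines. The user table, the attack string and the sample source snippet are constructed for the example, and the attack travels inside an ordinary HTTP request, so the DMZ, the firewall pinholes and the patch schedule never see it.

```python
import re
import sqlite3

# Constructed sample data standing in for an in-house application's user table.
SAMPLE_USERS = [("alice", "s3cret-1", "admin"), ("bob", "hunter2", "staff")]


def make_db():
    """Build an in-memory SQLite database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Assembles the query by string formatting: form input becomes SQL."""
    sql = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same query, but the driver binds the values; input can only ever be data."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Classic tautology payload typed into the password field. Against the
# vulnerable query it yields  ... AND password = '' OR '1'='1'  which is true
# for every row, so the first user (an admin here) is "authenticated".
PAYLOAD = "' OR '1'='1"


def demo():
    """Returns the role each login variant grants for a real and a forged password."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "bob", "hunter2"),
        "attack_vulnerable": login_vulnerable(conn, "alice", PAYLOAD),
        "legit_hardened": login_hardened(conn, "bob", "hunter2"),
        "attack_hardened": login_hardened(conn, "alice", PAYLOAD),
    }


# A deliberately simple audit heuristic (an assumption of this example, not a
# real tool): a line that carries a SQL keyword and also builds a string with
# %, + or an f-string is a candidate for review. It finds suspects, not proof.
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
CONCAT_MARK = re.compile(r"""(%\s*\(|%\s*[A-Za-z_]|\+\s*[A-Za-z_]|\bf["'])""")


def find_string_built_sql(source):
    """Return 1-based line numbers of lines that look like string-built SQL."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if SQL_KEYWORD.search(line) and CONCAT_MARK.search(line):
            hits.append(lineno)
    return hits


# Constructed source snippet: lines 1 and 3 build SQL from variables, line 2 binds.
SAMPLE_SOURCE = """\
cur.execute("SELECT role FROM users WHERE username = '%s'" % user)
cur.execute("SELECT role FROM users WHERE username = ?", (user,))
query = "DELETE FROM sessions WHERE id = " + sid
"""


if __name__ == "__main__":
    print(demo())
    print("suspect lines:", find_string_built_sql(SAMPLE_SOURCE))
```

The point of the comparison is that both functions run the same SELECT over the same data; only the way the input reaches the database differs, and that difference is invisible to a network scanner. The line-matching check is a starting point for someone who, like the column's author, does not have a development background: it points at lines worth asking a developer about, and it will miss SQL assembled across several lines.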
To gain some insight, I turned to the Nessus open-source tool and decided to run it against a production server that is accessible only by the security staff — or should be. We run several security applications on it. If I happened to knock down the server with my probing, I had access to bring it back online.