What is application security?
Application security is the process of making apps more secure by finding, fixing, and enhancing the security of apps. Much of this happens during the development phase, but it includes tools and methods to protect apps once they are deployed. This is becoming more important as hackers increasingly target applications with their attacks.
Hundreds of tools are available to secure various elements of your applications portfolio, from locking down coding changes to assessing inadvertent coding threats, evaluating encryption options and auditing permissions and access rights. There are specialized tools for mobile apps, for network-based apps, and for firewalls designed especially for web applications.
Why application security is important?
The faster and sooner in the software development process you can find and fix security issues, the safer your enterprise will be.
And, because everyone makes mistakes, the challenge is to find those mistakes in a timely fashion. For example, a common coding error could allow unverified inputs. This mistake can turn into SQL injection attacks and then data leaks if a hacker finds them.
Application security tools that integrate into your application development environment can make this process and workflow simpler and more effective. These tools are also useful if you are doing compliance audits, since they can save time and the expense by catching problems before the auditors seen them.
The rapid growth in the application security segment has been helped by the changing nature of how enterprise apps are being constructed in the last several years. Now, we have new working methods, called continuous deployment and integration, that refine an app daily, in some cases hourly. This means that security tools have to work in this ever-changing world and find issues with code quickly.
Application security tools
While there are numerous application security software product categories, the meat of the matter has to do with two: security testing tools and application shielding products. The former is a more mature market with dozens of well-known vendors, some of them are lions of the software industry such as IBM, CA and MicroFocus. These tools are well enough along that Gartner has created its Magic Quadrant and classified their importance and success. Review sites such as IT Central Station have been able to survey and rank these vendors, too.
Gartner categorizes the security testing tools into several broad buckets, and they are somewhat useful for how you decide what you need to protect your app portfolio:
Static testing: which analyzes code at fixed points during its development. This is useful for developers to check their code as they are writing it to ensure that security issues are being introduced during development.
Dynamic testing: which analyzes running code. This is more useful, as it can simulate attacks on production systems and reveal more complex attack patterns that use a combination of systems.
Interactive testing: which combines elements of both static and dynamic testing.
Mobile testing: is designed specifically for the mobile environments and can examine how an attacker can leverage the mobile OS and the apps running on them in its entirety.
Another way to look at the testing tools is how they are delivered, either via an on-premises tool or via a SaaS-based subscription service where you submit your code for online analysis. Some even do both.
Runtime application self-protection (RASP): These tools could be considered a combination of testing and shielding. They provide a measure of protection against possible reverse-engineering attacks. RASP tools are continuously monitoring the behavior of the app, which is useful particularly in mobile environments when apps can be rewritten, run on a rooted phone or have privilege abuse to turn them into doing nefarious things. RASP tools can send alerts, terminate errant processes, or terminate the app itself if found compromised.RASP will likely become the default on many mobile development environments and built-in as part of other mobile app protection tools. Expect to see more alliances among software vendors that have solid RASP solutions.
Code obfuscation: Hackers often use obfuscation methods to hide their malware, and now tools allow developer to do this to help protect their code from being attacked.
Encryption and anti-tampering tools: These are other methods that can be used to keep the bad guys from gaining insights into your code.
Threat detection tools: These tools examine the environment or network where your apps are running and make an assessment about potential threats and misused trust relationships. Some tools can provide device "fingerprints" to determine whether a mobile phone has been rooted or otherwise compromised.
Application security challenges
The responsibility for application security could be spread across several different teams within your IT operations: The network folks could be responsible for running the web app firewalls and other network-centric tools, the desktop folks could be responsible for running endpoint-oriented tests, and various development groups could have other concerns. This makes it hard to suggest one tool that will fit everyone's needs, which is why the market has become so fragmented.
No comments:
Post a Comment