
Are your applications securely holding the fort in your enterprise?

Info_Security 08-23-2013 02:03 AM - edited 09-30-2015 06:58 AM

Adversaries are always on the prowl to penetrate the perimeters of the enterprise through the demilitarized zones, the intranet, the servers, the operating systems, the applications and finally, the data. Their overall goal is to gain access to the underlying data, which has even more value and context when accessed through the applications layer. Once the applications security is compromised, there are really no more layers of protection—since it opens up unfettered access to the data. Therefore, the applications layer has to hold the fort in your enterprise and be on guard should the outer perimeters be penetrated.


HP Distinguished Technologist John Diamant points out, in his interview on SecuritySolutionsWatch.com, that applications continue to represent one of the weakest links in enterprise security. So, what steps can enterprises take to address this challenge? The “Application security in the SDLC” session by Kevin Poniatowski from Safelight Security at HP Protect 2013 provides some pointers. “Application security is not an add-on or a plug-in. It is a process that must be included in all phases of the development lifecycle to mitigate risk,” Poniatowski writes. What exactly does this mean within each phase of the Software Development Lifecycle? Let us take a look.


Analysis. Along with functional requirements, the non-functional requirements—including security—must also be determined for an application before it is architected. This includes a gap analysis of security regulations and best practices that apply to individual applications. Doing so would make it easier to justify the cost of enforcing the right security measures in alignment with these requirements.


Architecture. Security is an integral part of the Enterprise Architecture (EA) DNA. A high-level view of the architecture must be used for threat modeling and attack surface analysis to identify weaknesses in the structure and design, because those weaknesses correlate directly with the security vulnerabilities that are likely to be coded or configured into an application.


Build. Application designs must also address the not-so-happy what-if scenarios. Model-driven approaches work well to proactively anticipate security violations, ensuring the right measures are in place at design time. Tools must be used to effectively scan the source code for vulnerabilities.


Test. “You can’t rely only on testing scenarios to find and fix all of your existing application vulnerabilities,” Diamant cautions. We must still test and fix security flaws even though they are reactive measures that should have been preempted in the preceding phases.


Sustain. Applications meet infrastructural components of network and storage, which open up additional intersection points — a fertile ground for violations. Independent validations and verifications of existing applications must be performed to proactively identify gaps, and therefore vulnerabilities.


The 9th Annual HP Security user conference, HP Protect 2013, provides an opportunity to attend about 150 technical sessions on enterprise security that comprehensively address various aspects including Network, Data, Software, and Information and Event Management.


What measures are you taking within your enterprise to proactively enforce application security across the Software Development Life Cycle (SDLC)? Please consider attending the Application security session to check out other options.


Connect with Nadhan on: Twitter, Facebook, Linkedin and Journey Blog.


HP Distinguished Technologist E.G. Nadhan has over 25 years of experience in the IT industry across the complete spectrum of selling, delivering and managing enterprise level solutions for HP customers. He is the Chief Architect for the standardized framework of processes and tools that HP Enterprise Services uses to deliver world-class applications solutions.

Twitter handle @NadhanAtHP.



on 09-06-2013 07:44 AM

A very interesting article and well written :)
