Securing Business Application for effectiveness
Going back to basics, one could define business application security as processes, best practices, and technologies used to prevent unauthorized access to application data. Data security includes securing data-at-rest, as well as data-in-motion.
Running business applications, operating environments, network connectivity and integration with other applications and third-party technologies are the broad categories where application data flows; thus, it is warranted to carefully consider not only securing the application data but all of these aspects:
Secure Application Development Lifecycle
Securing business applications requires good development practices, processes and technologies throughout the software lifecycle to prevent and detect security vulnerabilities during design and coding so applications are built in a manner that minimizes risk.
Secure Running Business Applications
The primary focus of securing running business applications should be placed on the application data, i.e. CRUD (Create, Update, Read, Delete) activities within the application. In other words, it’s about the who, what, when and how of the application data.
Best practices such as authentication, authorization, auditing and data security via configuration are keys to making sure that application content is secure at runtime, while application network connections are extremely important to the security of data-in-motion.
Many business applications interface with other business applications and integrate with third-party technologies. Properly securing business applications means considering third-party technology integration as this will have a huge impact on potential access to your application.
Secure Deployment Environment
Securing deployed business applications requires security of the deployment environment, including the Operating Systems (OS) and any other infrastructure such as the cloud. There are many tools and best practices available from
multiple sources, such as the Microsoft Baseline Security Analyzer, to identify any missing security updates and common configurations.
Although addressing these three elements is crucial, the focus of this article will predominantly cover technologies and aspects related to securing running application data.
Securing Running Business Applications
Securing running business applications includes securing the data generated and maintained, and the application’s connectivity to the network. It requires consideration of the following basic elements:
• Authentication of Users: Who is allowed to get in either via a User Interface (UI) or directly to API’s?
• Authorization: Once a user logs into your application, what data are they allowed to access?
• Auditing: What did the user change?
• Data-at-rest: Is the data secure when it’s stored in the application?
• Data-in-motion: Is the data secure when it’s flowing through various architectural components of your application?
• Network connectivity: How do you make sure that the various ways in which a user can access your application are safe, both inside and outside the application boundaries?