APPLICATION SECURITY CONTROL DEFINITION
Identifying and managing Application Security Controls (or security requirements) and security issues are essential aspects of an effective secure software development program. The practices identified in this document and their application security controls will lead to the identification of software design or implementation weaknesses which, if exploited, expose the application, environment or company to a level of risk. These issues must be tracked, and action must be taken to improve the overall security posture of the product.
At A High Level, The Workflow Should Include:-
- Identifying threats, the workflow and compliance drivers faced by this application
- Identifying appropriate security requirements to address those threats and risks
- Communicating the security requirements to the appropriate implementation teams
- Validating that each security requirement has been implemented
- Auditing, if required, to demonstrate compliance with any applicable policies or regulations
- Economy Of Mechanism:- Keep the design of the system as simple and small as possible.
- Fail-Safe Defaults:- Base access decisions on permission rather than exclusion.
- Complete Mediation:- Every access to every object must be checked for authorization.
- Least Privilege:- Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
- Least Common Mechanism:- Minimize the amount of mechanism common to more than one user and depended on by all users.
- Psychological Acceptability:- It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
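The fail-safe defaults, complete mediation and least privilege principles listed above, shown as an added Python example that is not part of the original page. The GuardedStore class, the user names and the grants are hypothetical and constructed for illustration.

```python
class AccessDenied(Exception):
    """Raised when no explicit grant covers the requested access."""


# Constructed sample policy: explicit grants only, there is no deny list.
SAMPLE_GRANTS = {
    ("alice", "report.txt"): {"read", "write"},
    ("bob", "report.txt"): {"read"},  # least privilege: bob only reads
}


class GuardedStore:
    """Hypothetical object store; data is reachable only via checked methods."""

    def __init__(self, grants):
        self._grants = grants  # (user, object) -> set of permitted actions
        self._data = {}
        self.audit = []        # every decision is recorded, allowed or not

    def _authorize(self, user, obj, action):
        # Fail-safe default: anything without an explicit grant is denied.
        allowed = action in self._grants.get((user, obj), ())
        self.audit.append((user, obj, action, allowed))
        if not allowed:
            raise AccessDenied(f"{user} may not {action} {obj}")

    # Complete mediation: each access re-checks the policy; nothing is cached.
    def read(self, user, obj):
        self._authorize(user, obj, "read")
        return self._data.get(obj, "")

    def write(self, user, obj, content):
        self._authorize(user, obj, "write")
        self._data[obj] = content


def demo():
    grants = {key: set(actions) for key, actions in SAMPLE_GRANTS.items()}
    store = GuardedStore(grants)
    store.write("alice", "report.txt", "q3 numbers")
    first = store.read("bob", "report.txt")        # explicit grant: allowed
    grants[("bob", "report.txt")].discard("read")  # revoke bob's grant
    denied = []
    for user in ("bob", "mallory"):                # revoked user, unknown user
        try:
            store.read(user, "report.txt")
        except AccessDenied:
            denied.append(user)
    return first, denied, store.audit
```

Because every call goes through `_authorize`, the revocation takes effect on bob's next read, and the unknown user is refused without any rule naming them.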
SECURE CODING PRACTICES
When developers write software, they can make mistakes. Left undetected, these mistakes can lead to unintentional vulnerabilities that potentially compromise that software or the data it processes. A goal of developing secure software is to minimize the number of these unintentional code-level security vulnerabilities.
This Can Be Achieved By:-
- Establish Coding Standards And Conventions.
- Use Safe Functions Only.
- Use Current Compiler And Toolchain Versions.
- Use Code Analysis Tools To Find Security Issues Early.
- Handle Data Safely.
An essential component of an SDL program, and typically the first set of activities adopted by an organization, is some form of security testing. For organizations that do not have many security development practices, security testing is a useful tool to identify existing weaknesses in the product or service and serve as a compass to guide initial security investments and efforts, or to help inform a decision on whether or not to use third-party components.
AUTOMATIC TESTING:-
- Use Static Analysis Security Testing Tools.
- Perform Dynamic Analysis Security Testing.
- Fuzz Parsers.
- Network Vulnerability Scanning.
- Verify Secure Configuration and Use Of Platform Mitigations
- Perform Manual Verification Of Security Features/Mitigations.
- Perform Penetration Testing.