We held a webcast last week with Mark Wireman of OpenSky, who is an expert in application security and has worked in this space for 15 years. We appreciate Mark taking the time to share his experience securing applications in the enterprise and responding to the onslaught of mobile-based entry points in the application development process.
During the course of the hour, we received a number of interesting questions and comments and thought they would make great topics for a few blog posts. Stay tuned for a follow-up post from Mark, which will include answers to several questions on Appsec in agile development.
Defensive vs. Offensive
There was a question during the webinar about defensive and offensive strategy as they relate to security. Mark will elaborate on them in his post, but we wanted to say a few words about them as well.
At CAST, we see many companies taking a code quality approach to application security. That is, they look at software analysis at the code level and use that to flag potential security issues -- typically after the SDLC dumps the code into production. While that might seem like a reasonable approach, we believe it’s not enough.
Virtually all thought leaders in application security believe the most advanced security measures are realized in architectural analysis of applications. Truly good security should include elements of an architecture that protects application data, and a process that guarantees security aspects of the architecture are not bypassed. We’ve only seen that deployed by a few CAST customers, and nowhere else. But we believe we’ll all get there, eventually.
Towards the end of our session, we received this comment:
We wholeheartedly agree. Mobile apps only raise the stakes and the importance of securing sensitive data. As we heard from Mark during the webinar, and we hear from the assurance community, most attacks are trying to find their way to the data. We believe that it’s much more than the mobile app that needs to be secured -- it’s a system-wide problem that involves the whole application. It’s an issue of overall architecture and how the entire system needs to be designed with security in mind. The mobile app is just one piece, but an important entry point into the legacy application and hence, part of the overall system architecture.
Stay tuned for more details and answers from Mark in part two of this post.