Looking at technical security, it is obvious that the biggest part of our attention and our budgets focuses on its infrastructure aspects. When you describe someone as a "security guy", the chances that he or she deals with firewalls, hardening, VPNs or antivirus are high. This is simply a sign that infrastructure security is widespread, with baseline measures implemented in a consistent and integrated manner. Not that it is perfect: there is still room for better management, lower cost or more efficient protection. Overall, however, infrastructure security is a well-established niche.
Authentication is widespread and is implemented in a consistent manner across an organisation or business unit in the form of desktop user authentication. Two-factor authentication is implemented selectively, especially in high-risk areas, for instance for remote access. Authorisation is widespread and is implemented consistently using the authorisation capabilities provided by infrastructure (e.g. file, email) and networking (e.g. firewall) technology. Yet it often fails because it is traded off against performance, ease of use, or ease of support. Audit capabilities are widespread but are typically used selectively. Platform logging and network intrusion detection, the main mechanisms for implementing auditing, are typically used only in high-risk areas, as their wider use is prevented by the difficulty of processing the captured data efficiently and acting upon it. Data integrity measures are widespread and implemented consistently using secure channels and infrastructure access controls. Secure channels are widely adopted, especially at the interface to customers, where sensitive data is passed between them and the system. They are implemented using the virtual private network capabilities provided by platform or networking technology. Platform integrity measures have been a hallmark of the infrastructure approach to security, with widespread and consistent use of firewalls and anti-virus technology and selective use of platform hardening in high-risk areas.
Application security is, in general, paid much less attention. It is not completely ignored, yet it lives in a shady world between existence and non-existence. It is implemented frequently, but mostly in a very selective and inconsistent manner, largely local to individual applications and application platforms.
Application authentication is widespread, most often implemented using password-based technology. Due to limitations of the underlying application infrastructure and vendor support, implementations are often local to individual applications. Authorisation is widespread, but again it is mostly local to an application or application platform. Application audit capabilities are used less frequently and more selectively than preventive security. Application security logging capabilities are often poor and require substantial configuration and customisation to work, and their implementation is typically local to the application. Data integrity measures are used widely but inconsistently, mostly through validation of input, processing and output, and through secure channel technology. These measures are implemented locally within application functions and are focused mainly on data quality and prevention of errors. Secure channels are used widely: consistently for new web-based applications, but rarely for legacy applications. Application platform integrity measures are implemented in a limited and selective manner, using application hardening only in high-risk areas.
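The paragraph above notes that application-level validation of input and output tends to be implemented locally, function by function, rather than consistently. The following is an added example (not code from the original post or its author) of the alternative: one central rule table and one output-encoding step that every application function goes through. All field names, rules and sample records are constructed for illustration.

```python
"""Added example: a central input-validation and output-encoding layer so
that application data-integrity checks are applied consistently rather
than re-implemented locally inside each function.
All names, rules and sample records here are constructed, not taken from
any real application."""
import html
import re
from typing import Callable

# Central rule table: one rule per accepted field, shared by every function.
# Anything not listed here is rejected outright (allow-list, not deny-list).
RULES: dict[str, Callable[[str], bool]] = {
    "username": lambda v: re.fullmatch(r"[A-Za-z0-9_]{3,32}", v) is not None,
    "amount": lambda v: re.fullmatch(r"\d{1,9}(\.\d{1,2})?", v) is not None,
    # Free text is allowed but bounded; it is escaped on output, not trusted.
    "note": lambda v: len(v) <= 200 and v.isprintable(),
}


class ValidationError(ValueError):
    """Raised when a record fails the central rules."""


def validate(record: dict[str, str]) -> dict[str, str]:
    """Reject unknown fields and any value that fails its central rule."""
    unknown = set(record) - set(RULES)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    for field, value in record.items():
        if not isinstance(value, str) or not RULES[field](value):
            raise ValidationError(f"invalid value for {field!r}")
    return record


def encode_for_html(record: dict[str, str]) -> dict[str, str]:
    """Output-side integrity: escape every value before it reaches a page."""
    return {k: html.escape(v, quote=True) for k, v in record.items()}


def process_payment(raw: dict[str, str]) -> dict[str, str]:
    """A representative application function (hypothetical): validated on
    the way in, business logic in the middle, encoded on the way out."""
    rec = validate(raw)
    out = {"username": rec["username"], "amount": f"{float(rec['amount']):.2f}"}
    if "note" in rec:
        out["note"] = rec["note"]
    return encode_for_html(out)


def try_process(raw: dict[str, str]) -> tuple[bool, object]:
    """Return (ok, result or error message) so callers log rejections
    uniformly instead of each handling them in its own way."""
    try:
        return True, process_payment(raw)
    except ValidationError as exc:
        return False, str(exc)


# Constructed sample records.
GOOD = {"username": "alice_01", "amount": "12.5", "note": "<b>thanks</b>"}
BAD_FIELD = {"username": "alice_01", "amount": "12.5", "role": "admin"}
BAD_VALUE = {"username": "<script>", "amount": "12.5"}

if __name__ == "__main__":
    for sample in (GOOD, BAD_FIELD, BAD_VALUE):
        print(try_process(sample))
```

The point of the design is that the rule table and the encoder live in one place: adding a field or tightening a rule changes every function at once, which is the consistency the paragraph finds missing in practice. Rejections surface through a single error type, so application audit logging can record them uniformly.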
Overall, when compared with its infrastructure cousin, application security suffers from an attention and nutrition deficit.
Posted by Jiri at April 26, 2004 10:18 PM