Do internal applications now need the same kind of due diligence toward hardening that external/Web-facing applications do? My thinking is that it's now trivial for attackers to breach the network perimeter, meaning an internal application tied into our database could be an even more tempting target.
Any internal application that accesses sensitive enterprise data needs to handle that data securely and be designed to withstand attacks just like any Web-facing application. An attacker who successfully breaches network defenses will attempt to exploit vulnerabilities and weaknesses in applications running on the network in order to find access points to protected data. Internal application security is not only under threat from attackers outside of the enterprise, but also from employees or contractors looking to exploit their legitimate access to enterprise assets or data. Threat modeling is an essential process to determine what security controls an application needs in order to provide effective countermeasures. Microsoft's SDL Threat Modeling Tool is a free resource that provides guidance on creating and analyzing threat models.
I strongly recommend implementing Microsoft's Security Development Lifecycle (SDL), a security assurance process that is focused on software development. Depending on the size of the development team and budget, the simplified version may be more appropriate, as it can be adapted to the resources available. Both versions provide a holistic and practical approach to reducing the number and severity of vulnerabilities in applications. The focus on the design stage helps ensure data is processed in accordance with corporate security policies and any relevant privacy or regulatory requirements.
The SDL also emphasizes the importance of ongoing education and training for the software development team. Developers must be up-to-date on the latest threats and mitigation technologies as well as understand concepts such as secure design and secure coding. Amongst the most common mistakes still made by many developers are failing to validate input properly and restrictively, not properly authenticating users, inadequate error handling and, most importantly, failing to encrypt data when at rest or in motion. Eradicate these errors and data security will be greatly improved.
Properly trained peers should review software code, particularly code or updates that affect the collection, use and display of confidential data, while superseded applications and libraries should be removed following any updates. Given the complexity of today's applications, your security checks will benefit from automated scanning. There are plenty of good open source vulnerability scanners available. Penetration tests from both outside and from within the network perimeter should be conducted at least annually. Given that some targeted attacks are sophisticated enough to remain hidden for long periods of time, applications should provide extensive logging capabilities, particularly recording user access and actions. These logs can prove invaluable in detecting suspicious behavior that may indicate an infection.
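The review that such access-and-action logs make possible, as an added example that is not part of the original answer: it scans per-user audit records for repeated denied requests, bulk record reads and off-hours activity. The JSON field names, the thresholds, the working hours and the sample records are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed audit records, one JSON object per line (field names are assumptions).
SAMPLE_LOG = """\
{"ts":"2013-08-05T09:14:02","user":"asmith","action":"read","resource":"customer/1001","outcome":"allowed"}
{"ts":"2013-08-05T10:02:11","user":"ctemp","action":"export","resource":"payroll/all","outcome":"denied"}
{"ts":"2013-08-05T10:02:15","user":"ctemp","action":"export","resource":"payroll/all","outcome":"denied"}
{"ts":"2013-08-05T10:02:19","user":"ctemp","action":"read","resource":"payroll/77","outcome":"denied"}
{"ts":"2013-08-06T02:31:00","user":"bjones","action":"read","resource":"customer/1001","outcome":"allowed"}
{"ts":"2013-08-06T02:31:04","user":"bjones","action":"read","resource":"customer/1002","outcome":"allowed"}
{"ts":"2013-08-06T02:31:09","user":"bjones","action":"read","resource":"customer/1003","outcome":"allowed"}
{"ts":"2013-08-06T02:31:13","user":"bjones","action":"read","resource":"customer/1004","outcome":"allowed"}
truncated line without json
"""

def flag_suspicious(log_text, max_denied=3, max_records=3, work_hours=(7, 19)):
    """Return ({user: [reasons]}, malformed_line_count) for an audit log."""
    denied, off_hours = defaultdict(int), defaultdict(int)
    records_read = defaultdict(set)
    malformed = 0
    for line in filter(str.strip, log_text.splitlines()):
        try:
            e = json.loads(line)
            user, action = e["user"], e["action"]
            resource, outcome = e["resource"], e["outcome"]
            hour = datetime.fromisoformat(e["ts"]).hour
        except (ValueError, KeyError, TypeError):
            malformed += 1  # count unparseable lines: gaps in a log matter too
            continue
        if outcome == "denied":
            denied[user] += 1
        elif action == "read":
            records_read[user].add(resource)
        if not work_hours[0] <= hour < work_hours[1]:
            off_hours[user] += 1
    findings = defaultdict(list)
    for user, n in denied.items():
        if n >= max_denied:
            findings[user].append(f"{n} denied requests")
    for user, seen in records_read.items():
        if len(seen) > max_records:
            findings[user].append(f"read {len(seen)} distinct records")
    for user, n in off_hours.items():
        findings[user].append(f"{n} off-hours events")
    return dict(findings), malformed
```

The check only works if the application writes who did what, to which resource, and whether it was allowed; a log that records only errors would give it nothing to count.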
This was first published in August 2013