Application Security Assessments
Internal and external applications are consistently the weakest link in enterprise security schemes. This is especially true with older, legacy applications. But even with new applications being rolled out, it is startling how little security is architected into the application.
There are three times to consider the application security assessment:
- No architecture or application in place yet. This situation exists prior to the building of the architecture and/or application. This is the most cost-effective time to build security into the architecture of the application, following the basic application development rules of design, govern, test, and fix.
- Architecture is still on paper. Nothing has been coded or built yet. Still a great situation to be in, because you've got the time to do it right.
- Application is partly or fully developed. The architecture and/or code needs to be reviewed for security vulnerabilities. Costs for such an assessment will depend upon the complexity and development level of the application and the security compliance requirements.
Reasons for funding an application security assessment:
- According to NIST, it can be up to 30x less expensive to fix security defects in development vs. production
- Reduce the number and severity of security incidents
- Avoid data loss and regulatory penalties (SOX, PCI, HIPAA)
- Avoid incident costs, which the Ponemon Institute states are $5.4M per incident in the U.S.
- Conform to industry standards (ISO, COBIT, ITIL, etc.)
- Implement appropriate due diligence in relation to industry peers
Our application security assessment covers:
- OWASP Top 10
- SANS 25
- Access control
- Authentication
- Configuration and operations
- Input and output handling
- Session management
- File handling
- Cryptography (at rest and in transit)
- Data protection
- Error handling and logging