Application development security requires an awareness of how different environments demand different security. For example, the security for running a mainframe application that is not accessible by anything except the mainframe would be considerably different from the security for a web-based application that anyone on the internet has access to. Other important questions that impact the application's security include: How complex an application is it? What are the data types, formats, and lengths? What are the failure states? Which database management system is being used? All of these questions will impact the application's security.
I would be remiss if I didn't mention the system development life cycle, or SDLC. You will need to remember all those phases from feasibility through operations, as well as the ideas of prototyping, rapid application development (RAD), joint application development (JAD), and bad application development (BAD). Just kidding on the last one. However, if you run short of time there's always Agile and CASE to speed up the process.
(ISC)2 is showing a lot of interest in three areas within Application Development Security: Web Security, Mobile Code and Patch Management. Let’s take a closer look at each.
Let's examine Web Security first. A lot of the application code being developed today revolves around the internet. The Infosec Institute has an excellent course in Web Application Penetration Testing, during which you will learn not only how to attack but also how to defend your web application. Web application security includes DoS (denial-of-service) attacks, web application firewalls, IDSs and IPSs. OWASP and SANS both publish top-10 lists of web application vulnerabilities. As is the case with any application development effort, you need to remember three things: 1) always validate your input, which is especially critical in web application development when we look at vulnerabilities like cross-site scripting and SQL injection; 2) always validate the data during processing; and 3) always validate the output data. Also, in web application development, how you manage your session and whether or not you choose to use cookies need to be carefully considered, and the risks weighed against the business needs.
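The three validation points above (input, processing, output) carried through in one small pipeline, as an added example that is not part of the original article: an allowlist check on the input, a parameterized query so the value can never be read as SQL syntax, and HTML encoding on the way out so stored data cannot become script in a browser. The table, rows and function names are constructed for the demonstration.

```python
import html
import re
import sqlite3

# Constructed in-memory sample database (not from the original article).
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice <Admin>"), ("bob", "Bob")],
    )
    conn.commit()
    return conn

# 1) Validate input: allowlist the shape of a username before it goes anywhere.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def validate_username(raw):
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw

# 2) Validate during processing: never build SQL by string concatenation.
#    The bound parameter is always treated as data, never as SQL syntax,
#    so a quote or comment marker in the value cannot change the query.
def lookup_display_name(conn, username):
    row = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None

# 3) Validate output: encode for the context it is rendered in (HTML here),
#    so markup stored in the database is shown as text, not interpreted.
def render_greeting(display_name):
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"

def greet(conn, raw_username):
    """Full pipeline: validate, query with parameters, encode on output."""
    name = validate_username(raw_username)
    display = lookup_display_name(conn, name)
    if display is None:
        return "<p>Unknown user</p>"
    return render_greeting(display)

if __name__ == "__main__":
    db = build_sample_db()
    print(greet(db, "alice"))  # → <p>Hello, Alice &lt;Admin&gt;</p>
```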
Any discussion of mobile code should include subjects like Java applets, ActiveX controls, malware, antivirus software, spam detection software and others. All of these represent potential weaknesses in your application security, whether it's choosing to include JavaScript or Python script in your development of applets or ActiveX controls for your application, or whether it's deciding if you want to make your code truly mobile with an iPad version. Just as with web application development, mobile code needs to have a vulnerability scan run against it before it's put into production.
And finally, patch management is an area that is relatively easy to address but is often overlooked. Every organization should have a patch management policy, and all systems, including systems under development, should be "patched." Let's face it, there are a lot of IT folks out there, as well as some non-IT folks, who are doing system development. And that's in all areas: application, operating system, database, network communication, etc.
In application development security it is crucial that you ensure the operating system you're going to be running on in production is current and patched. It's equally crucial that you make sure the database your application is going to be using is current and patched. Known vulnerabilities have been identified and vendors have already patched them. So give your application the best protection against vulnerabilities available: a patched system with a program behind it to keep it patched. And yes, I know that every time the OS or DB is patched you will have to retest your application. However, that's part of application development security.
Speaking of databases, just a few words that (ISC)2 keeps putting into the exam. Look these up for your own reference:
- ANN (Artificial Neural Networks)
- Referential Integrity
- Data Normalization
- Data De-normalization
- Data Warehouse
- Data Mining
InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry-leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:
- Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
- We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
- Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review; it is intense, successful preparation for CISSP certification.
- We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.
Hi Ken,
That's an awesome article.
I am working on mainframe application development. Previously I was working in the information security domain in the same role (application developer). I have some interest in security. Can you suggest some certifications which I can undergo that will help me in my profile?
Looking forward to some suggestions,
Regards,
Gaurav Kudesiya
Gaurav,
Good afternoon. Yes, there are several which will help you in your interest in security. CompTIA's certifications A+, Network+, and Security+ will give you a solid basis to move on to ISACA's CISM and then on to ISC2's SSCP and CISSP. All of the certification courses are taught by InfoSec Institute. This will give you a solid background in IT security and prepare you for even more responsibility.
Kenneth
Hi Ken,
A really useful article.
I am working in a product development company, and we are looking at various ways to secure our applications. We are also aiming to come up with a standard for application security. Security is a big topic, and I am very new to it. If we have to come up with a document or a process to ensure our end product is secure, I am not sure where I should start. Can you please suggest any training which I can undergo for developing secure applications?
Look forward to your response.
Regards,
Chetana.