Application development security requires an awareness of how different environments demand different security. For example, the security for running a mainframe application that is not accessible by anything except the mainframe would be considerably different from the security for a web-based application that anyone on the internet has access to. Other important questions that impact the application’s security include: How complex an application is it? What are the data types, formats, and lengths? What are the failure states? Which database management system is being used? All of these questions will impact the application’s security.
I would be remiss if I didn’t mention the system development life cycle, or SDLC. You will need to remember all those phases from feasibility through operations, as well as the ideas of prototyping, rapid application development (RAD), joint application development (JAD), and bad application development (BAD). Just kidding on the last one. However, if you run short of time there’s always Agile and CASE to speed up the process.
(ISC)2 is showing a lot of interest in three areas within Application Development Security: Web Security, Mobile Code and Patch Management. Let’s take a closer look at each.
And finally, Patch Management is an area that is relatively easy to address, but is often overlooked. Every organization should have a patch management policy, and all systems, including systems under development, should be “patched.” Let’s face it, there are a lot of IT folks out there, as well as some non-IT folks, who are doing system development. And that’s in all areas: application, operating system, database, network communication, etc.
In application development security it is crucial that you ensure that the operating system you’re going to be running on in production is current and patched. It’s equally crucial that you make sure the database your application is going to be using is current and patched. Known vulnerabilities have been identified and vendors have already patched them. So give your application the best protection against known vulnerabilities available: a patched system with a program behind it to keep it patched. And yes, I know every time the OS or DB is patched you will have to retest your application. However, that’s part of application development security.
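The “program behind it to keep it patched” above is easiest to see as code. The following is an added example, not part of the original post: it takes an inventory of the components an application depends on (OS packages, the database, application libraries) and checks each against the minimum version at which the vendor fixed known issues, reporting anything that still needs patching or is not tracked at all. Both the inventory and the baseline are constructed sample data with made-up version numbers; in a real program the inventory would come from the package manager or a configuration-management database and the baseline from vendor advisories.

```python
"""Patch-level check for the components an application depends on.

Added example (not from the original post). The inventory and the
baseline below are constructed sample data: the version numbers are
invented and do not correspond to any real advisory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    layer: str      # "os", "database", "application", ...
    version: str


# Constructed inventory of one production host (sample data).
INVENTORY = [
    Component("openssl", "os", "3.0.7"),
    Component("postgresql", "database", "15.2"),
    Component("log-formatter", "application", "2.4.0"),
    Component("kernel", "os", "6.1.12"),
    Component("redis", "application", "7.0.5"),   # deliberately absent from baseline
]

# Constructed baseline: minimum patched version per component (sample data
# standing in for the vendor advisories a real patch program would track).
MINIMUM_PATCHED = {
    "openssl": "3.0.8",
    "postgresql": "15.2",
    "log-formatter": "2.4.1",
    "kernel": "6.1.10",
}


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a tuple that compares correctly.

    Numeric fragments compare as integers (so 6.1.12 is newer than 6.1.10,
    which a plain string comparison gets wrong). Non-numeric fragments such
    as "rc1" are tagged lower than any number, and a purely numeric version
    gets a numeric sentinel appended, so "1.2.3-rc1" sorts below "1.2.3"
    and a pre-release never counts as patched.
    """
    parts = []
    for piece in version.replace("-", ".").split("."):
        if piece.isdigit():
            parts.append((1, int(piece)))
        else:
            parts.append((0, piece))
    if parts and parts[-1][0] == 1:
        parts.append((1, 0))   # sentinel: release outranks its own pre-releases
    return tuple(parts)


def is_patched(installed: str, minimum: str) -> bool:
    """True when the installed version is at or above the patched minimum."""
    return parse_version(installed) >= parse_version(minimum)


def unpatched_components(inventory, baseline) -> list:
    """Return (component, required_version) pairs that need attention.

    A component missing from the baseline is reported with required
    version None: an untracked component is a gap in the patch program,
    not evidence that it is current.
    """
    findings = []
    for comp in inventory:
        required = baseline.get(comp.name)
        if required is None or not is_patched(comp.version, required):
            findings.append((comp, required))
    return findings


if __name__ == "__main__":
    for comp, required in unpatched_components(INVENTORY, MINIMUM_PATCHED):
        needed = required if required else "no baseline entry"
        print(f"[{comp.layer}] {comp.name} {comp.version}: needs {needed}")
```

Run as-is it reports openssl and log-formatter as below their patched minimum and redis as untracked, while postgresql (exactly at the minimum) and the kernel (above it) pass. The untracked case is the one most often missed in practice: a checker that only flags known-old versions stays quiet about components nobody added to the baseline, which is exactly the “overlooked” situation the post describes.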
Speaking of databases, just a few words that (ISC)2 keeps putting into the exam. Look these up for your own reference:
ANN (Artificial Neural Networks)