CISSP Domain – Application Development Security

March 30, 2011 by Kenneth Magee

Application development security requires an awareness that different environments demand different security. For example, the security for a mainframe application that is not accessible by anything except the mainframe would be considerably different from the security for a web-based application that anyone on the internet can reach. Other important questions that affect an application's security include: How complex is the application? What are the data types, formats, and lengths? What are the failure states? Which database management system is being used? Each of these answers shapes the application's security requirements.

I would be remiss if I didn't mention the system development life cycle, or SDLC. You will need to remember all of its phases, from feasibility through operations, as well as the ideas of prototyping, rapid application development (RAD), joint application development (JAD), and bad application development (BAD). Just kidding on the last one. However, if you run short of time there's always Agile and CASE to speed up the process.

(ISC)2 is showing a lot of interest in three areas within Application Development Security: Web Security, Mobile Code and Patch Management. Let’s take a closer look at each.

Let's examine Web Security first. A lot of the application code being developed today revolves around the internet. The Infosec Institute has an excellent course in Web Application Penetration Testing, during which you will learn not only how to attack but also how to defend your web application. Web application security topics include denial-of-service (DoS) attacks, web application firewalls, IDSs and IPSs. OWASP and SANS both publish top-10 lists of web application vulnerabilities. As with any application development effort, you need to remember three things: 1) always validate your input, which is especially critical in web application development when we look at vulnerabilities like cross-site scripting and SQL injection; 2) always validate the data during processing; and 3) always validate the output data. Also, in web application development, how you manage your sessions and whether you choose to use cookies or not needs to be carefully considered, with the risks weighed against the business needs.
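The three validation points above (input, processing, output) can be seen side by side in a small example. This is an added illustration, not code from the article or from the Infosec Institute course; it uses Python's standard library with an in-memory SQLite table of constructed sample users. The `lookup_unsafe` function shows how string-built SQL lets a hostile value rewrite the WHERE clause (the SQL injection problem), `lookup_safe` shows the same query with bound parameters, `validate_username` rejects the value before any query runs, and `render_display_name` escapes output so stored markup cannot execute in a page (the cross-site scripting problem). All function and table names are assumptions made for the example.

```python
import html
import re
import sqlite3

# Constructed sample data (not from the article): a small in-memory SQLite table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, display_name) VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob <Admin>")],
    )
    return conn

# 1) Input validation: accept only the characters a username may legitimately contain.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def validate_username(value):
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("invalid username")
    return value

# 2) Processing: the unsafe way (string concatenation) versus the safe way (bound parameters).
def lookup_unsafe(conn, username):
    # Vulnerable: the user-supplied value becomes part of the SQL text itself.
    sql = "SELECT username, display_name FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Hardened: the driver sends the value separately from the statement,
    # so it can only ever be compared as a literal username.
    sql = "SELECT username, display_name FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# 3) Output validation: encode before the value is placed into an HTML page.
def render_display_name(display_name):
    return "<span>" + html.escape(display_name, quote=True) + "</span>"

def demo():
    conn = make_db()
    # A constructed test value containing a quote and an OR clause.
    hostile = "' OR '1'='1"
    results = {
        "unsafe_rows": len(lookup_unsafe(conn, hostile)),  # both rows: WHERE clause was rewritten
        "safe_rows": len(lookup_safe(conn, hostile)),      # no rows: compared as a literal string
    }
    try:
        validate_username(hostile)
        results["validated"] = True
    except ValueError:
        results["validated"] = False  # rejected at the input stage, before any query runs
    results["rendered"] = render_display_name("Bob <Admin>")
    return results

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the three checks: the concatenated query returns every user for the hostile value while the parameterized query returns none, the validator rejects the value outright, and the stored `<Admin>` markup comes back as `&lt;Admin&gt;` rather than as live HTML. Parameterization is the control that removes the injection; the input whitelist is defense in depth, and output encoding protects the browser regardless of what reached the database.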

Any discussion of mobile code should include subjects like Java applets, ActiveX controls, malware, antivirus software, spam detection software and others. All of these represent potential weaknesses in your application security, whether it's choosing to include JavaScript or Python script in your development of applets or ActiveX controls for your application, or whether it's deciding if you want to make your code truly mobile with an iPad version. As with web application development, mobile code development needs to have a vulnerability scan run against the code before it's put into production.

And finally, patch management is an area that is relatively easy to address but is often overlooked. Every organization should have a patch management policy, and all systems, including systems under development, should be "patched." Let's face it, there are a lot of IT folks out there, as well as some non-IT folks, who are doing system development. And that's in all areas: application, operating system, database, network communication, etc.

In application development security it is crucial that you ensure the operating system you're going to be running on in production is current and patched. It's equally crucial that you make sure the database your application is going to be using is current and patched. Known vulnerabilities have already been identified and the vendors have already patched them. So give your application the best protection against known vulnerabilities available: a patched system with a program behind it to keep it patched. And yes, I know every time the OS or DB is patched you will have to retest your application. However, that's part of application development security.

Speaking of databases, here are a few terms that (ISC)2 keeps putting on the exam. Look these up for your own reference:

ANN (Artificial Neural Networks)

Referential Integrity

Data Normalization

Data De-normalization

Data Warehouse

Data Mining


Kenneth Magee

J Kenneth (Ken) Magee is president and owner of Data Security Consultation and Training, LLC, which specializes in data security auditing and information security training. He has over 40 years of IT experience in both private industry and the public sector with the last 21 devoted to IT security and Risk Management.

Ken holds degrees from Robert Morris University and Fairleigh Dickinson University. He holds 30 certifications including: CTT+, CEH, CPT, SSCP, CISSP-ISSMP, CAP, CISA, CISM, ISO 27001 PA, GIAC-GWAPT/GSEC/GSNA, CIA-CGAP, Security+, and CDP. He is a Senior Instructor with the InfoSec Institute.