Application Security Profiling Exercise: Important Considerations

Thursday, May 12, 2011

kapil assudani


Your Cafeteria Menu Web Application Might Be Sensitive!

This article is focused on the exercise of determining the security profile of an application to determine what level of security controls/rigor is required for the application – after all, implementing a security control more expensive than value of the data never justifies the ROI. 

So yes, usually the biggest goal of determining the security profile of the application is to implement security across the enterprise in a cost effective manner that appeals to senior management to obtain their buy-in.

I have looked at number of Security Risk Management Programs, read books, talked to security professionals about the methodology used to determine the security profile of their application.

The usual answer involves the process of determining whether a given application processes PII or company confidential data AND if the application has internet presence or not a.k.a. a checklist approach.

This is great, but along with data sensitivity and exposure of the application one needs to consider the availability requirements of the application at par with the data sensitivity and exposure of the application, not any less.

Besides this, when one considers data sensitivity, only the profile of the data is analyzed for classification – but what I am wondering here is what about the sensitivity for the type of credentials used for an application.

Let’s discuss an example of each of the above cases, starting with why availability factor is equally important as data classification and exposure of the application.

Lets say there is an application “X”, that does not process any sensitive data – neither PII nor company confidential, neither the application is exposed to the internet, however the business function of application “X” is to obtain a non-PII data, which is consumed by multiple business critical/sensitive applications that would not be able to complete their transactions without this information. 

So when we attempt to determine the security profile of this application – neither is it exposed to the internet nor does it process any sensitive data, but its availability factor is critical for a number of core enterprise business applications.

Unfortunately, if one does not review the context/environment this application operates under – we would determine it to be of a very low security profile, and hence require only very low security rigor.

This could be a big mistake, since an employee with malicious intent would have a free ride to take down this application considering the application’s low security rigor requirements, subsequently affecting availability of critical business applications resulting in a financial impact or negatively impacting the enterprise brand.

It is important to realize the availability factor is the usually the number one priority for any enterprise of course along with any regulations that are applicable – since it directly translates to money, brand image, etc.

Next, let’s discuss an example of why credential type used to authenticate to an application is an important attribute that should factor in the process of determining the security profile for an application. 

Let’s take an example of an intranet cafeteria menu application that has no sensitive data and is not exposed to the internet and not critical for an enterprise to have high availability.

However lets assume that in order to log into the web application, one requires their LAN credentials. If data classification is determined through profiling the application data, the application will assume a low security profile with no sensitive data – hence requiring low security rigor.

Now, if this application is compromised/or the credentials sniffed the attacker has pretty much keys to the kingdom – he can invariably assume the privileges of any employee who uses this web application. The stolen account credentials can then be used to execute attacks in other critical enterprise applications again resulting in PII leak, financial impact and negative brand image.

Determining the security profile of an application is a very involved and complicated process – one needs to understand the business logic of the application, its integration with other applications and the security profile of the context this application interacts with.

As a part of this exercise there may be outcomes that can make it extremely complicated to justify ROI in implementing security controls. In these situations one needs to re-think the objective – and ask questions like what is the ultimate objective of profiling applications from security standpoint, and if it doesn’t make sense in one of the use cases an alternate method could be for example – not use enterprise credentials for low profile application.

I am not proposing this, but this could be justified solution for certain use cases. Or another way to look at it would be to create network security zones that club tightly integrate application both from business and technical standpoint in one zone, where each zone is applied security controls based on the security profile of the zone a.k.a. the information system it houses.

In the end, I will serve a reminder to not forget to put availability as an equally important attribute compared to data classification and exposure of the application – remember “Production is no.1 priority for any business!!”

Possibly Related Articles:
Information Security
Authentication Enterprise Security Risk Management Application Security Network Security Security Profile
Post Rating I Like this!
abbie gates Many consumers today depend on the advantage and entertainment of mobile apps. There has been a silent guarantee that private information is secure, but as Chicago-based computer security company viaForensics suggests, maybe we should have received that guarantee in writing. According to a new research by the business, top app makers like LinkedIn, Netflix, and Square store delicate user information unencrypted in basic text files on mobile devices. For those who would use your private data to do you harm, this type of hole is unforgivable. You can lose lots of money in personal loans without secure information.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.