Intelligent CIO Middle East Issue 32 | Page 21

LATEST INTELLIGENCE

applications from reaching the end users (Conklin & Shoemaker, 2014).

applications in an order commensurate with the risk to an organisation. Even commercial and third-party developed systems still warrant some steps of this process. Performing in-depth security assessments of all systems in an enterprise is, unfortunately, a long and costly undertaking (Scarfone et al., 2008). During this lengthy process, it is possible that some systems that security testers will not test

This paper covers some of the shortcomings of current prioritisation methods and proposes an alternative scheme to overcome these limitations.

Application security is a key part of a 'defence in depth' strategy. This control is often considered only for internally developed software, but attackers look for vulnerabilities in all systems (McGraw, 2006). While this is true for several of the measures in the application software security control, the control is more extensive than basic testing of in-house created applications. The Critical Security Controls (CSC) advise that vendors must support all software, all systems must be behind a protocol-aware firewall, and system owners must maintain a development environment that is separate from production and harden all database servers.