LATEST INTELLIGENCE
applications from reaching the end users (Conklin & Shoemaker, 2014). Even commercial and third-party developed systems still warrant some steps of this process. Performing in-depth security assessments of all systems in an enterprise is, unfortunately, a long and costly undertaking (Scarfone et al., 2008). During this lengthy process, it is possible that some systems that security testers will not test

applications in an order commensurate with the risk to an organisation. This paper covers some of the shortcomings with current prioritisation methods and proposes an alternative scheme to overcome these limitations. Application security is a key part of a ‘defence in depth’ strategy. This control is often only considered for internally developed software, but attackers look for vulnerabilities in all systems (McGraw, 2006). While this is true for several of the measures in the application software security control, this control is more extensive than basic testing of in-house created applications. The Critical Security Controls (CSC) advise that vendors must support all software, all systems must be behind a protocol-aware firewall, and system owners must maintain a development environment that is separate from production and harden all database servers.
INTELLIGENTCIO