Filling in app security gaps


MiMi Yeh, Associate Editor
02.12.2007


As organizations grow, application security becomes an even greater challenge, says Matt Fisher, Senior Security Engineer for SPI Dynamics. Fisher will discuss "Mistakes to Lure Hackers" at the LinuxWorld Open Solutions Summit on February 14.

In this interview, Fisher discusses challenges IT managers face when dealing with application security. He says that application security affects all platforms and gives advice on how to reduce security risks.

Can you describe some security issues that IT managers may encounter?

Matt Fisher: Well, in terms of my specialty -- which is application security -- the big challenge right now is scale. Everyone agrees that applications have to be assessed throughout their lifecycle, but in a sizable organization it presents unique challenges.

Even inventory management is difficult. While everyone can rattle off the names of their largest, most public systems, many large organizations have trouble accounting for all of their internal -- and sometimes even external -- facing systems, systems currently in QA and systems under development. Not only does an organization have to be fully aware of all of those systems, but they also must manage a large number of assessments across applications in varying stages and departments and leverage the results of those assessments to grow.

What can IT managers do to reduce these security risks?

Fisher: Like anything else, a combination of the right processes, tools and people comes into play. Centralized management of diverse, self-service assessment activities is the key to that. No one group can do all the security assessments necessary in an organization. With the tools and process, a small team of people can allow other units to do their own assessments while still maintaining effective central management over them.

Are any of these mistakes more common on Linux or on Windows, or do platforms make no difference?

Fisher: The most interesting aspect of application security is that it really does affect applications written on all operating systems. Certainly, with some types of compromises the operating system configuration comes into play, but for the most part, a criminal hacker can do their damage right within the application itself.

The choice of framework can have a large impact. A team building an application in PHP or ASP is going to have considerably more security work to take on themselves than one using a managed framework such as Java or .Net.

What are some other common Linux server security mistakes?

Fisher: In terms of application security, the good old "client side versus server side" issue certainly comes into play. More and more processing is being done in Applets and more recently Flash, and the development teams need to remember that since both are executing on the desktop, they're an open book.

All Rights Reserved, Copyright 2003 - 2009, TechTarget