Filling in app security gaps

As organizations grow, application security becomes an even greater challenge, says Matt Fisher, Senior Security Engineer for SPI Dynamics. Fisher will discuss "Mistakes to Lure Hackers" at the LinuxWorld Open Solutions Summit on February 14.


In this interview, Fisher discusses challenges IT managers face when dealing with application security. He says that application security affects all platforms and gives advice on how to reduce security risks.

Can you describe some security issues that IT managers may encounter?

Matt Fisher: Well, in terms of my specialty -- which is application security -- the big challenge right now is scale. Everyone agrees that applications have to be assessed throughout their lifecycle, but in a sizable organization it presents unique challenges.

Even inventory management is difficult. While everyone can rattle off the names of their largest, most public systems, many large organizations have trouble accounting for all of their internal -- and sometimes even external -- facing systems, systems currently in QA and systems under development. Not only does an organization have to be fully aware of all of those systems, but they also must manage a large number of assessments across applications in varying stages and departments and leverage the results of those assessments to grow.

What can IT managers do to reduce these security risks?

Fisher: Like anything else, a combination of the right processes, tools and people comes into play. Centralized management of diverse, self-service assessment activities is the key to that. No one group can do all the security assessments necessary in an organization. With the tools and process, a small team of people can allow other units to do their own assessments while still maintaining effective central management over them.

Are any of these mistakes more common on Linux or on Windows, or do platforms make no difference?

Fisher: The most interesting aspect of application security is that it really does affect applications written on all operating systems. Certainly, with some types of compromises the operating system configuration comes into play, but for the most part, a criminal hacker can do their damage right within the application itself.

The choice of framework can have a large impact. A team building an application in PHP or ASP is going to have considerably more security work to take on themselves than one using a managed framework such as Java or .Net.

What are some other common Linux server security mistakes?

Fisher: In terms of application security, the good old "client side versus server side" issue certainly comes into play. More and more processing is being done in Applets and more recently Flash, and the development teams need to remember that since both are executing on the desktop, they're an open book.
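The "open book" point above is the reason server-side code must never rely on checks that ran in an applet, a Flash movie or browser script: anyone can read that code and submit whatever they like. The following is an added example, not code from the interview or from SPI Dynamics, written in Python; the order format, the `CATALOGUE` prices and the two sample requests are constructed for illustration. It places a handler that trusts client-supplied values beside one that re-derives every decision on the server.

```python
"""Server-side re-validation of an order submitted by client-side code.

Added example, not from the interview or SPI Dynamics. The order format,
the catalogue and the sample requests are all constructed for illustration.
"""
from dataclasses import dataclass

# Constructed server-side catalogue: the authoritative price lives here,
# never in the client.
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}  # prices in cents
MAX_QTY = 10


@dataclass(frozen=True)
class Order:
    sku: str
    quantity: int
    total_cents: int


def trusting_handler(request: dict) -> Order:
    """Anti-pattern: trusts fields the client-side code 'already validated'.

    Whoever reads the applet/Flash/JavaScript can submit any value for
    'price' or 'qty', so this handler will happily bill a negative total.
    """
    qty = int(request["qty"])
    price = int(request["price"])
    return Order(request["sku"], qty, qty * price)


def validating_handler(request: dict) -> Order:
    """Hardened form: every decision is re-made on the server.

    The client-supplied price is ignored, quantity is range-checked and
    unknown SKUs are rejected. Client-side checks remain only as a UX nicety.
    """
    sku = request.get("sku")
    if sku not in CATALOGUE:
        raise ValueError(f"unknown sku {sku!r}")
    try:
        qty = int(request.get("qty", 0))
    except (TypeError, ValueError):
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError(f"quantity {qty} outside 1..{MAX_QTY}")
    return Order(sku, qty, qty * CATALOGUE[sku])


# Constructed requests: one honest, one where the price field was rewritten
# to a negative value after the client-side check had already run.
HONEST = {"sku": "sku-100", "qty": "2", "price": "1999"}
TAMPERED = {"sku": "sku-100", "qty": "2", "price": "-1999"}


def compare(request: dict) -> tuple:
    """Return (trusting_total, validating_total_or_error) for one request."""
    trusting = trusting_handler(request).total_cents
    try:
        validating = validating_handler(request).total_cents
    except ValueError as exc:
        validating = str(exc)
    return trusting, validating


if __name__ == "__main__":
    print(compare(HONEST))    # (3998, 3998)
    print(compare(TAMPERED))  # (-3998, 3998)
```

The tampered request shows the difference: the trusting handler computes a negative total from the client's price, while the validating handler ignores that field, prices the line from its own catalogue and would reject an out-of-range quantity or unknown SKU outright.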

This was first published in February 2007
