Filling in app security gaps

Matt Fisher, senior security engineer for SPI Dynamics, discusses challenges IT managers face when dealing with application security and gives advice on how to reduce security risks.

As organizations grow, application security becomes an even greater challenge, says Matt Fisher, Senior Security Engineer for SPI Dynamics. Fisher will discuss "Mistakes to Lure Hackers" at the LinuxWorld Open Solutions Summit on February 14.


In this interview, Fisher discusses challenges IT managers face when dealing with application security. He says that application security affects all platforms and gives advice on how to reduce security risks.

Can you describe some security issues that IT managers may encounter?

Fisher: Well, in terms of my specialty -- which is application security -- the big challenge right now is scale. Everyone agrees that applications have to be assessed throughout their lifecycle, but in a sizable organization it presents unique challenges.

Even inventory management is difficult. While everyone can rattle off the names of their largest, most public systems, many large organizations have trouble accounting for all of their internal -- and sometimes even external -- facing systems, systems currently in QA and systems under development. Not only does an organization have to be fully aware of all of those systems, but they also must manage a large number of assessments across applications in varying stages and departments and leverage the results of those assessments to grow.

What can IT managers do to reduce these security risks?

Fisher: Like anything else, a combination of the right processes, tools and people comes into play. Centralized management of diverse, self-service assessment activities is the key to that. No one group can do all the security assessments necessary in an organization. With the right tools and process, a small team of people can allow other units to do their own assessments while still maintaining effective central management over them.

Are any of these mistakes more common on Linux or on Windows, or do platforms make no difference?

Fisher: The most interesting aspect of application security is that it really does affect applications written on all operating systems. Certainly, with some types of compromises the operating system configuration comes into play, but for the most part, a criminal hacker can do their damage right within the application itself.

The choice of framework can have a large impact. A team building an application in PHP or ASP is going to have considerably more security work to take on themselves than one using a managed framework such as Java or .Net.

What are some other common Linux server security mistakes?

Fisher: In terms of application security, the good old "client side versus server side" issue certainly comes into play. More and more processing is being done in applets and more recently Flash, and the development teams need to remember that since both are executing on the desktop, they're an open book.
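The "open book" point above, as an added example that is not from the interview or from SPI Dynamics: a request handler that trusts an order total computed by client-side code, beside one that validates the input and recomputes the total from server-side data. The catalog, quantity limit and request field names are assumed for illustration.

```python
"""Why trust decisions belong on the server.

Code shipped to the desktop (applets, Flash, browser JavaScript) can be read
and altered by whoever runs it, so anything the client computes or "validates"
must be recomputed server-side. Catalog, limits and field names are constructed
for this example.
"""
from dataclasses import dataclass

# Server-side source of truth: the client never gets to set these.
CATALOG = {"widget": 1000, "gadget": 2500}   # prices in cents (constructed)
MAX_QTY = 10


@dataclass
class Order:
    item: str
    qty: int
    total_cents: int          # what the server will actually charge
    tamper_suspected: bool    # client's claimed total disagreed with server math


def checkout_trusting_client(req: dict) -> Order:
    """Insecure: charges whatever total the client-side code reported."""
    return Order(req["item"], req["qty"], req["client_total"], False)


def checkout_server_side(req: dict) -> Order:
    """Hardened: validate every field and recompute the total from server data."""
    item = req.get("item")
    qty = req.get("qty")
    if item not in CATALOG:
        raise ValueError("unknown item")
    if not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    total = CATALOG[item] * qty
    # The client's claim is never used for charging, but comparing it is a
    # cheap detection signal: an unmodified client runs the same arithmetic,
    # so a mismatch means the client code or the request was altered.
    suspected = req.get("client_total") != total
    return Order(item, qty, total, suspected)
```

The comparison result is worth logging as a security event rather than silently discarding, since repeated mismatches from one source point at deliberate tampering.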

This was first published in February 2007
