In this interview, Fisher discusses challenges IT managers face when dealing with application security. He says that application security affects all platforms and gives advice on how to reduce security risks.
Can you describe some security issues that IT managers may encounter?
Matt Fisher: Well, in terms of my specialty -- which is application security -- the big challenge right now is scale. Everyone agrees that applications have to be assessed throughout their lifecycle, but in a sizable organization it presents unique challenges.
Even inventory management is difficult. While everyone can rattle off the names of their largest, most public systems, many large organizations have trouble accounting for all of their internal -- and sometimes even external -- facing systems, systems currently in QA and systems under development. Not only does an organization have to be fully aware of all of those systems, but they also must manage a large number of assessments across applications in varying stages and departments and leverage the results of those assessments to grow.
What can IT managers do to reduce these security risks?
Fisher: Like anything else, a combination of the right processes, tools and people comes into play. Centralized management of diverse, self-service assessment activities is the key to that. No one group can do all the security assessments necessary in an organization. With the tools and process, a small team of people can allow other units to do their own assessments while still maintaining effective central management over them.
Are any of these mistakes more common on Linux or on Windows, or do platforms make no difference?
Fisher: The most interesting aspect of application security is that it really does affect applications written on all operating systems. Certainly, with some types of compromises the operating system configuration comes into play, but for the most part, a criminal hacker can do their damage right within the application itself.
The choice of framework can have a large impact. A team building an application in PHP or ASP is going to have considerably more security work to take on themselves than one using a managed framework such as Java or .Net.
What are some other common Linux server security mistakes?
Fisher: In terms of application security, the good old "client side versus server side" issue certainly comes into play. More and more processing is being done in applets and, more recently, Flash, and the development teams need to remember that since both are executing on the desktop, they're an open book.
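The "open book" point above is easiest to see in code. The following is an added example, not part of the interview and not Fisher's code: an order handler that trusts a total computed by a desktop-side component (applet, Flash, browser script) placed beside one that re-validates every field and recomputes the total from the server's own data. The catalogue, prices, request shape and the `OrderRequest`, `trusting_handler`, `validate` and `hardened_handler` names are all constructed for this illustration.

```python
# Added example (not from the interview): a client-side component can be read and
# modified by whoever runs it, so every value it sends, including values it has
# "already validated", must be validated again on the server.
from dataclasses import dataclass
import logging

log = logging.getLogger("orders")

# Constructed catalogue: prices in cents, the server's own source of truth.
CATALOG = {"sku-100": 2500, "sku-200": 999}
MAX_QUANTITY = 100


@dataclass(frozen=True)
class OrderRequest:
    """What the client-side component posts back. Every field is under the user's control."""
    sku: str
    quantity: int
    client_total_cents: int   # computed by client-side code; never to be trusted


def trusting_handler(req: OrderRequest) -> int:
    """Vulnerable form: accepts the client's total because 'the applet already checked it'."""
    return req.client_total_cents


def validate(req: OrderRequest) -> list:
    """Server-side validation; returns a list of problems (empty list means acceptable)."""
    problems = []
    if req.sku not in CATALOG:
        problems.append(f"unknown sku {req.sku!r}")
    if not isinstance(req.quantity, int) or not 1 <= req.quantity <= MAX_QUANTITY:
        problems.append(f"quantity {req.quantity!r} out of range 1..{MAX_QUANTITY}")
    return problems


def hardened_handler(req: OrderRequest) -> int:
    """Hardened form: rejects bad input and recomputes the total from server-side data.
    The client's figure is only compared for logging, since a mismatch is a useful
    signal that the desktop-side logic was bypassed or altered."""
    problems = validate(req)
    if problems:
        raise ValueError("; ".join(problems))
    total = CATALOG[req.sku] * req.quantity
    if total != req.client_total_cents:
        log.warning("client total %d != server total %d for %s x%d",
                    req.client_total_cents, total, req.sku, req.quantity)
    return total


if __name__ == "__main__":
    honest = OrderRequest("sku-100", 2, 5000)
    tampered = OrderRequest("sku-100", 2, 1)   # constructed: client-side check bypassed
    print("trusting:", trusting_handler(tampered))   # 1, the attacker's figure
    print("hardened:", hardened_handler(tampered))   # 5000, recomputed on the server
    print("honest:", hardened_handler(honest))       # 5000, no warning logged
```

The same pattern applies to any value a desktop-side component hands back, not only prices: the server keeps the authoritative data and rules, treats the client's copy as a hint at best, and logs disagreements because they are the cheapest tamper detection available.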
This was first published in February 2007