Engineering e-Business Applications for Security DISCUSSANT GERALD TRITES, FCA, CA*IT/CISA.

Page 1:

Engineering e-Business Applications for Security

DISCUSSANT

GERALD TRITES, FCA, CA*IT/CISA

Page 2:

Basic Premise of Paper

“enterprises have prioritized and focused their IT security strategies and budgets on protection of the network perimeter and physical access control to the application system environment.”

This premise is stated at the beginning of the paper, but no support is offered for it.

Page 3:

The argument goes on that threats have become more sophisticated and difficult to protect against, and that this somewhat restricted approach to application security is no longer sufficient in the current environment.

Page 4:

Essentially, the paper is calling for a re-evaluation of the risk profile of modern applications, and a stronger security architecture to compensate for the resultant higher risk profile.

Page 5:

Much of the paper is based on unsupported assertions around this argument: about the current state of IT architecture and infrastructure, the issues they pose, and the solutions that are appropriate.

Page 6:

In most cases, any research brought into the discussion is referenced in a general way but not specifically cited, so it would be difficult for a serious researcher to follow up on it.

Page 7:

For example:

- Page 4 – a Gartner survey – What survey? What companies? A percentage of what?
- Page 8 – What is the “ample evidence” from the Carnegie Mellon Institute?
- Page 9 – What Gartner report?
- Page 9 – “From observed hacker statistics” – What statistics? Who observed? What did they observe?

Page 8:

The paper is not designed as an academic paper, and it would be fruitless to discuss it in that context.

Even a white paper, however, should be written in such a way that it offers concrete support for its assertions, conclusions and recommendations.

Page 9:

The services included in the Integrated Applications Services Model (IASM) are:

1. Application Security Risk Review
2. Application Security Controls Review
3. Application Security Testing (Hacking)
4. Application Security Process Review
5. Application Secure Process Development
6. Application Security Architecture (a design and conceptualizing method)
7. Secure Application Solution Design
8. Application Security Code Reviews
9. Learning Services
10. Intelligence Services

Page 10:

The Recommendations for Application Security Strategies presented in the paper are as follows (quoted from page 14 of the paper):

- “Gaining a quantified understanding of the security risks associated with an enterprise e-Business application
- Establishing a balanced set of security requirements in accordance with identified risks
- Transforming security requirements into security controls and process guidance to be integrated into activities of development disciplines and methodologies employed on a development project and into the definition of system configuration, operation and maintenance goals
- Establishing confidence or assurance in the correctness and effectiveness of security mechanisms using assessments, reviews, testing and certification
- Determining impacts due to residual risk associated with security vulnerabilities in a system or its operation which are determined acceptable”

Page 11:

Despite its limitations, the white paper makes a good point: security for applications likely needs to be beefed up in the face of increasingly sophisticated threats.

The services outlined in this white paper would probably be useful and timely to many businesses.

Page 12:

There has been an emphasis on the underlying infrastructure in security work in recent years, because hacker activity has often been directed at operating system and network vulnerabilities, and many user errors have originated from the same problems.

Also, businesses have been expanding their e-business activities and have had difficulty determining which components are essential to a secure e-business infrastructure.

This is why the Boritz study on Secure e-Business Infrastructure was commissioned by the CICA’s Information Technology Advisory Committee.

These services by IBM may help to shift the emphasis and result in a more integrated approach to security planning and administration.

In the context of the expansion of e-business infrastructure, businesses have been making use of tools like XML and Web Services, which are integrative in nature and often involve in-house development activity.

Accordingly, it is timely from this viewpoint as well to revisit the issue of including security controls in the development process.


Page 14:

The white paper is a good awareness document.

Page 15:

THANK YOU!!