The C.I.A. of application security!
By Morten Foged Schmidt, Software Developer at NNIT
The use of IT systems in organizations has changed over the last couple of years. Businesses are becoming more globalized, and the changing IT landscape forces organizations to open up access to their networks, systems and applications. Globalization and these changes lead to changes in IT security as well.
IT security tends to focus on the network and on the servers that host applications and store data. It is often about keeping intruders out with perimeter defenses such as firewalls, demilitarized zones and hardened servers. This approach is absolutely necessary and critical, but as the boundaries shift with cloud, mobile and similar solutions, the need for application and software security increases.
The Microsoft Security Intelligence Report shows that industry-wide vulnerability disclosures are extremely high and increasing for custom and business-specific applications ("Other applications") compared to those for web browsers, core operating systems and operating-system applications. The extreme increase in 2H14 is believed to follow a research project that uncovered SSL vulnerabilities in a large number of Android apps in the Google Play Store.
Microsoft Security Intelligence Report, Vol. 18 page 19, 2014
A prerequisite for mitigation is that the organization is aware of and understands the security goals for its applications and software. The security term CIA (Confidentiality, Integrity and Availability) is used to define those goals and to clarify the need for specific application and software security.
The relation between Confidentiality, Integrity and Availability
Confidentiality ensures that computer-related assets are accessed only by authorized parties. Being authorized to "access" an asset can mean viewing it, printing it or simply knowing that it exists. Confidentiality is also known as "secrecy" or "privacy".
Integrity means that only authorized parties can modify, create, delete or change the status of computer-related assets. Integrity also refers to the trustworthiness of assets: their origin is verifiable, and the credibility people place in them is intact.
Finally, Availability is about having the right access to computer-related assets at the right time. If someone has legitimate access to a set of assets, that access should not be prevented. Availability relates directly to reliability; a system that is unavailable is as good as no system at all.
The tricky part is to find the right balance between the three goals. For example, it would make no sense to preserve an asset's confidentiality by letting nobody access it: that would conflict with the availability goal and with legitimate access.
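As an added example (not code from the article or from NNIT), here is a small Python asset store that turns the three definitions above into enforceable checks: a per-asset policy decides who may read (confidentiality, including not revealing to an unauthorized party whether an asset exists at all) and who may modify (integrity); an HMAC over the stored bytes detects modification that bypasses the store; and a policy with no readers is rejected, because a "secured" asset that nobody can reach fails the availability goal. The actors, asset names, data and the integrity key are constructed for the demo and are not from the article.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


class AccessDenied(PermissionError):
    """Actor is not authorized for the requested operation."""


class IntegrityError(ValueError):
    """Stored data no longer matches its authentication tag."""


@dataclass(frozen=True)
class Policy:
    """Hypothetical per-asset policy: who may read (C) and who may modify (I)."""
    readers: frozenset
    writers: frozenset

    def check(self) -> None:
        # Availability: an asset nobody may read is "confidential" only in the
        # trivial sense and useless to the business, so refuse such a policy.
        if not self.readers:
            raise ValueError("policy grants no reader: violates availability")
        # A writer who cannot read back the asset cannot verify its own change.
        if not self.writers <= self.readers:
            raise ValueError("writers must also be readers")


class AssetStore:
    """Toy store enforcing CIA: read authorization, write authorization plus an
    HMAC tag, and policy validation that refuses unusable assets."""

    def __init__(self, integrity_key: bytes):
        self._key = integrity_key
        self._rows = {}  # name -> [policy, data, tag]

    def _tag(self, name: str, data: bytes) -> bytes:
        # Bind the tag to the asset name so a valid tag cannot be moved to another asset.
        return hmac.new(self._key, name.encode() + b"\0" + data, hashlib.sha256).digest()

    def put(self, actor: str, name: str, data: bytes, policy: Optional[Policy] = None) -> None:
        if name in self._rows:
            policy = self._rows[name][0]  # existing asset keeps its policy
        elif policy is None:
            raise ValueError("new asset needs a policy")
        else:
            policy.check()
        if actor not in policy.writers:
            raise AccessDenied(f"{actor} may not modify {name}")
        self._rows[name] = [policy, data, self._tag(name, data)]

    def get(self, actor: str, name: str) -> bytes:
        row = self._rows.get(name)
        # Same error for "missing" and "not yours": an unauthorized party must not
        # learn whether the asset exists, which the article counts as disclosure.
        if row is None or actor not in row[0].readers:
            raise AccessDenied(f"{actor} may not read {name}")
        _, data, tag = row
        if not hmac.compare_digest(tag, self._tag(name, data)):
            raise IntegrityError(f"{name} was modified outside the store")
        return data

    def corrupt(self, name: str, data: bytes) -> None:
        # Simulates an out-of-band change (direct file or database edit) that bypasses put().
        self._rows[name][1] = data


def demo() -> dict:
    """Runs the article's scenarios and returns each outcome by name."""
    # Constructed demo key; a real deployment would draw a random key from a secrets store.
    store = AssetStore(integrity_key=b"constructed-demo-integrity-key")
    policy = Policy(readers=frozenset({"alice", "bob"}), writers=frozenset({"alice"}))
    store.put("alice", "salaries.csv", b"alice,1000\nbob,900\n", policy)  # constructed data

    def outcome(fn):
        try:
            fn()
            return "ok"
        except Exception as exc:  # the demo reports the exception class name
            return type(exc).__name__

    results = {"bob_reads": store.get("bob", "salaries.csv")}
    results["mallory_reads"] = outcome(lambda: store.get("mallory", "salaries.csv"))
    results["mallory_probes_missing"] = outcome(lambda: store.get("mallory", "no-such-asset"))
    results["bob_writes"] = outcome(lambda: store.put("bob", "salaries.csv", b"bob,9000\n"))
    store.corrupt("salaries.csv", b"alice,1000\nbob,9000\n")
    results["alice_reads_tampered"] = outcome(lambda: store.get("alice", "salaries.csv"))
    results["unreadable_policy"] = outcome(
        lambda: Policy(readers=frozenset(), writers=frozenset({"alice"})).check())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The interesting case is the last two scenarios: the tampered read fails even for a fully authorized reader, because integrity is about the trustworthiness of the data rather than about who asked for it, and the empty-readers policy is refused at design time rather than discovered as an outage later, which is the balance the paragraph above describes.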
Security interviews with developers and stakeholders are a good source of information for finding the right security goals, but a more structured approach must also consider data classification, risk assessment (e.g. the consequences of a data disclosure) and relevant data protection and privacy legislation, such as the upcoming EU General Data Protection Regulation.
Once the security goals have been defined, security design concepts and processes must be selected and implemented to mitigate the risks and reach the goals. The Microsoft SDL (Security Development Lifecycle) is one process that bridges the gap between software professionals and security best practices: it ensures that security is built in throughout the entire application development lifecycle. Implementing such a process can seem like a lot of work and hard to manage without being a security expert, but the SDL meets you at your current level of IT security knowledge and helps you improve from there.
Ultimately, the most important product of the SDL and the CIA model is the awareness they generate, which helps developers become more concrete about application security.
The question is: is your organization on top of its application C.I.A.?
____________________________________________________________________________________
About NNIT Security Insights
NNIT Security Insights is a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.
NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses to achieve the right level of security protection to protect the business from financial and reputational damage.
You are welcome to contact us at itmanagement@nnit.com if you want to know more about how NNIT can help your business increase its information security level.