Application Security Architecture
Application security, like everything else in information security, should begin with a policy. Applications must be fully subject to the security policy, which has traditionally been used to safeguard the network's resources. Applications are resources too, and at this level the danger is greater and so is the need for adequate protection. Two essential elements are needed to design, create, and deploy secure applications:
- Application security development life cycle and guidelines
- Interoperable security infrastructure components
Application security analysis
For the purposes of security analysis, an application is a repository of resources (data and business logic) made accessible to "users" via a communication channel. Identification, authentication, and authorization are the three main security concepts that revolve around a user. Although identification and authentication are distinct concepts, the terms are frequently used interchangeably. Identification is defined as "an act or process that enables a system to recognize a system entity and distinguish it from other entities"; as part of it, an identifier is presented to a system. Authentication is the process of verifying an identity claimed by or on behalf of a system entity.
Application Security Design
Security needs to be involved with the application team at the design phase of an application (for off-the-shelf purchases, it would be the evaluation phase) to help them adopt suitable security technologies and/or processes. The following major structural requirements must be met by an application to include suitable security controls:
Session
While navigating around an application, users shouldn't need to re-authenticate. The application must keep track of their current interaction with it. Every user's session needs to be distinct and maintained individually. For instance, if the user has been away from the application for a while, the session should help the application identify the user and their current state within it. The application can also use authentication details such as the last active time to decide, in accordance with the authentication policy, whether it has to reauthenticate the user.
Single Access Point
A program should only have one point of entry for users. Creating backdoors for administrative purposes is common. Backdoors should be avoided, and all users including administrators should only be able to access a program from a single location.
Identification and authentication must be carried out at this access point. A single point, frequently referred to as a portal, can serve as the access point for several applications. Technologies like single sign-on are also becoming more and more prevalent. With single sign-on, a user authenticates just once at a single access point and can then access many applications. This also spares the user from having to remember numerous passwords, which can improve security.
Roles
The needs of users vary depending on the application. Different users should be granted different rights (read, change, add, and delete) to the various resources inside an application. Maintaining rights would be a management nightmare if authorization could only be configured individually, user by user. Instead, users are typically assigned to roles, and those roles are granted access to the necessary application resources.
Then, rather than giving each user their own privileges, a role is assigned to all users who carry out that function. To change a privilege, the administrator only needs to alter it for the role, not for every user.
Audit
An application needs to include components that keep track of actions taken on its resources. These components should be positioned so that any application event can be traced. So that retention guidelines can be applied to the audit output, proper backup and recovery mechanisms must be implemented. The audit output should also be in a consistent, structured format to aid searching and the creation of statistics.
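The Roles and Audit requirements above, shown together as an added example (not code from the original article): rights are attached to roles, users receive rights only through role membership, and every authorization decision is written as one structured audit record. The role names, users, resource name and function names are all constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample data: role -> resource -> rights, and user -> roles.
ROLE_RIGHTS = {
    "clerk":   {"invoices": {"read", "add"}},
    "manager": {"invoices": {"read", "add", "change", "delete"}},
}
USER_ROLES = {"alice": {"manager"}, "bob": {"clerk"}, "carol": {"clerk"}}

AUDIT_LOG = []  # stand-in for an append-only audit store that is backed up


def audit(user, action, resource, allowed, roles):
    """Append one JSON line per decision so the log can be searched and counted."""
    AUDIT_LOG.append(json.dumps({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "roles": sorted(roles),
        "action": action, "resource": resource,
        "outcome": "allow" if allowed else "deny",
    }, sort_keys=True))


def authorize(user, action, resource):
    """Grant access only through roles; unknown users, roles and rights are denied."""
    roles = USER_ROLES.get(user, set())
    allowed = any(action in ROLE_RIGHTS.get(r, {}).get(resource, set()) for r in roles)
    audit(user, action, resource, allowed, roles)  # record allows and denials alike
    return allowed


def revoke(role, action, resource):
    """Change a privilege once on the role; every user holding the role is affected."""
    ROLE_RIGHTS.get(role, {}).get(resource, set()).discard(action)


def denied_events(log):
    """Example search over the structured audit output."""
    return [e for e in map(json.loads, log) if e["outcome"] == "deny"]


if __name__ == "__main__":
    print(authorize("bob", "add", "invoices"))
    revoke("clerk", "add", "invoices")  # one change on the role, no per-user edits
    print(authorize("bob", "add", "invoices"), authorize("carol", "add", "invoices"))
    print(denied_events(AUDIT_LOG))
```

Because the denial for an unknown user is logged with an empty role list, attempts against accounts that hold no role remain visible in the same audit search.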