1. Application Security Development
Application Security includes measures taken throughout the Application Development Life-Cycle - Design, Development, Quality Assurance, Deployment, Upgrade and Maintenance.
Main Principles are:
1. Risk Assessment - Knowing the Threats.
2. Risk Mitigation and Management - Securing the Network, Host and Application.
3. Designed-In Approach - Incorporating Security into your Software Development Process.
4. Quality Assurance - Security Testing Techniques are applied to discover Security Holes in Applications; these Security Holes leave Applications open to exploitation. In our Cybersecurity Framework, Security Testing and tools are implemented throughout the entire ADLM (Agile Development Life Cycle Management) so that Security Holes can be discovered and addressed systematically and promptly. The White Box and Black Box testing used to identify Security Holes and Vulnerabilities is typically based on the OWASP (Open Web Application Security Project) Methodology.
We apply and follow these OWASP projects:
a. OWASP Top Ten: identifies the most critical risks facing product development and organizations. The Top 10 Project is referenced by many standards, tools and organizations, including PCI DSS (Payment Card Industry Data Security Standard), the Defense Information Systems Agency, HITECH and many more.
b. OWASP Software Assurance Maturity Model (SAMM): Security Requirements, Security Review and Environment Hardening tailored to the product and organization requirements.
c. OWASP Development Guide: provides safeguards and guidance on topics ranging from SQL injection to DoS, user session handling and privacy issues.
Main Elements to Know and Monitor are:
1. Asset - What is being protected (e.g. Data in a Database)
2. Threat - Anything that can exploit a Vulnerability or destroy an Asset (e.g. a Virus or Malware)
3. Vulnerability - A weakness in the Security Process that can be exploited by Threats to gain unauthorized access to an Asset (e.g. a weak password)
4. Attack - An Action taken to harm an Asset (e.g. Phishing or DoS)
5. Mitigation - A Safeguard that addresses a Threat (e.g. proactively checking for a virus and eliminating it)