A decade of infrastructure and network hardening has pushed hackers up the technology stack to exploit application security vulnerabilities as the easiest entry to your critical business systems.
Gartner formulates this as, “perimeters and firewalls are no longer enough; every app needs to be self-aware and self-protecting”.
However, the IT industry in general has not matured its application security capabilities. For many vendors and organizations, application security remains a secondary concern until a security or data breach is detected in their systems. Companies can no longer afford this approach, as the EU General Data Protection Regulation imposes substantial fines for leaks of personal data.
NNIT is responding to this challenge by launching an Application Security Health Check Service.
"With the increased focus on security, the evolving threat landscape, and the risk of substantial fines in the event of a data breach, securing business applications has become vital for any company."
Application Security Health Check Service
The purpose of the Application Security Health Check Service is to conduct a comprehensive, holistic assessment of whether the application in question is:
- Secure by Design
- Secure by Implementation
- Secure by Configuration
Secure by Design
Has the application been designed to counter threats against the confidentiality, integrity, and availability of the data it processes?
Secure by Implementation
Has the application been implemented in accordance with secure coding best practices and using only approved third-party components and libraries?
Secure by Configuration
Has the application been configured and deployed according to the principle of least privilege in order to minimize the attack surface that can be exploited by an attacker?
The service is tailored for companies with development teams that are challenged by the increasing security demands imposed by the evolving threat landscape and the EU General Data Protection Regulation.
The output from the service is a health check status that describes the detected security vulnerabilities and the risks that they pose to the application and its data, along with the recommended mitigation strategies.
The following sections describe the key activities in the Application Security Health Check Service. However, the service can be tailored to meet your business needs.
The first activity in the service is to conduct a stakeholder interview in order to clarify the scope for the health check along with the application’s data classification, security requirements, and key business concerns.
Based on the input from the stakeholders, threat modeling is carried out in order to determine if the application design adheres to the security requirements and to uncover any design weaknesses that can be exploited by an attacker.
A workshop is conducted using the threat model as a collaborative tool in order to engage the development team in a dialog about potential design weaknesses and improvement opportunities.
A code review of the critical security controls in the application is conducted along with an evaluation of any third-party components and libraries used in order to assess if secure coding best practices have been adhered to during development.
Web interfaces are subjected to a combination of automated and manual penetration testing, as they are a preferred attack vector for cyber criminals.
Risks & Recommendations
The security vulnerabilities uncovered during the threat modeling, code inspection, and penetration testing activities are rated based on the risks that they pose to the security of the application, the data it processes, and the business that relies on it. The findings are consolidated into a final report, along with recommendations on how to mitigate each detected security vulnerability.
Who are we?
The NNIT Application Security Team consists of highly skilled professionals specialized in designing, implementing, and testing applications with critical security and privacy requirements. On that solid foundation in application security, we have condensed the pertinent knowledge of best practices into the Application Security Assessment Service.