Showing posts with label Application. Show all posts
Showing posts with label Application. Show all posts

Monday, June 25, 2012

Application Owner vs Information Security fun#2 - on Web Application Firewall


I presume most of us as a security pro have heard of Web Application Firewall (WAF). It is not a new technology, but only few enterprises have seen the benefit and have the technology implemented within their infrastructure. I hope this story could shed more light on the benefit of having one and assist you in expediting your decision making process in getting a WAF :)

Information Security lad:  During our security review, we noticed that you have decided not to include WAF as an additional protection layer for your web application. Although it is not a mandatory policy in our company, we strongly suggest to have your web application protected by WAF, as your web application is internet facing and will be handling important e-commerce transactions. Moreover, as you are offering 99.99% availability to your customer, you may want to have extra layer of protection to support this commitment. New attacks could be easily mitigated by the WAF as its signatures are updated on daily basis. I do know that our IT Supplier has a very good WAF team there.

Application Owner dude: Thank you for your suggestion... I don't see the need of it right now. We already have multiple layer of protections in place. We have firewall and Intrusion Prevention System (IPS) in front of the web application. Furthermore, we have done security assessment and pen-test during our application development cycle and we have got a clean bill of health there. I believe your team did some security tests as well and found no weaknesses. The application is just robust.... Anyway, I don't really have extra budget....

Information Security lad: Well... if you insist and understand the risk, we won't stand in your way. We will approve this RFC.

5 months later.....

Read more »
Posted by at No comments:
Labels: ,

Wednesday, May 9, 2012

Application Owner vs Information Security fun#1 - data flow security


Have you ever met an old stubborn mainframe guy that just can't think outside of his archaic box? I bet you did. This is a story about this guy I met sometimes ago..... (My friend Adriano called them "The Dinosaur". BTW, if you time, you should check out his piece on this.)

Application Owner dude: We are using mainframe and we have tight ACL in place. No one can access the data inside. It's a very secure environment. I don't see any security issues here... That web interface is just a front-end for customer to see their order status...We developed this one ourselves and manage the user accounts. It's not even open to public or guest, by the way....

Information Security lad: Well... we see that there are other internal applications interfacing with this mainframe as well. How do you ensure these interfaces are secure?

Application Owner dude: Again. As I have said and stressed for so.... many times. We have strong and tight ACL in place. Those interfaces are connecting to our mainframe with their own credentials and we make sure they can only access their part of data... <* keep bragging about how fantastic ACL works on Mainframe *>

Information Security lad: <* I need to do more to than just talking to this guy to show him that ACL alone is not enough *> We going to run some test.....

Application Owner dude: Go ahead lad... No one ever broken into our mainframe before. I'll bet my every pint of beer on that.

Read more »
Posted by at No comments:
Labels: ,
Subscribe to: Posts (Atom)