
Application Security

This is a huge subject with many facets, and application security is a common topic of discussion because of its importance in protecting the business.

The protection of applications and their associated data is critical to the success of an organisation. Cyber-crime is a huge industry that will attack organisations of any size. It is often the case that exploiting just one vulnerability opens the door to further wide-ranging malicious actions, ultimately resulting in severe damage to the confidentiality, integrity and availability of data. In the best case this causes severe financial impact (corrupted data, compliance violation fines, loss of customer trust); in the worst case it can ruin the business. In the most catastrophic case, a malicious cyber-attack can cause loss of life.

Information security is the practice of protecting systems and information by mitigating risk. The risk management process identifies each risk, the likelihood of it being exercised and the impact it would cause. It is then a business decision how to address the risk: avoid it, mitigate it, share it or accept it. This is an iterative process, so the results of ongoing monitoring are fed back into subsequent cycles.

Network security is one example of the controls that may be implemented to mitigate known attack vectors. Application security often involves discussion of networking components such as firewalls, gateways and load balancers, and of ensuring the infrastructure is locked down against certain types of attack.

Application Security is the subset of InfoSec that focuses on the needs of the software engineer / developer audience. It includes the measures taken to improve the security of an application, typically by finding, fixing and preventing security vulnerabilities. Microsoft provides guidance, tooling and services to help ensure that application security and code scanning are automated and baked into DevOps pervasively.

Application configuration secrets (e.g. database connection strings, API keys) must be locked away from malicious access and from accidental leakage. Azure Key Vault provides hardware security module (HSM) backed storage that helps ensure such values are protected.
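As an added illustration of the point above (not code from this page or from Microsoft), the loader below resolves App Service style Key Vault references in application settings and refuses a plaintext value for any setting marked sensitive, so a connection string cannot quietly be pasted back into config. The `fetch` callable is an assumed stand-in for a real client such as `SecretClient` from azure-keyvault-secrets; the setting names and vault name are constructed.

```python
"""Resolve Key Vault references in app settings and reject plaintext secrets.

Constructed example: `fetch` stands in for a real Key Vault client; only the
reference syntax and the refuse-plaintext policy are demonstrated here.
"""
import re
from typing import Callable, Dict, Optional, Set, Tuple

# App Service reference forms:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.+)\)$")
_URI = re.compile(
    r"^https://(?P<vault>[^.]+)\.vault\.azure\.net/secrets/"
    r"(?P<name>[^/]+)(?:/(?P<version>[^/]+))?/?$"
)

Ref = Tuple[str, str, Optional[str]]  # (vault, secret name, version or None)


def parse_reference(value: str) -> Optional[Ref]:
    """Return (vault, name, version) for a Key Vault reference, else None."""
    m = _REF.match(value.strip())
    if not m:
        return None  # ordinary plaintext setting
    body = m.group("body")
    if body.startswith("SecretUri="):
        u = _URI.match(body[len("SecretUri="):])
        if not u:
            raise ValueError("malformed SecretUri in Key Vault reference")
        return u.group("vault"), u.group("name"), u.group("version")
    parts = dict(p.split("=", 1) for p in body.split(";") if "=" in p)
    if "VaultName" not in parts or "SecretName" not in parts:
        raise ValueError("Key Vault reference needs VaultName and SecretName")
    return parts["VaultName"], parts["SecretName"], parts.get("SecretVersion")


def load_settings(raw: Dict[str, str], sensitive: Set[str],
                  fetch: Callable[[str, str, Optional[str]], str]) -> Dict[str, str]:
    """Resolve references via `fetch`; plaintext for a sensitive key is an error."""
    resolved: Dict[str, str] = {}
    for key, value in raw.items():
        ref = parse_reference(value)
        if ref is None:
            if key in sensitive:
                raise ValueError(f"{key} must be a Key Vault reference, not plaintext")
            resolved[key] = value
        else:
            resolved[key] = fetch(*ref)  # secret never lives in the config file
    return resolved
```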

https://github.com/features/security
https://aka.ms/waf
https://aka.ms/sdlc

TechTalk Video