An Applications View on Security

By Peter Coffee  |  Posted 2004-12-13 Print this article Print

Finding balance between business benefit and information risk is getting harder.

When information warfare experts want to set the proper base line for whats "secure," they point out that the only completely protected machine is one thats disconnected from the network and preferably turned off. Application development security begins from an equally useless zero point: The only completely secure application is one that accepts no input from the outside and offers no access to data.

Everything beyond that null-and-void level of IT system function demands a balance between business benefit and information risk. That balance is getting more difficult to define, let alone achieve, as the expectations of application users rise while the risk environment becomes continually more dynamic.

Two factors intensify the hazards facing enterprise development professionals. First, the growing dominance of Web-enabled applications exposes developers finished products to a vastly larger army of attackers. Second, the rapid development cycles of customer-facing or supply-chain-partnering software mean that most new code is never really finished at all.

"People are continuously updating the code—theres no way to do a full code review," said John Dickson, a partner in Denim Group Ltd., a development consultancy based in San Antonio. "Youd have three or four reviews every week."

Click here to read Peter Coffees Dec. 8, 2003 column, "The Right to Safe Upgrades". Past development practices—with almost seasonal cycles of code specification, design, development and review—do not have a sterling reputation for producing secure results, but at least they presented only a few discrete points each year at which new vulnerabilities might be expected to appear. The continuous development of a Web site—or the kaleidoscopic, continual reshuffling of Web services constellations—must fundamentally change the security posture of the enterprise development team.

Security must be built into applications from the lowest level upward, rather than applied as a hard outer shell, because a focus on perimeter security ignores the fact that many intruders are already on the inside.

In fact, more than 80 percent of companies have detected system penetrations of internal origin, according to data compiled by insurance brokerage and risk management company Arthur J. Gallagher & Co., in Itasca, Ill. This means that applications performing their normal function, at the behest of authorized internal users, must be viewed as dwelling in hostile territory rather than in trusted environments.

Next Page: The front door is open.

Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel