Gartner Blog Network

Thought for Friday: The Two Sides of Application Security

by Neil MacDonald  |  February 5, 2010  |  1 Comment

One of my major areas of research is in application security, helping clients to change their development (and procurement!) processes to deliver more secure code. This is imperative.

However, there is an equally important application security discussion that we rarely have: how applications should consume the security services our organization already provides. For example, do you have good answers to these questions?

  • How should authentication of users be performed?
  • If the application will be accessed by non-employees, how will authentication be performed?
  • Are there non-user-based communications that the application uses (like a back-end RPC), and how and when should these be authenticated?
  • In what cases is stronger authentication necessary?
  • How should authorization within the application be performed?
  • Is there a standard set of enterprise roles that the application should be consuming?
  • How do we prevent applications from each developing their own silo of authorization information?
  • Do we have a standard way of logging events? Do developers know which events should be logged?
  • Do we have standard libraries for authentication, authorization, encryption and so on?

I could go on and on. I see so much focus on the first part of application security and not enough on the second. Yet.

My belief is that we are still in the middle of performing triage on our vulnerable applications and getting more secure code produced or procured. Once that is under control, the second part of application security will become a priority.

Category: application-security  

Tags: application-security  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Thought for Friday: The Two Sides of Application Security

  1. Deborah Volk says:

    I am all for renaming “identity and access management” back to “application security”. After all, security has been in vogue since 2001 and anything with the word “management” scares developers.
