However, an equally important application security discussion must be had about how applications should consume security services within our organization. For example, do you have good answers for these questions?
- How should authentication of users be performed?
- If the application will be accessed by non-employees, how will authentication be performed?
- Are there non-user based communications that the application uses (like a back-end RPC) and how/when should these be authenticated?
- In what cases is stronger authentication necessary?
- How should authorization within the application be performed?
- Is there a standard set of enterprise roles that the application should be consuming?
- How do we prevent applications from each developing their own silo of authorization information?
- Do we have a standard way of logging events? Do developers know which events should be logged?
- Do we have standard libraries for authentication, authorization, encryption and so on?
I could go on and on. I see so much focus on the first part of application security and not enough on the second. Yet.
My belief is that we're still essentially performing triage on our vulnerable applications and getting more secure code produced or procured, and that once this is under control, the second part of application security will become a priority.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.