However, an equally important application security discussion must be had about how applications should consume security services within our organization. For example, do you have good answers for these questions?
- How should authentication of users be performed?
- If the application will be accessed by non-employees, how will authentication be performed?
- Are there non-user-based communications that the application uses (like a back-end RPC), and how/when should these be authenticated?
- In what cases is stronger authentication necessary?
- How should authorization within the application be performed?
- Is there a standard set of enterprise roles that the application should be consuming?
- How do we prevent applications from each developing their own silo of authorization information?
- Do we have a standard way of logging events? Do developers know which events should be logged?
- Do we have standard libraries for authentication, authorization, encryption and so on?
I could go on and on. I see so much focus on the first part of application security and not enough on the second. Yet.
My belief is that we’re still in the middle of performing essentially triage with our vulnerable applications and getting more secure code produced/procured, and that once this is under control, the second part of application security will become a priority.