Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thought for Friday: The Two Sides of Application Security

by Neil MacDonald  |  February 5, 2010  |  1 Comment

One of my major areas of research is in application security, helping clients to change their development (and procurement!) processes to deliver more secure code. This is imperative.

However, an equally important application security discussion must be had about how applications should consume security services within our organization. For example, do you have good answers for these questions?

  • How should authentication of users be performed?
  • If the application will be accessed by non-employees, how will authentication be performed?
  • Are there non-user communications that the application uses (such as a back-end RPC), and how and when should these be authenticated?
  • In what cases is stronger authentication necessary?
  • How should authorization within the application be performed?
  • Is there a standard set of enterprise roles that the application should be consuming?
  • How do we prevent applications from each developing their own silo of authorization information?
  • Do we have a standard way of logging events? Do developers know which events should be logged?
  • Do we have standard libraries for authentication, authorization, encryption and so on?
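The questions above all point in one direction: the application should consume authentication, enterprise roles, step-up requirements and event logging from a shared layer rather than building its own. The following is an added example written for this post, not code from the author or from Gartner; every user, credential, role, service key and threshold in it is constructed for illustration, and the shared layer is a hypothetical in-process module standing in for real enterprise services.

```python
# Added example (not from the post): a small shared security-services layer that an
# application consumes instead of inventing its own. All names, users, credentials,
# keys and thresholds are constructed for illustration.
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# --- Enterprise roles, owned centrally rather than by each application (constructed) ---
ENTERPRISE_ROLES = {
    "alice": frozenset({"employee", "finance-approver"}),
    "bob": frozenset({"employee"}),
    "carol": frozenset({"contractor"}),          # a non-employee user
}

# --- Standard security event log; an in-memory list stands in for a SIEM sink ---
SECURITY_EVENTS: list = []

def log_security_event(event: str, principal: str, **details) -> dict:
    """Every application emits the same event shape, so detection content is reusable."""
    record = {"ts": time.time(), "event": event, "principal": principal, **details}
    SECURITY_EVENTS.append(record)
    return record

@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset
    auth_strength: str   # "password", "mfa" or "service_hmac"

class AuthenticationError(Exception):
    pass

class AuthorizationError(Exception):
    pass

# --- User authentication (constructed credential store holding PBKDF2 hashes) ---
_SALT = b"constructed-demo-salt"

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

_CREDENTIALS = {"alice": _hash_password("alice-pw"), "bob": _hash_password("bob-pw"),
                "carol": _hash_password("carol-pw")}
_MFA_CODES = {"alice": "246810"}   # constructed stand-in for a real second factor

def authenticate_user(user: str, password: str, mfa_code: Optional[str] = None) -> Principal:
    # The hash is computed before the lookup result is checked, so unknown and known
    # usernames take similar time to reject.
    candidate = _hash_password(password)
    expected = _CREDENTIALS.get(user)
    if expected is None or not hmac.compare_digest(expected, candidate):
        log_security_event("auth_failure", user, reason="bad_credentials")
        raise AuthenticationError(f"authentication failed for {user!r}")
    strength = "password"
    if mfa_code is not None:
        if not hmac.compare_digest(_MFA_CODES.get(user, ""), mfa_code):
            log_security_event("auth_failure", user, reason="bad_mfa")
            raise AuthenticationError("second factor rejected")
        strength = "mfa"
    log_security_event("auth_success", user, strength=strength)
    return Principal(user, ENTERPRISE_ROLES.get(user, frozenset()), strength)

# --- Non-user (service-to-service) authentication: HMAC over the request body ---
_SERVICE_KEYS = {"billing-rpc": b"constructed-shared-key"}

def sign_service_request(service_id: str, body: bytes) -> str:
    return hmac.new(_SERVICE_KEYS[service_id], body, hashlib.sha256).hexdigest()

def authenticate_service(service_id: str, body: bytes, signature: str) -> Principal:
    key = _SERVICE_KEYS.get(service_id, b"")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if key == b"" or not hmac.compare_digest(expected, signature):
        log_security_event("auth_failure", service_id, reason="bad_signature")
        raise AuthenticationError(f"service authentication failed for {service_id!r}")
    log_security_event("auth_success", service_id, strength="service_hmac")
    return Principal(service_id, frozenset({"service"}), "service_hmac")

# --- Central authorization: enterprise role membership plus step-up where warranted ---
def authorize(principal: Principal, role: str, action: str, require_mfa: bool = False) -> None:
    if role not in principal.roles:
        log_security_event("authz_denied", principal.name, action=action, missing_role=role)
        raise AuthorizationError(f"{principal.name} lacks role {role!r}")
    if require_mfa and principal.auth_strength != "mfa":
        log_security_event("authz_denied", principal.name, action=action, reason="step_up_required")
        raise AuthorizationError("stronger authentication required")
    log_security_event("authz_granted", principal.name, action=action)

# --- Application code: consumes the services above and owns no auth logic of its own ---
HIGH_VALUE = 10_000   # constructed threshold above which stronger authentication is required

def approve_payment(principal: Principal, amount: int) -> str:
    authorize(principal, "finance-approver", "approve_payment", require_mfa=amount >= HIGH_VALUE)
    return f"payment of {amount} approved by {principal.name}"
```

The application function at the bottom never looks at passwords, roles or log formats itself; the answer to "in what cases is stronger authentication necessary" lives in a single `require_mfa` argument, and every denial lands in the same event stream that other applications feed.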

I could go on and on. I see so much focus on the first part of application security and not enough on the second. Yet.

My belief is that we are still essentially performing triage on our vulnerable applications and getting more secure code produced or procured, and that once this is under control, the second part of application security will become a priority.

Category: Application Security

1 Comment

  • Deborah Volk, February 5, 2010 at 3:41 pm

    I am all for renaming “identity and access management” back to “application security”. After all, security has been in vogue since 2001 and anything with the word “management” scares developers.