Secure Software Development - ISO 27034 at a glance - 1 of 7 (Series)

Information security is on everyone's lips. But what does "information security" mean when developing or purchasing applications? How can the attack vectors in software be minimized, thereby improving the stability and security of applications?

What exactly is "application security"?

"Application security" is information security applied to applications, i.e. broader in content and measures than the "pure" security of software. An "application" is an IT solution (software, data, procedures) that maps, implements and automates a business process or a requirement of a business function. The security model here basically assumes a secure and "invulnerable" infrastructure; information security for infrastructures (network, operating system, etc.) is a different matter.

"Application security" can be addressed to different target groups: management (executives, managers), the deployment and operating units, buyers, suppliers, auditors and users.

The principles of application security are as follows:

  • Security is a fundamental requirement
  • Application security is contextual
  • Appropriate use of application security
  • Application security should be verifiable

What are the individual components of application security?

First of all, the scope of application security must be defined. The context of business, regulations and technology plays a decisive role.

In addition, there is the life cycle of an application (the "application lifecycle") in the form of the application processes. Finally, there are the data, specifications and roles/rights in the application. These building blocks can be seen as a map of the application.

The principles of information security, CIA (confidentiality, integrity and availability), are supplemented in application security by authentication and non-repudiation.

Table 1: Application Security Scope ISO/IEC 27034

  • Business Context
  • Regulatory Context
  • Technological Context
  • Application life cycle processes
  • Processes involved with the application
  • Application Specification
  • Application Data
  • Organization and User Data
  • Roles and Permissions

The "business context" reflects all requirements, practices and specifications (e.g. restrictions) of the business areas in the company. The "regulatory context" relates to laws, guidelines and regulations, as well as agreed common rules. These influence the functionality and the use of the data in the application. This applies, for example, to the risks in personnel administration arising from the laws of the various countries in which the application is used.

How can a high standard of application security be achieved?

Ultimately, the individual steps of the application security lifecycle should be iterative and regressive. A "Design & Concept" phase of the highest quality plays a decisive role here.

Studies and experience from development projects indicate a factor of 1:3 or 1:4 for rectifying failures that originate in the design or concept once the application is in the maintenance and monitoring phase. The selected controls, i.e. the individual measures derived from the application risk assessment, should be adapted to the residual risk. This means that a "higher risk" leads to different, and possibly a higher number of, measures.

What happens next?

In the next few publications, we will look at the individual steps of an application security lifecycle, from requirements analysis and application risk management through to the operation, maintenance and decommissioning of the application.

November 30, 2022

Dr. Gerd Grimberger
Legal IT specialist
