Application Security: How It Works

The term application security summarizes the processes, tools and methods used to protect your applications against external cyber-attacks, as well as unauthorized access and attacks from within. It is vital that the measures you set protect your applications against external and internal threats and abuse throughout the duration of their lifecycles. IT security experts recommend taking measures both on the software and hardware levels.

Oh, brave new world! Do you remember the time when cyber security meant protecting static websites and desktop applications? Today, most organizations deploy a colorful mix of third-party and open-source systems and standard software components, alongside other types of applications (e.g. desktop, web, mobile, microservices). These programs are usually accessed via networks, which inevitably exposes them to all sorts of threats.

Most businesses allow not just their users to access the data that is managed within these applications, but also grant access to business partners, suppliers and other relevant parties.

Such a slack approach to data management can quickly turn into an exploitable weakness. If important systems such as SAP or Microsoft® Dynamics NAV are not sufficiently protected, you’ll have internal and external perpetrators walking all over you.

First off, application security is a malleable concept that should be discussed and defined as part of an ISMS (Information Security Management System). Those in charge should create a security profile for each application that is used in the company and precisely define the role of this application with regard to the company’s resources: What is the application allowed to do, what is it not allowed to do?

Another measure to combat data abuse and other security risks is to compile a threat model. This involves identifying and prioritizing potential threats to the company’s resources and might include anything from a broken storage medium to large-scale hacker attacks. All incidents as well as any actions taken in each case must be sufficiently documented.

The most common approach to safeguarding application security is the installation of firewalls. Firewalls are designed to prevent certain applications from executing files or processing data. Other useful and common measures for improving application security include:

One striking issue that recrystallizes each time a data incident occurs is the misconception that the greatest threat to sensitive data emanates from cyber criminals – when in reality employee data theft poses a much greater security risk, as organizations tend to either overlook or ignore it entirely. However, by investing in a professional access management strategy, this risk can be significantly mitigated.

Managing users and access rights for different systems and programs manually instead of centrally poses a great threat to application security, simply because admins have no way of maintaining a good overview of who has or needs which rights. They will happily assign rights to users as needed, but not revoke them once they are obsolete. This is the main problem with manual user management.

Example: take Ms. Williams, for instance, an employee of Organization X. She is given new rights because she switches from HR to the Sales Department, where she needs access to other folders and programs. However, the rights she had in HR are not revoked. She simply gets to keep them – even though she does not need them anymore.

Or Mr. Peterson, a colleague of Ms. Williams in Sales. He joins a big project which he needs additional rights for. Once the project finishes, however, his extra rights are not revoked either.

Reference users are another way of providing users with more privileges than they need. These actions combined lead to what is commonly referred to as a privilege creep.

Organizations who rely on manual user administration often have a problem with endpoint security, which usually ensures that malware such as trojans or keyloggers are unable to spread throughout the system.

These types of malware commonly find their way into systems via phishing-Mails, zero-day exploits or other vulnerabilities in applications that allow remote code execution. The more rights the compromised user account has, the faster and wider the malware can spread throughout the system.

Access management or identity and access management software constructs all necessary privilege structures automatically and in accordance with best practices and the principle of least privilege. The result is that the access rights each user receives are tailored precisely to their job description.

tenfold can further be integrated with more than 60 third-party systems, including SAP ERP, Microsoft® Dynamics NAV, Exchange, and more. Other external systems for which there is no individual plugin available can be integrated via the Generic Connector.

Once installed, you can simply import existing infrastructures to tenfold. Furthermore, there is an additional interface to the personnel database available which ensures that HR data is imported automatically to tenfold and that new user accounts are also created automatically, including the appropriate permissions.