2017 AFCEA Defensive Cyber Operations Symposium

Build Theater - Mobile Enablement: What are you waiting for? (Room Halls F and Swing)

Approved for 1 CompTIA CEU:  A+, Network+, Security+, Cloud+, Cybersecurity Analyst (CSA+), and CompTIA Advanced Security Practitioner (CASP); 1 GIAC CPE

Because the volume of applications evolves daily, the opportunity to attack important data grows at a rapid pace. Historically, application security has been addressed reactively, which leaves room for threats to have already infiltrated the Department of Defense network. It is important for the future of application security to be addressed in a proactive manner. In implementing this solution, the challenge is defining the balance between securing applications running on the network and keeping them functional enough for us to complete our jobs effectively. How secure is secure enough?

During this session we will discuss the prior application vetting resolutions and the lessons learned which evolved from them. What has been done in comparison to what can be done better? We will also consider the feasibility of meeting challenges such as upfront security approaches, robust sustainment processes, and a measurable way to relate secure application practices to functional working objectives.

The first step will be to define what elements make up a secure network as we know it today. Currently, there are application vetting processes in place and mobile threat detection is on the horizon. These are just a few ways to identify and protect against network vulnerabilities. For application vetting, static code analysis, dynamic analysis, and network analysis are performed and weighted based on the level of risk involved. Mobile threat detection makes use of various application behaviors as they occur on mobile devices.

The second step will be to define and prioritize what is meant by functional applications. What is the objective of accessing various applications? Mission-oriented applications are required to perform a job, yet using them opens up our network to security vulnerabilities. For example, guidance doesn’t permit enabling GPS, but this may be necessary for the mission.

The third step requires looking at the aforementioned parameters and brainstorming proactive approaches to meeting these needs. What concepts are implemented today that can not only identify these security flaws, but also invoke actionable approaches to controlling these vulnerabilities? Is there a future in embedding security parameters during application development that would shape a more secure application? How can we automate security approaches that improve these applications on a consistent basis?

The fourth step is defining a process for standardizing this approach: (a) prioritize security vulnerabilities against the mission objective; (b) integrate automated approaches to implementing this concept; (c) follow through with documenting and refining the process, anticipating that applications will increase in volume and security sophistication.

In summary, by addressing these 4 steps, the user community as well as the cybersecurity side can work together harmoniously to complete the overall task of effectively supporting our warfighters.