This week focuses on application security. This is an interesting dilemma. Let's say we have well-maintained and managed operating systems. We watch our logs, and we know what is coming in and out of our network. We even know what devices and software are on our network. However, what do we know about some of those applications? How do those apps work? Do they have patches? What about security flaws? Many of these questions need to be answered for off-the-shelf products. It gets even more interesting when we begin to consider home-grown products.
I used to work for a company that had an in-house software developer. He would take care of most of the behind-the-scenes database work as well as the main business analytics pieces. All of that to say he was creating code that gathered data which in turn ran the business. SANS recommends that software have a development life cycle. In other words, much like hardware or other off-the-shelf products, a plan needs to be in place. We state that we are creating a piece of software for a task, and we plan how to implement it and how to take it out of the enterprise. This also means knowing what pieces of software are developed in-house, and who is responsible for them.
I will be honest; I don't have a lot of experience with this. However, it is clear to me that having software developers involved in ongoing education and being a part of a community of practice would help a lot. In the end, people need to understand what is going on and have a process in place. This should ensure that an account can be made of all locally developed products.