Web and Enterprise Application Controls
With high-profile data breaches announced every day, a growing number of compliance initiatives now mandate application controls. These initiatives were enacted to address both external attacks and insider threats. Regulations such as PCI DSS, SOX, and HIPAA require application controls as a means to protect data confidentiality and integrity. Enterprise applications including SAP, Oracle EBS, and PeopleSoft are subject to regulatory compliance requirements focused on insider threats.
The following application controls will satisfy most regulatory compliance requirements:
Protect Web Applications Against Known Attacks
Organizations should fortify public-facing Web applications with a Web Application Firewall (WAF). A WAF automatically detects and blocks attacks before any damage can occur. A WAF provides continuous protection, not just protection after a scan, fix and test cycle, and fully satisfies PCI DSS requirement 6.6. A WAF should block the OWASP Top Ten Web security risks, stop both known and custom application attacks, and virtually patch application-specific vulnerabilities.
Securing and Auditing Key Enterprise Applications
Businesses store sensitive financial, personal and operational data in enterprise application databases. Faced with increased security risk and regulatory scrutiny aimed at this data, organizations are looking to improve security and demonstrate compliance without impacting application performance and availability. A comprehensive solution for access control, activity monitoring and auditing, and vulnerability assessment should be application-aware and minimize the performance and operational impact on enterprise applications.
Follow Secure Web Application Development Best Practices
Implementing application code according to security best practices can effectively reduce the number of vulnerabilities in Web applications. Secure Web development is an important way to fortify applications and satisfy multiple federal and industry regulations, including the PCI DSS and the Massachusetts Data Protection Act. Used in conjunction with a Web Application Firewall, a Database Firewall, vulnerability scanning, and code review, secure Web development offers a comprehensive defense-in-depth strategy.
Apply Latest Vendor Supplied Security Patches
To ensure the most up-to-date protection against vulnerabilities, organizations should install security patches on critical systems and applications. Security patches protect critical assets from published, easily exploitable vulnerabilities. Database and Web vulnerability assessment tools can help organizations discover unpatched systems and manage and prioritize patch updates. Integrating database assessment with a database firewall enables virtual patching of vulnerabilities, sometimes even before a vendor patch is released.
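The virtual patching mentioned in the WAF and patching sections above is a rule applied in front of the application that constrains a specific endpoint parameter until the code or vendor fix ships. The following is an added example written for this page, not code from the original page or from any vendor product; the Request and VirtualPatch classes, the rule format, the endpoints (/account, /search) and the sample requests are all constructed for illustration. It uses a positive security model (declare what the parameter is allowed to look like, block everything else) and records a verdict per request so the output can feed an audit report.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


# Constructed request model for the example; not any product's API.
@dataclass
class Request:
    method: str
    url: str          # path plus query string, e.g. "/account?id=1042"
    body: str = ""    # form-encoded body for POST requests


@dataclass
class VirtualPatch:
    """Positive-model rule for one endpoint parameter (hypothetical rule format)."""
    patch_id: str
    path: str
    param: str
    allowed: re.Pattern   # the whole value must match this pattern
    max_len: int          # hard length cap, checked before the regex


# Constructed rules standing in for findings an assessment tool would produce:
# the account id must be a short integer, the search term a short word list.
PATCHES = [
    VirtualPatch("VP-0001", "/account", "id", re.compile(r"[0-9]{1,10}"), 10),
    VirtualPatch("VP-0002", "/search", "q", re.compile(r"[A-Za-z0-9 ]{1,64}"), 64),
]


def extract_params(req):
    """Return (path, {name: [values]}) merged from the query string and a form body."""
    parts = urlsplit(req.url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if req.method.upper() == "POST" and req.body:
        for name, values in parse_qs(req.body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return parts.path, params


def evaluate(req, patches=PATCHES):
    """Return ("allow", None) or ("block", patch_id) for one request.

    Every occurrence of a patched parameter is checked, so a repeated
    parameter cannot slip a bad value past the rule.
    """
    path, params = extract_params(req)
    for patch in patches:
        if patch.path != path or patch.param not in params:
            continue
        for value in params[patch.param]:
            if len(value) > patch.max_len or patch.allowed.fullmatch(value) is None:
                return "block", patch.patch_id
    return "allow", None


def audit(requests, patches=PATCHES):
    """Produce one audit record per request, the raw material for a compliance report."""
    records = []
    for req in requests:
        verdict, patch_id = evaluate(req, patches)
        records.append({"method": req.method, "url": req.url,
                        "verdict": verdict, "patch": patch_id})
    return records


if __name__ == "__main__":
    # Constructed sample traffic: two in-policy requests, two that violate a rule.
    sample = [
        Request("GET", "/account?id=1042"),
        Request("GET", "/search?q=laptop+bag"),
        Request("GET", "/account?id=12abc"),
        Request("POST", "/search", body="q=" + "a" * 65),
    ]
    for record in audit(sample):
        print(record)
```

Because the rule states what is expected rather than what is forbidden, it needs no knowledge of a particular attack string, which is why this kind of patch can be written from an assessment finding before the vendor fix exists. When the application is patched, the rule is retired, and the audit records show for how long the control was in place.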
Generate Pre-Defined and Custom Compliance Reports
Security and auditing reports document regulatory compliance. Out-of-the-box reports should demonstrate how application controls have been implemented, while custom reports offer unique views tailored to individual business requirements. Flexible graphical reports, as well as real-time alerts and audit analytics tools, enable organizations to easily understand and present security and compliance status.