
Common Business Applications

Losing millions of dollars because a credit card database was left reachable with a default login and password should only ever be a security administrator's bad dream, never the excuse given to the boss after millions of dollars in fraudulent charges have appeared on customers' credit cards.

Securing common business applications is one of the most important decisions a company of any size will make in the 21st century. To understand what securing them means, we first look at the different types of businesses and the applications they depend on. We then answer why those applications need to be secured and survey the common methods used to secure them, including the concepts behind securing web, database, email, and demilitarized zone (DMZ) services. From there we examine current security trends as they relate to business applications, then the Security Software Development Life Cycle (SecSDLC) and the Enterprise Information Security Policy (EISP), which together describe the process and procedures used to secure applications. Finally we consider the role of security in the future and what it is likely to mean for business applications.

There are many definitions of a business; a widely cited one comes from Wikipedia. “Any legally recognized organizational entity which provides goods and services to consumers or a corporate group like governments, non-profit charities is a business. The quest of business is to earn a profit, to which most are privately owned to increase the earnings to the owners. The owners and operators of a business must generate a financial return in substitution of work and potential accepted risk.” ("Business" Wikipedia) Because a business must accept some risk, security exists to ensure the business survives those risks. Types of businesses include,

“…Manufacturers, service businesses, retailers and distributors, agriculture and mining, financial businesses, information businesses, utilities produce public services, real estate businesses generate profit from the selling, renting, and development of properties, and transportation businesses deliver goods and individuals from location to location…” ("Business" Wikipedia)

What ties these kinds of businesses together? As the next paragraph shows, it is the departments a business relies on to meet its needs.

What do all of these different types of business have in common? The departments that maintain and operate the business units day after day are what make these businesses alike. For instance, the accounting department is a vital function in any business: when a business earns a profit, accounting has to track that money. “The financial reporting, financial controls and the raising of the capital necessary to run the business” is what makes almost every business similar. ("Business" Wikipedia) Other departments or functions of a business include human resources, marketing, sales, operations, production, customer service, procurement, purchasing, research and development, information technology, communications, and administration. ("Business" Wikipedia)

As you can see, a business needs many specific functions in order to operate, and each function depends on some kind of computer application. Without securing those applications the business puts its profits at risk. The next section discusses the types of business applications each department might use or encounter as part of its daily work.

The common business applications discussed above “can be categorized by the business functionality from an enterprise perspective and it can also be categorized based on how and where they run.” ("Definition for Common Business Applications") That gives two ways to separate the many applications a business faces: 1) by business functionality and 2) by how and where they run.

Business to Customer (B2C) applications are customer-facing applications, also considered client-end applications: web browsers, plug-ins, operating systems, and web sites that provide the end user with product information. Simply put, B2C applications usually have to be installed on the customer's computer or device. ("Definition for Common Business Applications")

Business to Business (B2B) applications are just that: they provide communication between two or more businesses, such as sharing supplier information for incoming and outgoing shipments. Separate, dedicated communication channels are usually established between partner businesses, which use the B2B applications to access and exchange information. Web-based content and services are the main platform on which B2B applications run, and ordering, status, and tracking systems are their main functions. ("Definition for Common Business Applications")

Lastly, internal applications are how a business conducts its day-to-day operations over its Intranet. An Intranet is in most cases not accessible to external devices or business partners. Human resources, finance, and helpdesk support are the kinds of functions that would normally use internal applications. ("Definition for Common Business Applications")

The second category is defined by how and where the application runs. Front-end and background applications are the two places where B2C, B2B, and internal applications run.

Front-end applications usually interface with the user through a graphical user interface (GUI) such as a web browser or a desktop/laptop client. Examples include ordering systems (B2C), email services (internal), and tracking database applications (B2B). ("Definition for Common Business Applications")

Background applications do not interface directly with the business or its customers. They are processes and tasks that run independently and support a front-end application, for example a shipping validation process, financial data transfers, and helpdesk ticket management tasks. ("Definition for Common Business Applications")

Common business applications are needed in every department, and their placement and how they work matter as much as what they do. Separating each application by its functionality and by where it runs helps with configuration management and with deciding how to protect it from malicious use. So why do we need to secure common business applications? As these applications become more standardized across industry and more widely used, the more attractive a target they become and the stronger the security implementation has to be. Hackers and crackers (external threat), malicious employees (internal threat), organized crime, business competition, stolen data, identity theft, data breaches, and hijacked personal information are just some of the reasons; the next paragraphs take them in turn.

In an article by Ray Martin called “Preventing Identity Theft”, he explains how consumer fraud is the most common complaint in the United States. “Last year, more than 750,000 Americans had their identities hijacked -- including high-profile victims like Oprah Winfrey and Tiger Woods.” (Martin) “It costs the average victim more than $1,000 to clean up the mess left by identity thieves, according to the Federal Trade Commission.” (Martin) Some alarming facts pointed out in Martin's article include,

This is a serious threat, and there is much more to support the case for securing common business applications. One of the most respected reports in the field is “The 2008 Data Breach Investigations Report”. The study was conducted by the Verizon Business Security Solutions investigative team and covers more than 500 forensic investigations over four years, involving some 230 million compromised records. ("Findings of the 2008 Data Breach Investigations Report") Below are some of the highlights of the report.

("Findings of the 2008 Data Breach Investigations Report")

This alone is reason enough to secure common business applications. The report also notes that many more intrusions involved a sophisticated, multi-step attack versus a single action by the intruder, so it is not only the application that is being targeted but the whole security posture of the business. Most intrusions originated from outside the business rather than inside, which again points to the resourcefulness of the external attacker compared with an insider who already has physical access. And because the statistics show a widespread lack of proper patch management, we can also conclude that the software development life cycle is not being implemented to full effect. ("Findings of the 2008 Data Breach Investigations Report")

Hackers and crackers (external threat), malicious employees (internal threat), organized crime, business competition, stolen data, identity theft, data breaches, and hijacked personal information: these are the reasons we need to secure common business applications now.

With an understanding of why we must secure common business applications, we turn to the common methods used to do so. In 2002 the META Security Group published a white paper called Protecting Web-Based Applications. In it META describes how “many organizations have the critical issue of developing those secure business applications” (META Security Group); the high-level solution is a layered architecture that secures each of the following,

Securing the infrastructure, the components, and the application itself is how you ensure common business applications stay safe from threats and from the increased risk that comes with continued business operations.

Begin by securing the infrastructure: border routers, zoned routers, internal routers, and switches. These determine how traffic is routed and switched throughout the company and, where needed, to the rest of the world. Components need to be secured next: firewalls, intrusion detection, intrusion prevention, operating systems, databases, email, instant messaging, servers, and the other common building blocks of a business's component-level architecture. As the infrastructure and the components within it are placed into trusted and untrusted zones, you reach the last cycle, securing the applications themselves. That includes secure programming practices for languages like Java and Perl, and specific application-level security controls such as application firewalls. (META Security Group)

A common mistake the META white paper points out is a “common theme throughout the security industry which is most security activity has emphasized securing the information technology infrastructure.” (META Security Group) There is no debate that without a secure infrastructure and secure network components you cannot have secure business applications, but all three layers are needed to ensure secure business applications.

“Making certain the application itself is protected is as important as protecting the base infrastructure. Primarily, application-level security is achieved by using secure coding practices to create appropriately hardened applications. Nevertheless, even in smaller businesses, it is difficult to ensure that all application developers are sufficiently trained in secure coding practices, procedures, and techniques which must be kept up on new vulnerabilities. In larger businesses, it is a challenge.” (META Security Group)
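The quoted passage leaves "secure coding practices" abstract. The following is an added example, not code from the META white paper or this essay, showing the single most common application-layer failure in database-backed business applications and its hardened form: a login routine that splices user input into SQL, next to one that allow-lists the input shape, binds it as a parameter, and compares the stored hash in constant time. The table, account names, and placeholder hash strings are constructed for the demo; a real system would store salted hashes from a slow password KDF.

```python
import hmac
import re
import sqlite3

# Constructed demo table: two accounts with placeholder password hashes.
# A real system would store salted hashes from a slow KDF (bcrypt, scrypt, Argon2).
_USERS = [("alice", "sha256:a1b2"), ("bob", "sha256:c3d4")]


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", _USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Insecure: user input is spliced into the SQL text, so a quote or a
    comment marker in the username changes the meaning of the query."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchone() is not None


# Allow-list for the shape of a username; anything else is rejected before SQL.
_USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def login_hardened(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Secure: validate the input shape, bind the value as a parameter so the
    database never parses it as SQL, then compare the stored hash in constant time."""
    if not _USERNAME_RE.fullmatch(username):
        return False
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], password_hash)


if __name__ == "__main__":
    db = build_demo_db()
    payload = "alice' --"  # the '--' comments out the password check in the spliced query
    print("vulnerable, injected :", login_vulnerable(db, payload, "wrong"))
    print("hardened,   injected :", login_hardened(db, payload, "wrong"))
    print("hardened,   legit    :", login_hardened(db, "alice", "sha256:a1b2"))
```

With the payload `alice' --` the spliced query becomes `... WHERE username = 'alice' --' AND password_hash = 'wrong'`, and everything after `--` is a comment, so the vulnerable routine authenticates without a password. The hardened routine rejects the payload at the allow-list, and even if the allow-list were removed the bound parameter would be matched literally against the username column and fail. The allow-list and the parameter binding are independent controls; keep both.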

The common methods for securing business applications may rely heavily on “secure coding practices” (META Security Group), but if you do not also secure your infrastructure you are inviting intruders right in. Include every layer in how business applications are secured and the result is lower risk and, in the long run, lower overhead, because vulnerabilities are avoided rather than patched. As business application security matures, it changes how the industry builds and processes applications. Next we examine one key trend in business applications and security: digital signatures.

B2B and B2C applications depend on evolving trends in application security as technology grows more complex and as malicious attackers continue to violate security principles. Digital signatures have become a cornerstone of how businesses and governments conduct their day-to-day tasks. Keeping the core CIA principles (confidentiality, integrity, and availability) enforced allows those processes to continue without interruption.

One interesting trend today is how digital signatures are used and implemented. Parag Shiralkar and Bindiganavale S. Vijayaraman of the University of Akron have identified many trends in business, the most important of which is the use of the digital signature. Shiralkar and Vijayaraman work in a management department that uses digital signatures every day for business functions. In their report, “Digital Signature: Application Development Trends In E-Business”, they discuss applications of “digital signature technology and the rise because of legal and technological developments, along with strong market demand for secured transactions on the Internet.” (Shiralkar and Vijayaraman)

Their study of current trends in digital signatures draws on various business indicators and finds “that the majority of digital signature applications have been developed for the Business-to-Business (B2B) mode of e-business…Governments and the potential for their rapid growth in the Business-to-Consumer (B2C) mode of e-business” are also strong trends today. (Shiralkar and Vijayaraman)

“Digital signature technology involves encrypting messages so only genuine parties are able to read the message. Two divided but interrelated keys carry out this process of encryption and decryption. One party in the communication holds the secret key, or the private key, and the other party holds the public key. Shiralkar and Vijayaraman explain that digital signatures satisfy all functions, such as authenticity, non-repudiation, and security, of a hand-written signature. A signature can be viewed as a means of authentication and can be owned by an individual electronically. This technology must be verified or approved by a third party in order to handle the liability issues that may be raised by bilateral transactions.” (Shiralkar and Vijayaraman)

The trend began with the Utah Digital Signature Act, which introduced the concept of a Certifying Authority (CA): any organization that acts as a trusted third party. Many other states followed with very similar digital signature acts, or added provisions on security and online authentication to their state laws. These “technologically neutral acts” (Shiralkar and Vijayaraman) promoted business applications in all their modes, such as “business-to-business (B2B), business-to-consumer (B2C), and business-to-government (B2G) functions.” (Shiralkar and Vijayaraman)

As the digital signature evolves, do not be surprised if you start digitally signing your name on everything, including when you get in your car and turn the key. As technology grows more complex, securing business applications will increase and improve the use of the digital signature and carry the trend into the next decade. The next section discusses the Security Software Development Life Cycle (SecSDLC) and the Enterprise Information Security Policy (EISP).

Having covered the different types of businesses and their common business applications, why those applications need to be secured, the common methods used to secure them, and the concepts behind that security, we now look at how it all comes together to produce a secure business application. Following the right process from the beginning is how a good business application is produced. The Security Software Development Life Cycle (SecSDLC) is the methodology used to secure, implement, and maintain each business application throughout its life cycle. The SecSDLC and the Enterprise Information Security Policy (EISP) are about understanding the process and procedures used to secure common business applications.

Based on the Systems Development Life Cycle (SDLC), the SecSDLC comprises six phases: investigation, analysis, logical design, physical design, implementation, and maintenance and change. Meador summarizes them as follows,

“The stages are part of a progressive model in which each phase begins with the result and information gained from the last phase. The investigation phase inspects the current status of your businesses information security. The analysis phase consists of documenting your businesses information assets and associated threats, as well as legal requirements involving information security. The logical design phase creates and/or develops your information security plans while the physical design phase develops the particular technologies needed to apply the logical design. Implementation puts into practice what is determined in the physical design phase, and the maintenance and change phase includes life time testing and modification of the security system.” (Meador)

Investigation - With new information in hand, you begin at the investigation phase of the SecSDLC. An internal examination of your security and applications reveals current information system practices and should result in documentation of the hardware and software used for security purposes. Existing policies, if any, are reviewed in this phase, along with the kind of protection and current controls applied to applications on the network. Daily activities to consider during the investigation phase include server backups of critical data and application software. Key roles and responsibilities should be identified and agreed upon before the investigation phase completes. Lastly, a budget or funding source needs to be identified and investigated to arrive at the total cost set aside to reach the end result, which is implementing and maintaining the business applications. (Meador)

Analysis - The investigation phase concludes with a list of assets and the threats or risks to them, which are compared in the analysis phase of the SecSDLC. Threats might include viruses, and without virus protection your assets are at risk. (Meador) Identifying those issues in this phase ensures your business applications are built, and coded, with instructions for handling the specific threats.

Logical design - Creating the information security program is the goal of the logical design phase. It starts by establishing an information security policy, or policies, that senior management endorses and enforces. Defining which network behavior is allowed and disallowed, based on the analysis phase, assists in policy design. “All users should be forced to sign an acknowledgement of and agree to follow the information security policy, also known as acceptable use policy.” (Meador) The logical design phase also creates solutions to the problems identified in the previous two phases. For instance, if you have public-facing web servers, recognize the threat of possible intrusions and include a firewall in the logical design to detect and defeat it.

Physical Design - After all of the logical design aspects have been identified and the dos and don'ts put into policy, the physical design phase is responsible for enacting the results. Plans of action and courses of action should be developed that call out the specific technologies, techniques, and procedures that solve each issue in your information system(s).

Implementation - All of the plans made in the preceding phases are executed. The overarching plan should include deliverables, the step-by-step instructions for completing each deliverable, and the person(s) responsible for each action item. Control in this phase is very important, because a mistake here defeats every process used to reach implementation.

Maintenance and change - This phase lasts throughout the lifetime of the business application and does not end until the program is decommissioned. (Meador) It includes functions like penetration testing, vulnerability assessments, and patch management. (Meador) As new technologies are added to the overall information systems, the maintenance and change phase must keep pace.

The SecSDLC is a vital part of the common business application and should be executed with the utmost diligence. When you consider the impact of a mismanaged SecSDLC on the bottom line of your business, this is not a place to make a mistake. Cover the enterprise with the right kind of security; due diligence is mandatory.

To ensure the Iowa Department of Administrative Services had properly enacted an enterprise-wide security policy, Governor Thomas J. Vilsack implemented an Enterprise Information Security Policy (EISP). (Anderson) The EISP is used to create an atmosphere within an organization that upholds system security, availability, data integrity, and individual privacy by preventing unauthorized access to information and information systems. This kind of policy sets out the authorities and responsibilities that users of the information system must recognize. (Anderson) Maintaining the EISP ensures new technologies are not misused or abused. Every organization with an information system network should have an EISP that covers the entire organization and sets the tone for good security practices. (Anderson)

The SecSDLC and EISP are foundations of practice that will be engraved in security trends for a long time to come. But what is the role of security in the future? Next, a few ideas of what to expect security to look like in the near future, and a prediction of the role of security as it relates to common business applications.

Security will in no way get easier; in fact some believe the worst-case scenario is unfolding right now. Security in the future will change, but what are some predictions of security as it relates to business applications? An article by Scott Berinato, executive editor of CSO magazine, describes the future of security,

“There's no need to imagine a worst-case scenario for Internet security in the year 2010. The worst-case scenario is unfolding right now. Based on conservative projections, we'll discover about 100,000 new software vulnerabilities in 2010 alone or one new bug every five minutes of every hour of every day…security incidents worldwide will swell to about 400,000 a year, or 8,000 per workweek. Windows will approach 100 million lines of code, and the average PC, while it may cost $99, will contain nearly 200 million lines of code. And within that code, 2 million bugs. By 2010, we'll have added another half-a-billion users to the Internet. A few of them will be bad guys, and they'll be able to pick and choose which of those 2 million bugs they feel like exploiting. In other words, today's sloppiness will become tomorrow's chaos.” (Berinato)

As for the role of security in the future, I think we can expect our applications to become more vulnerable, which will lead eventually to a reformation of our current security practices. This of course increases the role of security. Business applications will have to be written better, checked more often, and deployed more securely. The idea that security will play a much larger role in the future is not new. In fact, Watts S. Humphrey, founder of the Software Process Program at the Software Engineering Institute (SEI) at Carnegie Mellon University, is seen as the innovator who will bring security back into applications. (“Biography - Watts S. Humphrey”)

Mr. Humphrey has been recognized as having the “blueprint for a security reformation that will enable a new software development process that changes the governance and structure of software engineering to favor security.” (Berinato) This process is “called Team Software Process (TSP) and Personal Software Process (PSP).” (Berinato) The future role of security in business applications will come through a fundamental change of the rules: business applications will be written, deployed, and patched all at the same time. This idea comes with a cost, and an uphill battle, as Scott Berinato explains: “Individual companies make, buy and deploy software to gain a competitive edge, even as the networking of that software degrades security for everyone. There's no incentive for any single company to improve security for everyone, especially if doing so threatens the company's competitive position and wealth.” (Berinato)

Some believe the future role of security in business applications will be something more extreme. Because the openness of the Internet and of software development has produced such vulnerable results, the only conclusion, on this view, is to build applications that block access. (Berinato) Authentication applications will likewise boom, to the point where “the federal government will mandate that users must authenticate their identity to access the Internet itself, a sort of digital passport system for entering cyber-country.” (Berinato)

“Enforcement of the government's security policy will come from broad, ubiquitous surveillance, both visual monitoring and keystroke logging. The adaptation of cheap wireless gadgets like RFIDs will make the tracking of people and things simple, cheap and inevitable. Some people, perhaps the majority, will accept this as the price that must be paid to avoid another digital Pearl Harbor. Others will rue what the lockdown has wrought: an utter lack of privacy, a digital iron curtain descending upon innovation, economic stagnation, and social calcification. Big Brother will arrive fashionably late, but arrive he will. Security and privacy will become dominant themes in the elections of 2010 and 2012.” (Berinato)

Whatever the predictions about the role security will play in common business applications, we already know today that common business applications are in use and that they are vulnerable. We know there is a responsibility to secure them. The time to act is now, before the wrong intrusion set occurs and you are left with a knotted ball of string some might call your business application.

Securing common business applications is one of the most important decisions a company of any size will make in the 21st century. We discussed the different types of businesses and their common business applications, then answered why those applications need to be secured and what the common methods are for securing them. Describing some of the concepts behind securing business applications, including web, database, email, and demilitarized zone (DMZ) services, showed what the work involves. In examining the Security Software Development Life Cycle (SecSDLC) we saw why its process and procedures are used to secure common business applications, along with the importance of an Enterprise Information Security Policy (EISP). Lastly we explored the role of security in the future and some predictions about that role as it relates to business applications.

Works Cited

Anderson, Mollie K. Iowa. Director's Office. Iowa Department of Administrative Services. Enterprise Information Security Policy. 28 Jan. 2005. 14 June 2008 <http://www.iowa.gov/standards/documents/IowaEnterpriseSecurityPolicy050128.pdf>.

Berinato, Scott. "2010: the Future of Security." Chief Information Officer Magazine. 15 Dec. 2003. CSO Magazine. 14 June 2008 <http://www.cio.com/article/32033/_The_Future_of_Security>.

"Biography - Watts S. Humphrey." Software Engineering Institute Carnegie Mellon University. 2008. Carnegie Mellon University. 14 June 2008 <http://www.sei.cmu.edu/tsp/watts-bio.html>.

"Business." Wikipedia. 14 June 2008. Wikimedia Foundation, Inc. 14 June 2008 <http://en.wikipedia.org/wiki/Business>.

"Definition for Common Business Applications." Open Web Application Security Project. 3 Aug. 2006. 14 June 2008 <http://www.owasp.org/index.php/Definition_for_common_business_applications>.

"Findings of the 2008 Data Breach Investigations Report." Net-Security.Org. 11 June 2008. Net-Security.Org. 14 June 2008 <http://www.net-security.org/secworld.php?id=6213>.

Martin, Ray. Preventing Identity Theft. CBS News. New York: CBS News, 2002. 14 June 2008 <http://www.cbsnews.com/stories/2002/05/21/earlyshow/contributors/raymartin/main509691.shtml>.

Meador, William J. "Securing a School Network." Techlearning.Com. 1 Mar. 2005. East Carolina University. 14 June 2008 <http://www.techlearning.com/showArticle.php?articleID=60401696>.

Protecting Web-Based Applications. META Security Group. META Security Group, 2002. 1-7. 14 June 2008 <http://www.cgisecurity.com/lib/ProtectingWebBasedApplications.pdf>.

Shiralkar, Parag, and Bindiganavale S. Vijayaraman. "Digital Signature: Application Development Trends in E-Business." Journal of Electronic Commerce Research os 4 (2003): 94-101. 14 June 2008 <http://www.csulb.edu/web/journals/jecr/issues/20033/paper2.pdf>.
