Identifying Potential Software Architecture Issues


To avoid a range of potential problems when implementing an application, it's a great idea to be proactive and evaluate the security of an application before it's purchased or written. A key aspect of this process is to talk to vendors at length about their products so that you can do a thorough evaluation of them and make solid recommendations to the potential application owners as to which product would be the best from a network configuration and security standpoint. The trick is knowing what information to get from the vendors and how to get it.

Software Evaluation Checklist

Many people who work in information security are involved in the process of choosing enterprise software solutions. When you are talking with software vendors or application developers, you might be unsure what questions you should be asking. Following is a list of questions that can help you evaluate the security of application architectures. Besides these general questions, ask specific questions related to your environment and security policy:

  • How will this application interact with the rest of your environment? With what other resources on your network, or other networks, will it work? Do special requirements exist that have security implications; for example, does the application's host need to be a member of the same Windows domain as other servers?

  • Who will be using this application: external or internal users or both? Who will be administering or updating this application: external or internal users or both?

  • What network protocols will be used, and what ports will need to be open? In which direction will the traffic flow, and which components will initiate the connections?

  • If network traffic should be encrypted, does the application perform that encryption? If so, what encryption algorithm choices are available? Are these industry standards or proprietary methods? If encryption is not available, can the traffic easily be "wrapped" in a VPN-style application or protocol that can provide adequate encryption?

  • Does this application work with your current network security and network configuration (that is, proxy servers, firewalls, NAT)?

  • Does security seem to be a fundamental part of the product or an afterthought? Does the vendor incorporate good security practices into its product design? When a security flaw is found, does the vendor act quickly to inform its customers and release a patch?

  • Does the vendor have security-related deployment recommendations? Does the vendor supply default architecture recommendations? Will the vendor support the application if you deploy it in a different architecture than what is recommended?

  • Is this application consistent with your network security policies?

Sources of Application Information

It's often helpful to test a working demo copy of the product. Sometimes this is not possible due to the complexity of the application, but in some cases it's trivial. If possible, install a demo of the product and look at its behavior. Another option is to talk to other organizations running the software to find out what problems they have encountered involving security or application architecture. This can give you a different point of view and provide valuable information that you cannot find elsewhere.

When you are attempting to evaluate the security of a product that you don't have access to, you have to rely primarily on the vendor for information. Don't be afraid to ask detailed technical questions and demand specific answers, preferably in writing. Don't settle for a general assurance that an application will work in any environment, because this simply isn't true. Every environment is different, and vendors certainly can't be expected to create a product that is going to work in each one. In addition, look for other sources of information on the security of the productreviews, security advisories, and the like.

Just the Facts, Please

I've been in many meetings with vendors where I asked fairly simple technical questions and received very vague answers. For example, during a product demonstration, I asked a vendor which firewall ports would need to be opened. The vendor said that some would need to be and that we could work all that out during final implementation. Obviously, that is not an acceptable answer. Insist on getting specific answers to your questions to prevent problems for both sides in the future.


How to Handle an Unsecurable Application

At times, an application's characteristics are such that you feel it cannot be deployed with sufficient security in your environment, or it clearly violates your organization's security policy. You have a few options at this point: replacing the application, modifying it, or deploying it with less than ideal security. In the latter case, you and the application owners will need to discuss the severity of the security issues and the risks of deploying the application.

If the application owners are considering replacing or changing the application, they need to consider the time and resources necessary to make that happen. Of course, they should also consider security more strongly during product selection or modification so that other security or network problems do not occur again.



    Inside Network Perimeter Security
    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    EAN: 2147483647
    Year: 2005
    Pages: 230

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net