Thursday, January 16, 2020

Implementation Of The Scalable And Agile Lifecycle Security For Applications (SALSA)

The SALSA framework is a revised version of security approaches previously used to detect security defects in web applications. Here, the SALSA framework is applied to monitoring the attack vectors that interfere with the proper operation of an application, and to the ways in which an application can be kept in a stable state after an attack. The automated build has a major influence on how SALSA operates, because it turns checking into a continuous practice once the areas exposing attack vectors have been fixed. SALSA also offers a number of benefits, which rest mainly on its overall effectiveness at monitoring attack vectors.

Introduction

SALSA is an approach that can check attack vectors and keep track of them through their development cycle. It is the product of a joint effort by two information technology organizations, SANS and Intrinsic Security. Its design resembles development methodologies that already exist, which contributes to its efficiency: little guidance is needed to operate it, and its implementation is highly interactive. SALSA can be implemented alongside several other security tools to obtain the desired results. Compared with the SDL, a broadly similar approach for mitigating security errors across the lifecycle of web applications, SALSA differs in providing more security practices. These additional practices are cost-effective, which allows them to be used in every area of the lifecycle, including development. The framework supports solutions that are measurable and automatic, and it can be incorporated into the development software an organization already has.
However, SALSA is not intended to replace an organization's methodologies but to influence how organizations consider security within their application environments and in managing them (Cockburn, 2008).

Scalable and Agile Lifecycle Security for Applications (SALSA) Framework to Assist in Monitoring Attack Vectors on Applications

Attack vectors comprise all exposed application interfaces, which have shown a need for continuous monitoring to protect them from attack. When attack vectors are not updated and managed accordingly, they are endangered by security threats that evolve constantly with technological advances. Exposed applications can be loaded with security threats that direct internet-connected computers to dangerous sites hosting malware; the process can also run in reverse, with malware directed at the computers connected to the internet. This is dangerous for applications, which become susceptible to defects that are then discovered by end users, and it is likely to affect the trust a user has previously developed towards an organization's applications (SALSA, 2009). In the present case, an attack-surface analysis technique recommended by SALSA will be applied regularly to uncover security threats in applications. This forms the first step developers take as they plan in the course of the application lifecycle. The checklist used will list all worst practices relevant to attracting attack vectors, and these will be banned. They will be replaced by best practices, including a standard directory for the particular application whose applications are being managed and updated.
Design documents will also be adjusted so that a customer's name must accompany his or her security number in the application details, in contrast to the previous situation where only the security number was requested. This provides more identity details for applicants and makes it easier to identify the worst sources. Since the design phase offers few opportunities for automation, security checklists built on a standard baseline will be of great importance; they address this shortcoming by adding rules to the process. These rules state that it is not necessary to hold sensitive data such as social security numbers in one's records, since holding them may accidentally expose the data to parties that were not supposed to have access to it. A further rule in the automated security checklist is that applicants who must provide their security numbers should have them encrypted when stored in databases, to avoid possible accidental exposure. Where security defects are detected in a particular application phase, SALSA encourages developers to review the design being implemented as well as its definition. Threat modeling, which forms part of the SALSA framework, will be carried out periodically to prioritize application items into those needing an immediate fix and those that can be fixed later (Howard, 2009). Once worst practices are detected and banned, appropriate practices take their place. It is the worst practices that act as sources of attack vectors, so monitoring them with the checklist and removing them eventually reduces the attack vectors.
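The automated security checklist described above, as an added example that is not part of the original post or of the SALSA framework's own tooling: the two rules on sensitive identifiers (do not store them without a documented reason; if they must be stored, encrypt them at rest) are applied to a design-time schema description. The schema format, the column names treated as sensitive, and the "worst practice" and corrected designs are all constructed for this example.

```python
"""Automated design-phase security checklist (added example).

Encodes two checklist rules from the text: (1) a sensitive identifier such as
a social security number should not be stored unless the design justifies it,
and (2) where it is stored, it must be encrypted at rest. The schema format
and the column names below are constructed for this example.
"""
from dataclasses import dataclass, field

# Column names the checklist treats as sensitive identifiers (constructed list).
SENSITIVE_COLUMNS = {"ssn", "social_security_number", "national_id"}


@dataclass
class Column:
    name: str
    encrypted: bool = False     # stored encrypted at rest?
    justification: str = ""     # design-document reason for collecting the field


@dataclass
class Table:
    name: str
    columns: list = field(default_factory=list)


def check_schema(tables):
    """Return a list of checklist findings; an empty list means the design passes."""
    findings = []
    for table in tables:
        for col in table.columns:
            if col.name.lower() not in SENSITIVE_COLUMNS:
                continue
            ref = f"{table.name}.{col.name}"
            # Rule 1: do not collect a sensitive identifier without a documented reason.
            if not col.justification.strip():
                findings.append(f"{ref}: sensitive identifier stored without design justification")
            # Rule 2: if it must be stored, it must be encrypted before it reaches the database.
            if not col.encrypted:
                findings.append(f"{ref}: sensitive identifier stored in plaintext; encrypt before storing")
    return findings


# Constructed sample designs: the banned "worst practice" and its corrected form.
WORST_PRACTICE = [
    Table("applicants", [Column("name"), Column("ssn")]),
]
BEST_PRACTICE = [
    Table("applicants", [
        Column("name"),
        Column("ssn", encrypted=True,
               justification="required for eligibility verification"),
    ]),
]

if __name__ == "__main__":
    for label, design in (("worst practice", WORST_PRACTICE), ("best practice", BEST_PRACTICE)):
        result = check_schema(design)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run as a build step, a non-empty findings list fails the design review gate; the same function can be re-run unchanged at every later phase, which is the continuous checking the text attributes to the automated build.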
Once appropriate security practices that are not susceptible to attack vectors are in place, they must be maintained so that they stay up to date throughout the application development cycle. Maintaining them avoids subsequent attacks and involves identifying new practices that emerge during the application's life and are important for avoiding attack vectors. Attack-surface analysis will be integrated as one of the design tasks within the application design phase. Each phase of the application lifecycle will have its own security checklist, incorporated into the maintenance and updating process. This enables consistent checks at every iteration, in contrast to the SDL, where security checking is conducted only occasionally (Chess, 2007). Fixing appropriate, non-susceptible practices within the application lifecycle is followed by integrating the same security practices into an automated version of the checklist. This improves the security of the software in use, since automated checking is applied to both intranets and extranets that hold sensitive data. An automated system can check for attack vectors automatically throughout application development, and this continues as a routine for the application's entire lifecycle. The automated build comprises several elements, including complexity limits and metric measures. Utilities included in the application's codebase, such as JavaNCSS, can produce metrics; others, such as the cyclomatic complexity number, can produce complexity estimates for the software modules in use.
These two measurements matter to the managers of this application project because they show when a design review is required, for instance when a software module shows a high complexity rating. The more complex a module for checking attack vectors is, the harder it is to maintain, and complexity leads to accidental security errors in the code during application development. These assessments will be automated so that an alert is generated the moment a module exceeds the level set for attack-vector checking. This calls for an immediate review of the application's design before the complexity breaks the entire application (SANS, 2009). Another element of the automated system is code analysis, also automated. It analyzes code from the application's sources in different languages to detect errors that, if missed, would have adverse security implications. This analysis is essential because once the distinct tools for the various languages are identified, they are easy to apply within the automated system that checks attack vectors. This in turn reduces attack vectors and improves the overall quality of the code used in the attack-vector detection practice. Automated unit testing follows the automated code analysis. Automatic tests are run on the areas where worst practices carrying attack vectors were replaced with appropriate practices, to avoid subsequent attacks. This testing is automated because it is clear that subsequent attack vectors can cause unintended security consequences.
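The complexity alert described above, as an added example that is not part of the original post or of the SALSA framework: the post names JavaNCSS, a Java metrics utility, so the exact counting rules of that tool are not reproduced here. Instead this Python script computes a cyclomatic complexity number for every function in a source file using the standard library's ast module and emits a build alert for each function above a threshold. The decision-point rules, the sample source, and the threshold of 8 are constructed for this example.

```python
"""Cyclomatic complexity gate for an automated build (added example).

Complexity starts at 1 for a straight-line function and grows by one for each
decision point. The node set below is a constructed approximation of the
cyclomatic complexity number, not the output of JavaNCSS or any other tool.
"""
import ast

# AST nodes that each add one decision point.
BRANCH_NODES = (ast.If, ast.For, ast.AsyncFor, ast.While,
                ast.ExceptHandler, ast.IfExp, ast.Assert)
# Nested definitions are measured on their own, not folded into the enclosing function.
NESTED_DEFS = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)


def cyclomatic_complexity(func_node):
    """Count decision points in one function body, skipping nested definitions."""
    complexity = 1
    stack = list(ast.iter_child_nodes(func_node))
    while stack:
        node = stack.pop()
        if isinstance(node, NESTED_DEFS):
            continue
        if isinstance(node, BRANCH_NODES):
            complexity += 1
        elif isinstance(node, ast.BoolOp):
            # `a and b and c` adds two decision points, one per extra operand
            complexity += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            # one for the loop, one for each `if` filter
            complexity += 1 + len(node.ifs)
        stack.extend(ast.iter_child_nodes(node))
    return complexity


def module_complexities(source):
    """Map every function and method name in the source to its complexity."""
    tree = ast.parse(source)
    return {
        node.name: cyclomatic_complexity(node)
        for node in ast.walk(tree)
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef))
    }


def complexity_gate(source, threshold):
    """Return one build alert per function whose complexity exceeds the threshold."""
    alerts = []
    for name, score in sorted(module_complexities(source).items()):
        if score > threshold:
            alerts.append(f"ALERT: {name} has cyclomatic complexity {score} > {threshold}; "
                          "schedule a design review")
    return alerts


# Constructed sample module: one simple function and one that is hard to maintain.
SAMPLE_SOURCE = '''
def parse_header(line):
    if not line:
        return None
    key, _, value = line.partition(":")
    return key.strip(), value.strip()

def route(request, acl):
    if request.method == "GET" and request.path.startswith("/admin"):
        if request.user is None or not acl.allows(request.user):
            return 403
        for rule in acl.rules:
            if rule.matches(request.path):
                return 200
    elif request.method == "POST":
        try:
            body = request.json()
        except ValueError:
            return 400
        return 201 if body else 204
    return 404
'''

COMPLEXITY_THRESHOLD = 8  # constructed limit for this example

if __name__ == "__main__":
    for name, score in module_complexities(SAMPLE_SOURCE).items():
        print(f"{name}: {score}")
    for alert in complexity_gate(SAMPLE_SOURCE, COMPLEXITY_THRESHOLD):
        print(alert)
```

In a build, a non-empty alert list would fail the job, so the review is triggered by the build itself rather than by someone remembering to check the numbers. The threshold is a project decision; the text only requires that one exists and that exceeding it produces an alert.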
Such consequences may include data exposure when application modules have already crashed. Where such attack vectors are encountered, their attack surfaces are replaced, after which automated tests are created to prevent similar breakdowns in future. The automated system also includes automated packaging, which assists in configuring the entire application system. Automating packaging reduces the number of human errors that can introduce attack vectors into application systems at installation time. Automated packaging rounds off the implementation of the SALSA framework for monitoring attack vectors (Howard, 2009).

Benefits of the SALSA Framework

The SALSA framework, which rests on the distinctive element of the automated build, has a number of benefits; these are also its advantages over the approaches previously applied to similar applications. Among them is its ability to overcome scalability challenges, which requires the automated build. The continuous protection SALSA provides results in sustainable security accompanied by improved application quality. The cost of fixing software after it has broken down because of defects such as those caused by attack vectors is considerably reduced, since consistent checks ensure that the system does not break down. Integration costs are also greatly reduced, because SALSA is supplied in an already integrated form that needs no additional integration to work. SALSA reduces the possibility of human error within the lifecycle of applications for attack-vector monitoring. The effort required to verify security standards and to reduce security defects such as attack vectors is also reduced.
All these benefits give the SALSA framework preference over other approaches in security applications (Howard, 2009).

Conclusion

It is clear that the SALSA framework is a very effective and efficient approach applied in various security applications for websites. Its main objective is continuous checking for security defects such as the one under study. The SALSA framework is expected to give very good results in checking attack vectors and in maintaining a state free of attack vectors. The various elements of the automated build contribute greatly to attaining this state, since they ensure consistent operation throughout the lifecycle of this particular application (Chess, 2007).
