
Interdependence of Cryptography and Applications Security, Research Paper Example

Pages: 4

Words: 1100

Research Paper

Introduction

In recent times, with the development of network technology, applications need to be secured against vulnerabilities, attacks and threats. This can be achieved with cryptographic techniques such as encryption. Cryptography is the science of data security, and it is concerned with objectives such as confidentiality, integrity, non-repudiation and authentication. To deal with security issues, best practices for data access auditing should also be implemented.

Data Access Auditing Practices

Auditing is an important component of a defense-in-depth approach to application security. The driving forces behind the need for auditing are privacy, integrity and confidentiality, as well as accountability for changes to the data (Gaylon, 2006). To be effective, auditing must be implemented through methodical and repeatable processes. As the components of the threat environment change, a periodic review of the audit is necessary. The following are five specific activities that make up best practice for auditing.

Access and Authentication Auditing:

This determines who accesses the application, and when and how. It ensures that the application and its data are accessed only by authorized users and that all their actions are tracked. The importance of this auditing is recognized by industry and government regulators: PCI-DSS, COBIT and ISO 17799 all specify the need to audit access and authentication.

User and Administrator Auditing:

This determines the activities performed by users and administrators. It is critical to the reliability and success of the audit system and provides full details of data access by users (Gaylon, 2006).

Suspicious Activity Auditing:

This identifies and flags any unusual, suspicious or abnormal access to sensitive application data. It involves analyzing the data collected during the two auditing processes above (Gaylon, 2006). Regulations such as SOX, GLBA, HIPAA and PCI-DSS are all about detecting and stopping the misuse of data.
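The analysis step described above can be sketched as rules applied to the records that access and user auditing collect. This is an added example, not taken from the cited white paper; the record layout, table names, user names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, user, event, object, rows_returned)
AUDIT_LOG = [
    ("2024-03-04 09:01:10", "alice", "LOGIN_FAIL", "-", 0),
    ("2024-03-04 09:01:25", "alice", "LOGIN_OK", "-", 0),
    ("2024-03-04 09:02:00", "alice", "SELECT", "cardholder_data", 3),
    ("2024-03-04 09:05:00", "alice", "UPDATE", "orders", 1),
    ("2024-03-04 02:13:01", "bob", "LOGIN_FAIL", "-", 0),
    ("2024-03-04 02:13:09", "bob", "LOGIN_FAIL", "-", 0),
    ("2024-03-04 02:13:20", "bob", "LOGIN_FAIL", "-", 0),
    ("2024-03-04 02:14:02", "bob", "LOGIN_OK", "-", 0),
    ("2024-03-04 02:15:30", "bob", "SELECT", "cardholder_data", 48210),
]

# Assumed policy: who may read each sensitive table, and what counts as abnormal.
APPROVED = {"cardholder_data": {"alice"}}
BULK_ROWS = 1000
FAIL_LIMIT, FAIL_WINDOW = 3, timedelta(minutes=5)

def flag_suspicious(records):
    """Return (timestamp, user, reason) for every record that breaks a rule."""
    findings = []
    recent_fails = defaultdict(list)
    # ISO-style timestamps sort chronologically as plain strings.
    for ts_text, user, event, obj, rows in sorted(records):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        if event == "LOGIN_FAIL":
            recent_fails[user].append(ts)
        elif event == "LOGIN_OK":
            # A success right after a burst of failures suggests password guessing.
            burst = [t for t in recent_fails.pop(user, []) if ts - t <= FAIL_WINDOW]
            if len(burst) >= FAIL_LIMIT:
                findings.append((ts_text, user, "login after failed-login burst"))
        elif obj in APPROVED:
            if user not in APPROVED[obj]:
                findings.append((ts_text, user, f"unapproved access to {obj}"))
            if rows >= BULK_ROWS:
                findings.append((ts_text, user, f"bulk read of {obj}"))
    return findings

if __name__ == "__main__":
    for finding in flag_suspicious(AUDIT_LOG):
        print(*finding, sep=" | ")
```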

Vulnerability and Threat Auditing:

This detects and monitors threats to the application's database and users attempting to exploit them. These threats can arise at any time and from unexpected users. The best approach is to scan the application on a monthly basis, and to use a 24/7 monitoring system for real-time alerting on attacks.

Change Auditing:

This establishes a baseline policy and then tracks deviations from that baseline. It involves detecting changes in the database structure and configuration. It also allows organizations to detect changes made by automatic batch processes, patches and software updates, as well as ad-hoc changes by users or administrators.
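A baseline-and-deviation check of this kind is shown below as an added example, not code from the cited white paper. It assumes an in-memory SQLite database with constructed table names, and treats the `foreign_keys` setting as the one piece of tracked configuration.

```python
import hashlib
import sqlite3

def snapshot(conn):
    """Fingerprint every schema object and the tracked configuration setting."""
    snap = {}
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master WHERE name NOT LIKE 'sqlite_%'")
    for obj_type, name, ddl in rows:
        # Hash the DDL so that any structural change alters the fingerprint.
        snap[f"{obj_type}:{name}"] = hashlib.sha256((ddl or "").encode()).hexdigest()
    snap["config:foreign_keys"] = str(conn.execute("PRAGMA foreign_keys").fetchone()[0])
    return snap

def deviations(baseline, current):
    """Compare a current snapshot with the approved baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, "
                 "customer_id INTEGER REFERENCES customers(id))")
    baseline = snapshot(conn)  # the approved state

    # Constructed ad-hoc changes of the kind a change audit should surface.
    conn.execute("ALTER TABLE customers ADD COLUMN card_number TEXT")
    conn.execute("CREATE TABLE tmp_export (id INTEGER, name TEXT)")
    conn.execute("DROP TABLE orders")
    conn.execute("PRAGMA foreign_keys = OFF")
    return deviations(baseline, snapshot(conn))

if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

In practice the baseline snapshot would be stored outside the audited database so that whoever changes the schema cannot also rewrite the baseline.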

Regular auditing and data protection should never be left to patchwork solutions. Application Security, Inc. (AppSecInc) provides a complete, all-inclusive security solution that addresses all of these aspects of data access auditing (Gaylon, 2006).

SDLC Management

The Software Development Life Cycle (SDLC) is a series of six phases that provide a model for the development and lifecycle management of an application. The intent of the SDLC process is to produce an application that is cost-efficient, effective and of high quality.

The goal of a good SDLC process is to capture, verify and implement all the security needs that make the application useful. Security therefore plays an important role in the SDLC (James, 2013). It can be divided into two areas: security in the SDLC process, and application operational security.

Security in the SDLC process:

To ensure that security is built into application development, security-related activities take place in each of the six phases (James, 2013).

Application Operational Security:

The development team decides which security controls to add to the application to protect confidentiality, availability and integrity. These controls may be administrative, physical or technical. Separation of duties is an example of an administrative control in the operations and maintenance phase.

In the Design Analysis phase of an SDLC process, there is a very high risk that backup data can be lost. To mitigate this risk, cryptographic encryption is applied to the backup data (James, 2013). Here, encryption is an example of a control that can reduce risk.

In the Testing phase, the security functions are tested to confirm the level of protection they provide. The cryptographic method used for the backup data is tested to make sure that the encryption is not defeated and that the backup data can be restored according to the procedure.

Fundamentals of DBMS

A database is a collection of related data files that are linked, integrated or cross-referenced to one another. A database management system (DBMS), or database manager, is a set of software programs used to create, edit, update and remove data in the database, and to store and retrieve it. These systems are mostly used to manage customer information, personal records, inventory information, library information, membership and subscription mailing lists, accounting information and data obtained from scientific research.

The advantages of a DBMS are improved availability, accuracy, minimized redundancy, program and file consistency, user-friendliness and improved security. However, implementing a DBMS is expensive and time-consuming, and unauthorized users can sometimes gain access to the database. Such security breaches can also pose a threat to individual privacy. There is therefore a need to secure the DBMS and the application using techniques such as cryptography (Bhavani, 2005).

It is the responsibility of the database administrator to determine the access privileges of the application's users. The authenticity of the data can be addressed by using cryptography and digital signatures. Cryptography can be used to detect as well as prevent security violations. In cryptography, the sender encrypts the data, transforming the plaintext message into ciphertext, and the receiver decrypts the received ciphertext back into the plaintext message. Public key cryptography and private key cryptography are the two types of cryptography. Public key cryptography involves both public and private keys: the sender encrypts the message with the public key and the recipient decodes it using the private key. In private key cryptography, both users have private keys. During the communication, the key distribution center generates a session key, which is sent in encrypted form to both the sender and the receiver using their private keys (Bhavani, 2005). The receiver can then decrypt the session key using the private key in order to decrypt the actual message. In this way, cryptography helps to secure the database as well as the application.

References

  • Bhavani Thuraisingham (2005). Database and Applications Security: Integrating Information Security and Data Management. Parkway NW, Boca Raton, Florida: Taylor and Francis.
  • Gaylon N. Cox II (2006). Database Auditing Best Practices [White paper]. Retrieved from Application Security, Inc. Website: gayloncox.com/samples/db_auditing.pdf
  • James E. Purcell (2013). Defining and understanding security in the Software Development Life Cycle [White paper]. Retrieved from SANS Institute Website: http://software-security.sans.org/resources/paper/cissp/defining-understanding-security-software-development-life-cycle

 
