I wrote earlier about the need to expand the focus of information security programs beyond infrastructure to incorporate application security components. It’s difficult to bridge these disciplines in part because the people responsible for applications and infrastructure often reside in different groups. Also, the security skills related to developing and maintaining applications differ from those related to systems and networks.
Here are my recommendations for breaking down the walls between application and infrastructure security:
- Unify application and infrastructure security responsibilities under the same leadership. If this is impractical in your organization, at least look for informal ways for the two teams to collaborate.
- Include application and infrastructure components in your penetration testing projects. Attackers will probably look for both types of weaknesses when looking to penetrate your defenses; mimic this behavior when conducting your security assessments.
- Include application logs as part of your log management or SIEM efforts. Incorporate security alerting and logging specs into your application development requirements to support this.
- Understand the role that your critical applications play in supporting business objectives. This may involve learning more about your organization’s business and will involve reaching out to non-techie business owners.
- Incorporate both application and infrastructure-related steps into your incident response plan. Too often, organizations focus on only one of these disciplines when preparing to deal with security incidents.
- Understand which application and infrastructure components affect the sensitive data that flows through your organization. This knowledge will help you understand security dependencies, so you know where to focus protective efforts.
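As an added illustration of the logging recommendation above (this is example code written for this post, not something from the original or from any particular product), the snippet below shows what a minimal application security logging spec can look like in practice: required fields for every security-relevant event, a validator that rejects events developers emit without them, and a simple SIEM-style detection that only works because the application logs carry actor and source address. The field names, the `portal` app name, the event types and the sample log lines are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical logging spec handed to development teams: every security-relevant
# event is one JSON object per line and must carry at least these fields.
REQUIRED_FIELDS = {"ts", "app", "event", "outcome", "actor", "src_ip"}
ALLOWED_OUTCOMES = {"success", "failure"}

# Constructed sample log lines as an application would emit them. The last line
# deliberately omits src_ip to show how a spec violation is caught at ingest.
SAMPLE_LINES = [
    '{"ts":"2024-05-01T12:00:00","app":"portal","event":"login","outcome":"failure","actor":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T12:00:10","app":"portal","event":"login","outcome":"failure","actor":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T12:00:20","app":"portal","event":"login","outcome":"failure","actor":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T12:00:30","app":"portal","event":"login","outcome":"failure","actor":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T12:00:40","app":"portal","event":"login","outcome":"failure","actor":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T12:01:00","app":"portal","event":"login","outcome":"success","actor":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T12:01:05","app":"portal","event":"login","outcome":"failure","actor":"bob","src_ip":"198.51.100.2"}',
    '{"ts":"2024-05-01T12:02:00","app":"portal","event":"login","outcome":"success","actor":"alice"}',
]


def validate_event(raw_line):
    """Parse one log line against the spec; return (event, None) or (None, reason)."""
    try:
        ev = json.loads(raw_line)
    except json.JSONDecodeError as exc:
        return None, f"not JSON: {exc.msg}"
    missing = REQUIRED_FIELDS - ev.keys()
    if missing:
        return None, "missing fields: " + ", ".join(sorted(missing))
    if ev["outcome"] not in ALLOWED_OUTCOMES:
        return None, f"bad outcome {ev['outcome']!r}"
    try:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    except ValueError:
        return None, "ts is not ISO 8601"
    return ev, None


def ingest(lines):
    """Validate every line; keep conforming events, record rejects with line number and reason."""
    events, rejected = [], []
    for n, line in enumerate(lines, 1):
        ev, reason = validate_event(line)
        if ev is None:
            rejected.append((n, reason))
        else:
            events.append(ev)
    return events, rejected


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when an (app, actor, src_ip) shows >= threshold failed logins within
    the window and then a successful login, i.e. a password-guessing attempt that worked."""
    failures = defaultdict(list)  # (app, actor, src_ip) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "login":
            continue
        key = (ev["app"], ev["actor"], ev["src_ip"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            recent.append(ev["ts"])
            failures[key] = recent
        else:
            if len(recent) >= threshold:
                alerts.append({"app": ev["app"], "actor": ev["actor"], "src_ip": ev["src_ip"],
                               "failures": len(recent), "at": ev["ts"].isoformat()})
            failures[key] = []  # a success closes the episode either way
    return alerts


if __name__ == "__main__":
    evs, bad = ingest(SAMPLE_LINES)
    for n, reason in bad:
        print(f"line {n} rejected: {reason}")
    for alert in detect_bruteforce(evs):
        print("ALERT", alert)
```

The point of the validator is the second half of the recommendation: if the spec is part of the development requirements, a login event that lacks `src_ip` is a defect to fix in the application, not something the SIEM team has to work around later. The detection itself is deliberately simple; its value comes from the application supplying actor and source address in a shape the infrastructure logs can be joined against.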
Without somehow bringing infrastructure and application security disciplines together, you will probably spend more money on security than necessary or will focus your funding on the wrong risks.