Breaking Down the Walls Between Application and Infrastructure Security

I wrote earlier about the need to expand the focus of information security programs beyond infrastructure to incorporate application security components. It’s difficult to bridge these disciplines in part because the people responsible for applications and infrastructure often reside in different groups. Also, the security skills related to developing and maintaining applications differ from those related to systems and networks.

Here are my recommendations for breaking down the walls between application and infrastructure security:

  • Unify application and infrastructure security responsibilities under the same leadership. If this is impractical in your organization, at least look for informal ways for the two teams to collaborate.
  • Include application and infrastructure components in your penetration testing projects. Attackers will probably look for both types of weaknesses when trying to penetrate your defenses; mimic this behavior when conducting your security assessments.
  • Include application logs as part of your log management or SIEM efforts. Incorporate security alerting and logging specs into your application development requirements to support this.
  • Understand the role that your critical applications play in supporting business objectives. This may involve learning more about your organization’s business and will involve reaching out to non-techie business owners.
  • Incorporate both application and infrastructure-related steps into your incident response plan. Too often, organizations focus on only one of these disciplines when preparing to deal with security incidents.
  • Understand which application and infrastructure components affect the sensitive data that flows through your organization. This knowledge will help you understand security dependencies, so you know where to focus protective efforts.

Without somehow bringing infrastructure and application security disciplines together, you will probably spend more money on security than necessary or will focus your funding on the wrong risks.

Lenny Zeltser

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
