Most enterprise applications handle sensitive data. Securing these applications is therefore essential to prevent data disclosure and minimize the associated risks (financial loss, damage to corporate image, etc.).
And there's a lot to be done to secure these applications: authentication, user lifecycle, password policy... What are the best practices for strengthening application security? How can you gain visibility over your applications by mapping your information system? We take a closer look with François Devienne, Head of Operational Security at OverSOC.
1. Strengthen authentication
Protect the login/password pair
"Authentication is the gateway to all of a company's services, whether internal or external: office automation tools, business software, development data, and so on. It is therefore essential to always check that authentication is properly implemented, to protect company data to the full", explains François Devienne.
Even a highly complex password, generated by a password manager and stored in a secure vault, does not provide 100% protection: the login/password pair can still be stolen, leaked or resold, for example after a phishing campaign.
Favor authenticator apps for the second factor
So how do you protect the login/password pair? By adding an extra layer with multi-factor authentication (MFA), and if possible with an authenticator app generating one-time passwords (OTP), with the OTP seed kept in the app rather than stored on a drive, rather than codes sent by SMS, which can be intercepted through SIM swapping.
2. Manage user lifecycle
Implement identity and access management
Onboarding and offboarding employees is not just an HR function. From the point of view of IT teams, the arrival and departure of employees are also key moments, because they affect identity and access management. Departure is particularly sensitive, as it involves revoking the access rights of the departing employee. The objective? To have as exhaustive a record as possible of which individuals have access to what.
Opt for single sign-on (SSO)
"SSO (Single Sign-On) authentication enables centralized access to different solutions. This provides IT teams with centralized identity and access management. When a member of staff leaves, all they have to do is deactivate their account to revoke all their access", explains the Head of Operational Security.
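The offboarding step described above, as an added example that is not part of the original article: an Active Directory script that first records the access an account had (the "exhaustive record"), then disables the account, invalidates its password, strips its group memberships and parks it in a quarantine OU. The account name, OU path and output folder are assumptions; adapt them to your domain.

```powershell
Import-Module ActiveDirectory

function Invoke-Offboarding {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Assumed quarantine OU and record folder; change to match your directory layout.
        [string]$DisabledOU = 'OU=Disabled Users,DC=corp,DC=example',
        [string]$RecordFolder = 'C:\offboarding'
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Enabled, DistinguishedName

    # 1. Record what the account could reach before anything is removed (audit trail).
    $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    New-Item -ItemType Directory -Path $RecordFolder -Force | Out-Null
    [pscustomobject]@{
        User   = $SamAccountName
        Date   = (Get-Date).ToString('o')
        Groups = $groups
    } | ConvertTo-Json | Set-Content -Path (Join-Path $RecordFolder "$SamAccountName.json")

    # 2. Disable the account: with SSO this is the single switch that revokes federated access.
    Disable-ADAccount -Identity $user

    # 3. Reset the password to a random value so the old secret is worthless even if
    #    someone re-enables the account by mistake.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

    # 4. Remove every group membership (the primary group, usually Domain Users, cannot be removed).
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 5. Mark and move the object so it is visibly quarantined.
    Set-ADUser -Identity $user -Description "Offboarded $(Get-Date -Format 'yyyy-MM-dd')"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU

    return $groups
}

# Example call (assumed account name):
# Invoke-Offboarding -SamAccountName 'jdoe'
```

Two caveats a practitioner should keep in mind: disabling the account does not revoke SSO sessions or tokens already issued, which stay valid until they expire or are explicitly revoked at the identity provider; and applications that keep their own local accounts outside SSO are not covered by this step at all, which is one reason the article's mapping exercise matters.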
3. Manage password policy in Active Directory
Implement a password policy in AD
"Managing your password policy in AD is also one of the best practices for strengthening application security," asserts François Devienne. In concrete terms, this means defining the number of characters, the frequency with which passwords are renewed, and the period during which users can authenticate without being prompted again for MFA.
Adapt security rules to user groups
How can we take password management even further?
"By splitting the population (users / administrators) and defining different security rules for each group. We can, for example, reinforce the security rules for administrator accounts, or decide that MFA is not required when users connect from the office, but is mandatory when they connect remotely."
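The split between ordinary users and administrators, as an added example that is not the article's own code: in Active Directory the domain default policy gives the baseline, and a Fine-Grained Password Policy (PSO) bound to an administrator group overrides it with stricter settings. The group name 'Tier0-Admins', the account 'admin.alice' and the numeric values are assumptions.

```powershell
Import-Module ActiveDirectory

# Baseline for the whole user population: the default domain policy
# (applies to any account no PSO matches).
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Stricter rules for administrators, delivered as a Fine-Grained Password Policy.
# Assumption: administrators are members of the global security group 'Tier0-Admins'.
# When several PSOs apply to one account, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Tier0-Admins'

# Verify which policy an account actually ends up with (the PSO if one matches, else the default).
Get-ADUserResultantPasswordPolicy -Identity 'admin.alice'
```

PSOs can only be bound to users and global security groups, not to OUs, and require a domain functional level of Windows Server 2008 or higher. The "MFA only when remote" rule mentioned above is not a password-policy setting; it is configured in the identity provider's conditional-access or VPN/NPS policy and is not shown here. On renewal frequency, note that current guidance (NIST SP 800-63B) advises against forced periodic rotation for ordinary users unless compromise is suspected, so set MaxPasswordAge accordingly.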
4. Keep your fleet and applications up to date
Systematize updates
Regularly updating your applications and operating systems is one of the reflexes you should adopt. "The more up-to-date your installed base, the less vulnerable it is. Reducing the number of entry points into the information system is an essential part of application security", notes our Head of Operational Security. Here again, various tools (EDR, CMDB, vulnerability scanning) can be used to track operating system versions, so that servers and machines can be updated as necessary.
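A quick way to get the operating-system inventory the paragraph talks about, as an added example rather than anything from the article or from OverSOC's tooling: query Active Directory for every enabled computer object and flag those running an operating system past its end of support or that have not logged on for months. AD only knows about domain-joined machines, so this complements, and does not replace, the EDR/CMDB/scanner data mentioned above. The end-of-support name patterns and the 90-day threshold are assumptions to adapt.

```powershell
Import-Module ActiveDirectory

# Assumed list of OS families past vendor support; extend it for your estate.
$endOfSupport = 'Windows Server 2008*', 'Windows Server 2012*', 'Windows 7*', 'Windows 8*'
$staleAfterDays = 90

$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

# Overview: how many machines per OS version.
$computers | Group-Object OperatingSystem | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Machines on an unsupported OS: candidates for upgrade, or for isolation (see next section).
$unsupported = $computers | Where-Object {
    $os = $_.OperatingSystem
    ($endOfSupport | Where-Object { $os -like $_ }).Count -gt 0
}

# Machines that have not authenticated recently: possibly forgotten assets or shadow IT leftovers.
$stale = $computers | Where-Object {
    $_.LastLogonDate -and $_.LastLogonDate -lt (Get-Date).AddDays(-$staleAfterDays)
}

$unsupported | Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Export-Csv -Path 'unsupported-os.csv' -NoTypeInformation
$stale | Select-Object Name, OperatingSystem, LastLogonDate |
    Export-Csv -Path 'stale-computers.csv' -NoTypeInformation

"{0} computers, {1} on unsupported OS, {2} stale" -f $computers.Count, @($unsupported).Count, @($stale).Count
```

LastLogonDate is replicated with a granularity of up to 14 days, so treat it as an approximation; an EDR or CMDB feed will give a more precise last-seen time.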
Safeguard the most critical assets
And what do you do with an asset that can no longer be updated, for example because the vendor no longer supports it? "In such cases, network zones (VLANs) can be redrawn to isolate and protect the assets that cannot be updated. This gives us even greater control over who can access them and how," explains François Devienne. The aim is always the same: to minimize the exposure to risk.
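The VLAN segmentation above is a network-level control. As an added example, and not the article's own procedure, the same "who can reach this asset and how" rule can be enforced a second time on the Windows host itself with the built-in firewall, which also helps when the legacy server must temporarily stay in a shared VLAN. The port, the management subnet and the front-end address are assumptions.

```powershell
# Assumptions: the legacy application listens on TCP 8080; only the management subnet
# and one front-end host should reach it; administration is done over RDP from management.
$appPort       = 8080
$mgmtSubnet    = '10.20.30.0/24'
$frontEndHost  = '10.20.40.15'

# 1. Make "deny" the default for inbound traffic on every profile. In Windows Firewall an
#    explicit Block rule beats an Allow rule, so do not try to add a catch-all Block rule:
#    it would also block the sources allowed below.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Allow only the approved sources to the application port.
New-NetFirewallRule -DisplayName 'Legacy app - approved sources only' `
    -Direction Inbound -Protocol TCP -LocalPort $appPort `
    -RemoteAddress $mgmtSubnet, $frontEndHost -Action Allow -Profile Domain

# 3. Allow RDP from the management subnet only.
New-NetFirewallRule -DisplayName 'RDP - management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $mgmtSubnet -Action Allow -Profile Domain

# 4. Audit: list enabled inbound Allow rules that accept traffic from any address,
#    since each one is a hole in the isolation just configured.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile
```

Host firewall rules are only as good as the account that can change them; pair them with the VLAN/ACL isolation the article describes so that a compromise of the legacy host cannot simply lift its own restrictions.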
5. Use secure connections
Use TLS 1.2 or later
The IT department has full control over internally hosted applications, and can therefore secure their connections.
"Connection to applications (whether in the internal IS or on the Internet) must always be secured, over HTTPS and with TLS 1.2 at a minimum."
The special case of "old" applications
But there are other cases too. Some older applications still use plain HTTP, with data passing in cleartext. How do you secure access to these applications? "Add security measures and protective layers around these applications," adds François Devienne.
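To put the "TLS 1.2 at a minimum" rule into practice, here is an added example (not from the article): a probe that reports which TLS versions a server is willing to negotiate, so legacy endpoints still accepting TLS 1.0/1.1 can be found, followed by the SCHANNEL registry settings that turn those old protocols off on a Windows server. The hostnames are placeholders.

```powershell
function Test-TlsVersion {
    # Try each protocol version in turn and report which handshakes succeed.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $supported = [ordered]@{}
    foreach ($name in 'Tls', 'Tls11', 'Tls12', 'Tls13') {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($HostName, $Port)
            # Certificate validation is bypassed ONLY so the probe also works against
            # internal hosts with private CAs; never do this in application code.
            $ssl = New-Object System.Net.Security.SslStream(
                $tcp.GetStream(), $false,
                ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
            $proto = [System.Security.Authentication.SslProtocols]$name
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $supported[$name] = $true
            $ssl.Dispose()
        } catch {
            # Handshake refused (or the enum value does not exist on this .NET version).
            $supported[$name] = $false
        } finally {
            $tcp.Dispose()
        }
    }
    [pscustomobject]@{
        Host  = $HostName; Port = $Port
        TLS10 = $supported['Tls'];  TLS11 = $supported['Tls11']
        TLS12 = $supported['Tls12']; TLS13 = $supported['Tls13']
    }
}

# Assumed list of internal application hosts to check; a TLS10/TLS11 of True is a finding.
'intranet.corp.example', 'erp.corp.example' | ForEach-Object { Test-TlsVersion -HostName $_ } |
    Format-Table -AutoSize

# Remediation on a Windows server: disable TLS 1.0 and 1.1 for both the server and client
# side in SCHANNEL. Takes effect after a reboot. Run elevated.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($protocol in 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$protocol\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}
```

Before disabling old protocols, run the probe from the clients' side as well: an application whose own client library cannot speak TLS 1.2 will stop working the moment the server refuses TLS 1.0, which is exactly the "old application" case the article mentions and the reason it needs a protective layer in front of it rather than a flag flip.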
What is the link between application security and information system mapping?
The question of application security is linked to that of security in the broadest sense. Securing an information system requires an exhaustive, detailed, up-to-date and real-time view of the various elements that make up the IS.
And this is precisely where mapping comes in. By correlating and aggregating data from a variety of sources (EDR, CMDB, vulnerability scans, hypervisor, etc.), mapping reduces the grey areas associated with Shadow IT and gives teams a complete picture of their IS.
Mapping your information system allows you to categorize the most critical assets, add contextual data, highlight application vulnerabilities and prioritize corrective measures. It thus helps teams to maintain an optimum level of security for their applications, both from a purely technical angle (verifying access, correcting application vulnerabilities, etc.) and from a governance point of view.