The CISSP exam covers 10 domains, one of which is application security. Application security pertains to application structure and the security mechanisms used to govern application access. In order to pass the CISSP exam, you'll need to know about software architecture, programming concepts, data interfaces and more. This section of The CISSP Study Guide offers resources and expert advice on enterprise application security best practices. After reviewing these resources, test your knowledge of enterprise application security by referring to our enterprise application security quiz, written by CISSP All-in-one Exam Guide author Shon Harris.
Spotlight article: Domain 6, Application and System Development
Applications and systems are the technologies closest to the data enterprise security teams try to protect. This CISSP Application and System Development Domain 6 article details how applications and systems are structured, what security mechanisms and strategies are commonly used to secure data during access, processing and storage, and also touches on some of the most common enterprise application security threats and countermeasures.
Database application security: Balancing encryption, access control
Database applications are often the epicenter of a company's most sensitive data, so database application security is essential, but maintaining a balance between security and business use can be tricky.
In this tip, Andreas Antonopoulos discusses encryption strategies for database applications and offers some best practices for database application security, most notably how to protect sensitive data and establish a balance between strong encryption and appropriate access control.
PCI DSS Section 6: A plan for tackling application security
Among the Payment Card Industry (PCI) Data Security Standard's 12 requirements is a mandate for Web and application security, PCI DSS Section 6, which specifically calls for merchants and credit card issuers to "develop and maintain secure systems and applications."
In this tip, security expert Joel Dubin explains why the PCI DSS Section 6 requirements are important and offers advice on how an enterprise can comply with the mandate.
SANS Top 25 Programming Errors list: Enterprise application security best practices
Project managers and developers need to ensure application code doesn't include any errors, and code reviewers need pay particular attention dangerous and emerging application vulnerabilities. The CWE/SANS Top 25 Most Dangerous Programming Errors list, which is published every year, can be a great tool for anyone involved in developing computer software.
In this tip, learn how the SANS Top 25 Programming Errors list can provide a great application security best practices checklist outlining the most likely areas where coding errors result in a potential application vulnerability.
Vulnerability test methods for enterprise application security assessments
Many security managers are frequently tasked with handling a huge portfolio of potentially insecure applications. Since applications are a favorite target for malicious attackers looking to infiltrate corporate defenses and steal enterprise data, security managers need to ensure applications undergo security assessments to identify vulnerabilities.
This tip explains what to do when an enterprise has a huge portfolio of potentially insecure applications and limited resources with which to assess them. It also reviews the enterprise application security assessment process by outlining the techniques used to review applications and comparing and contrasting strategic paradigms for application assessments.
Targeted source code reviews reduce software security vulnerabilities
Software flaws have been the route that hackers have followed to achieve many expensive online thefts, including the SQL injection attacks that led to the highly publicized credit card breaches at Heartland Payment Systems Inc.
In this tip, you will learn how targeted source code reviews can reduce software vulnerabilities and how VARs and resellers currently offering software products such as static and dynamic software scan tools can further assist their clients by providing source code review services.
Balancing security and performance: Protecting layer 7 on the network
According to a recent SearchSecurity.com survey of nearly 900 IT professionals, 80% of networking and security pros are concerned about application-layer threats.
In this lesson, application security expert Michael Cobb offers an overview options for securing application-layer traffic using network security technologies, architectures and processes, including Layer 7 switches, firewalls, IDS/IPS, NBAD and more.
Return to the CISSP Study Guide.
About the author
Shon Harris, CISSP, MCSE, is the president of Logical Security, an IT security consulting and training company. She is a former engineer in the Air Force's Information Warfare unit, an instructor and the best-selling author of the previous three editions of this book. Shon has taught computer and information security to a wide range of clients, including RSA, the Department of Defense, the Department of Energy, the National Security Agency and many more.