Definition for common business applications

2012-05-31T12:09:16Z

Andrew smart:

Applications can be categorized by the business functionality from an enterprise perspective and it can also be categorized based on how and where they run.

== Application categorization based on the business functionality ==

'''Business to Customer(B2C) Applications'''
These are in general customer facing applications. Most of these are web/browser based applications. It includes dynamic content based web sites. Some of these applications can be client based application that needs to be installed on customer's computing device (laptop/desktop).

Examples
* Ordering System
* Customer Support System
* Web sites providing product information
* Applets/Active-X lightweight clients
* Clients that gets installed on customer devices

'''Business to Business (B2B) Applications'''
These applications are used between business partners like suppliers, resellers etc. Traditionally these applications are accessed using dedicated lines between business partners. Lately many of these applications directly use Internet with security features such as VPNs. Many of these applications are based on SOA (Service oriented architecture) and leverage web-services.

Examples:
* Parts ordering and status system
* Bulk Order submission web service

'''Internal Applications'''
These applications are used within the organization (Intranet) and are not exposed/available outside the enterprise. These include web based applications as well as desktop applications such as email/IM.

Examples:
* HR Systems
* Internal Financial and ERP System
* IT Desktop support system
* Email clients

== Application categorization based on on how and where they run ==

'''Front-End Applications'''
These are the applications that interact with users through GUI such as browser, desktop client etc.

Examples:
* Order status checking system
* Email clients

'''Background Applications'''
These applications does not directly interact with the user. These are typically background processes and jobs.

Examples
* Background Order validation Job
* Nightly data Synchronization scripts

'''Services based Applications/Interfaces'''
Provides an integration point to other applications and systems. Web Services is widely used standard.

Examples
* customer data retrieval web service
* Google's SOAP Search API

[[Category:OWASP Application Security Assessment Standards Project]]
{{Template:Stub}}

== External Resources ==
'''[http://www.bizplancorner.com/ Business Plan Writer] | [http://www.bizplancorner.com/articles/22/business-plan-writers.aspx Business Plan Writers] | [http://www.bizplancorner.com/articles/1/business_plan_writing_service.aspx Business Plan Writing Service] | [http://www.bizplancorner.com/articles/24/business-plan-service.aspx Business Plan Service]'''

Business Justification for Application Security Assessment

2012-05-31T12:08:48Z

Andrew smart:

Today's enterprise and the end users have increasingly become dependent on IT applications. IT Applications (most of them are web based) allow customers/users to directly access personal and confidential information, encouraging self-driven model, decreasing business cost. Critical business functions are dependent successful functioning of the IT applications e.g. enterprise such as eBay, Amazon.com has most of their business dependent on their Internet facing flagship applications.

There is exponential increase in vulnerabilities found in Web Applications putting significant financial impact to the enterprise and privacy of the end users. Gartner's recent studies[1] shows that hackers are moving towards web application based attacks, 75% of total attacks now occur on Web applications. Systems and network administrators in last 5-10 years (end 1990s to early 00s) have achieved significant maturity on controlling OS and network level attacks. Strong OS hardening/patching procedures coupled with well managed firewalls provides sufficient surety to the business that these layers are secure and not easy to penetrate.

This is yet not true for applications, especially web applications. Web applications provide a logical tunnel from outside/Internet to the backend databases inside the enterprise. Web applications are complex piece of code with a mix of customized business logic, third party libraries, back-end database routines and integration to multiple other applications. Complexity increases potential points of failures. A recent study by penetration testers [2] shows that more than 95% of web applications have some sort of vulnerability.

== What pressures business is coming under?==

'''Compliance and Regulatory Needs'''

Sarbanes-Oxley for financial accounting, HIPAA for safe handling of medical records, Gramm-Leach-Bliley for privacy of customer and PCI to safely process and handle credit card information. List is endless. Achieving compliance to regulations imposed by government and industry is one of the top priorities for business. Compliance entails having strong security controls in your IT applications and associated processes. Security assessment helps to check compliances and in some case required.

'''Increasing Cost of Security Breaches'''

Cost of security breaches is increasing. It is not only loosing the customer confidence but enterprise may end up paying heavy penalties. Payment Card Industry (PCI) recently announced $50,000 fine per incident if cardholder data is compromised. ChoicePoint, lost information of 145,000 customers in 2005 and ended up spending $11.4 million in related cost.

'''Awareness of Users'''

Users have become much more aware and attentive towards the privacy, confidentiality and safekeeping of their personal information. Media has helped to create awareness. Comments like ".. I refused to enter my credit card information as I don't see the padlock [SSL] at bottom of my browser window..." are common.

'''What is there to lose'''

Ultimate question for business may be what is there to lose.

* Data, which may be the biggest asset in the enterprise
* Public Image and Confidence of Customers
* Availability of applications causing unplanned blackouts for business

We have talked about what are potential business impacts due to insecure applications. Application Security Assessment helps to figure out what are the weaknesses and potential issues in our web application. Helps business spend the security dollars where it is most required. And way to consistently keep our applications one notch higher than the attackers.

== References==

[1]. Gartner, Nov 2005 <http://gartner.com>

[2]. Studies from numerous penetration tests by Imperva <http://www.imperva.com/application_defense_center/papers/how_safe_is_it.html>

[[Category:OWASP Application Security Assessment Standards Project]]
{{Template:Control}}
[[Category: Control]]

== External Resources ==
'''[http://www.bizplancorner.com/ Business Plan Writer] | [http://www.bizplancorner.com/articles/22/business-plan-writers.aspx Business Plan Writers] | [http://www.bizplancorner.com/articles/1/business_plan_writing_service.aspx Business Plan Writing Service] | [http://www.bizplancorner.com/articles/24/business-plan-service.aspx Business Plan Service]'''

OWASP - User contributions [en]

Definition for common business applications

Business Justification for Application Security Assessment