Time
2 hours 23 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:01
Hello and welcome back to I t Security policy here on Sire Eri.
00:06
We're gonna start out Module five applications security policy
00:10
with myself, Troy Lemaire
00:13
The learning objective of this one is looking at the requirements of the application
00:19
policy
00:20
Pacific and we're gonna look at web application policy. It is the only
00:25
policy that is within this module.
00:32
So if we look at the way of application security policy at the Sands template that's provided
00:38
Web application vulnerabilities account for the Lord's portion of attack vectors outside of malware.
00:44
Purpose of the policy is to define Web application security assessments within the company.
00:49
Web application assessments are performed to identify potential are realized weaknesses as a result of inadvertent Miss Configuration
00:57
Week authorization,
00:59
insufficient error handling,
01:00
sensitive information leakage, et cetera.
01:04
Discovery and subsequent mitigation of these issues will limit the tax surface of the camp.
01:11
But before we get into the scope of this policy, if you look at Web applications, those are built on different types of server systems in the U. S. Is there built on different type with different types of languages. And so those are the ones that have multiple weaknesses that come out and what hackers look at to try to break into the most.
01:32
You're
01:34
systems, where the operating system is totally available to the outside world as an example, is pretty much hardened down by the system of the operating system providers, where the applications are something that is done by the actual programmers. And if they're not using good type of programming, they could
01:53
ah
01:53
created weakness within your organization.
01:57
So the scope the policy covers all Web applications. Security assessments requested by any individual or group or department for the purpose of maintaining the security posture, declines, the risk management and the change control of technologies in use at the company.
02:13
All Web applications security assessments will be performed by delegated security personnel either employed or contract it by the company.
02:20
No findings. They're considered confident going to be distributed to persons on a need to know basis and the reason wise. If you do have a security assessment, you don't want that made available to everybody because they're now you're taking the information that is your weakness within your organization and submitting it to people that don't need to know that and could use it in some way to affect your organization.
02:40
The last paragraph Any relationships with multi tiered applications found during the scoping phase will be included in the assessment, unless explicitly limited
02:50
limitations and subsequent justification will be documented prior to the start of the assessment.
02:59
So in summary today, we looked at the application. Security policy
03:01
is specifically the Web applications security policy and its requirements.
03:07
Web applications are subject to security assessments based on the following criteria, and this is our first application security policy. Recap question
03:16
and the answer is new or major application releases.
03:21
Third party are acquired. Web Application
03:23
Point Releases Patch releases, Emergency releases
03:28
All security issues that discovered during assessments must be
03:32
Nance. That one would be mitigated
03:38
in our next lecture. We're gonna look at a course recap. Since this was our last match module within this I t security policy training, we'll go over everything that was covered with in this training course.
03:50
Russians a clarification.
03:52
It's a very message me user name at Troy Lemaire and thank you for attending the cyber retraining

Up Next

Introduction to IT Security Policy

Introduction to IT Security Policy, available from Cybrary, can equip you with the knowledge and expertise to be able to create and implement IT Security Policies in your organization.

Instructed By

Instructor Profile Image
Troy LeMaire
IT Security Officer at Acadian Ambulance
Instructor