5.1 Application Policy

00:01

Hello and welcome back to I t Security policy here on Sire Eri.

00:06

We're gonna start out Module five applications security policy

00:10

with myself, Troy Lemaire

00:13

The learning objective of this one is looking at the requirements of the application

00:19

policy

00:20

Pacific and we're gonna look at web application policy. It is the only

00:25

policy that is within this module.

00:32

So if we look at the way of application security policy at the Sands template that's provided

00:38

Web application vulnerabilities account for the Lord's portion of attack vectors outside of malware.

00:44

Purpose of the policy is to define Web application security assessments within the company.

00:49

Web application assessments are performed to identify potential are realized weaknesses as a result of inadvertent Miss Configuration

00:57

Week authorization,

00:59

insufficient error handling,

01:00

sensitive information leakage, et cetera.

01:04

Discovery and subsequent mitigation of these issues will limit the tax surface of the camp.

01:11

But before we get into the scope of this policy, if you look at Web applications, those are built on different types of server systems in the U. S. Is there built on different type with different types of languages. And so those are the ones that have multiple weaknesses that come out and what hackers look at to try to break into the most.

01:32

You're

01:34

systems, where the operating system is totally available to the outside world as an example, is pretty much hardened down by the system of the operating system providers, where the applications are something that is done by the actual programmers. And if they're not using good type of programming, they could

01:53

ah

01:53

created weakness within your organization.

01:57

So the scope the policy covers all Web applications. Security assessments requested by any individual or group or department for the purpose of maintaining the security posture, declines, the risk management and the change control of technologies in use at the company.

02:13

All Web applications security assessments will be performed by delegated security personnel either employed or contract it by the company.

02:20

No findings. They're considered confident going to be distributed to persons on a need to know basis and the reason wise. If you do have a security assessment, you don't want that made available to everybody because they're now you're taking the information that is your weakness within your organization and submitting it to people that don't need to know that and could use it in some way to affect your organization.

02:40

The last paragraph Any relationships with multi tiered applications found during the scoping phase will be included in the assessment, unless explicitly limited

02:50

limitations and subsequent justification will be documented prior to the start of the assessment.

02:59

So in summary today, we looked at the application. Security policy

03:01

is specifically the Web applications security policy and its requirements.

03:07

Web applications are subject to security assessments based on the following criteria, and this is our first application security policy. Recap question

03:16

and the answer is new or major application releases.

03:21

Third party are acquired. Web Application

03:23

Point Releases Patch releases, Emergency releases

03:28

All security issues that discovered during assessments must be

03:32

Nance. That one would be mitigated

03:38

in our next lecture. We're gonna look at a course recap. Since this was our last match module within this I t security policy training, we'll go over everything that was covered with in this training course.

03:50

Russians a clarification.