Hello and welcome back to IT Security Policy here on Cybrary.
We're going to start out Module 5, Application Security Policy, with myself, Troy Lemaire.
The learning objective of this one is looking at the requirements of the application-specific policy, and we're going to look at the web application policy. It is the only policy that is within this module.
So if we look at the web application security policy in the SANS template that's provided:
Web application vulnerabilities account for the largest portion of attack vectors outside of malware.
The purpose of the policy is to define web application security assessments within the company.
Web application assessments are performed to identify potential or realized weaknesses as a result of inadvertent misconfiguration, insufficient error handling, sensitive information leakage, et cetera.
Discovery and subsequent mitigation of these issues will limit the attack surface of the company.
But before we get into the scope of this policy, if you look at web applications, those are built on different types of server systems, and they're built with different types of languages. And so those are the ones that have multiple weaknesses that come out, and what hackers look at to try to break into the most.
Systems where the operating system is totally available to the outside world, as an example, are pretty much hardened down by the operating system providers, whereas the applications are something that is done by the actual programmers. And if they're not using good programming practices, they could create a weakness within your organization.
So the scope: the policy covers all web application security assessments requested by any individual, group or department for the purpose of maintaining the security posture, compliance, risk management and change control of technologies in use at the company.
All web application security assessments will be performed by delegated security personnel either employed or contracted by the company.
All findings are considered confidential and are to be distributed to persons on a need-to-know basis. And the reason why is, if you do have a security assessment, you don't want that made available to everybody, because then you're taking the information that is your weakness within your organization and submitting it to people that don't need to know that and could use it in some way to affect your organization.
The last paragraph: any relationships with multi-tiered applications found during the scoping phase will be included in the assessment, unless explicitly limited. Limitations and subsequent justification will be documented prior to the start of the assessment.
So in summary, today we looked at the application security policy, specifically the web application security policy and its requirements.
Web applications are subject to security assessments based on the following criteria. This is our first Application Security Policy recap question, and the answer is: new or major application releases; third-party or acquired web applications; point releases, patch releases, emergency releases.
All security issues that are discovered during assessments must be... The answer to that one would be: mitigated.
In our next lecture, we're going to look at a course recap. Since this was our last module within this IT Security Policy training, we'll go over everything that was covered within this training course.
Questions or clarification? Just message me, username Troy Lemaire, and thank you for attending the Cybrary training.