Developing Secure Applications

Security is everyone’s business, and everyone needs to collaborate and coordinate the requirements, tasks. This section can be used as a checklist for Application Developers, Database Administrator, and the office of CISO - Security Administrator.

Users may perform one or more roles (such as Application Developers, and Database Administrator).

Pre-requisites

The application developer, database administrator, security administrator have coordinated to exchange security-related information and artifacts. See Coordination. User can use this as a template checklist as a base form.

Checklists

The administrator or the developer needs to perform & verify the following tasks:
  1. Coordinate security details with Security team with respect to the cipher suite, bit strength, algorithm to use, and other features.
  2. Secure the Database
    1. Record the System user and password.
    2. Coordinate the Security encryption and decryption keys with the security administrator.
    3. Coordinate with the Database administrator, Business owner and Security to identify the fields that need to be secure, and its access policy.
  3. Securing the Server
    1. Secure the Net Listener on Server to listen on Secured Sockets for sensitive and confidential transmission.
    2. Consider Multi-tenancy to isolate/partition data for different Entities, when data security is needed, and resources have to be utilized efficiently.
    3. Consider Containerization when utmost security is needed i.e. Data partitioning and resource isolation.
  4. Client Applications
    1. Application developers should ensure they have the correct transport protocol and URL specified in the connection string.
    2. Using a password as plain text, consider using the obfuscation tool.

Once Database security is defined, it cannot be changed for the lifetime of the database. If you need to change it, export the database, then re-initialize the database with new keys, and reimport the data from the exported files.

The appendix A, and B provides template checklist form for user’s convenience.