Instructor: Travis DeBary. Travis has over 20 years of experience in Information Technology and Security, and a Master's degree in Information Systems.
Application security policies provide instructions to users that reinforce secure computing. These policies must be easy to learn, understand, and change. To ensure compliance, proper training and ongoing education are necessary.
An application security policy defines the security controls that must be in place for any application an organization uses, whether purchased from a third-party vendor or developed in-house. The overall objective is to ensure the application cannot be used, or abused, in a way that harms the organization, its employees, or its customers. For the policy to be effective, it must be written so that it sets attainable objectives, is clearly understood, and can grow as organizational needs change.
With application security policies, failure by users to adhere to the policy can mean security breaches, loss of reputation, or large regulatory fines for the organization (and, in cases of negligence, even personal legal liability). For this reason, an application security policy must state its purpose succinctly, and every statement in the policy must reinforce that purpose.
For example, an application security policy governing the proper use of an application may state that the application must lock out a user's account after unsuccessful login attempts. That is easy enough to understand and adhere to. But what if part of the policy's purpose is to satisfy regulatory requirements? If the policy does not tie the control to those requirements, the development team might code a lockout after ten failed attempts when the regulation requires five, and the organization is exposed even though the letter of the policy was followed. The policy statement should instead say that an application must lock out a user's account after a predetermined number of unsuccessful login attempts, as required by the applicable regulatory guidelines, and that number should be a configurable parameter rather than a value buried in code. Phrased this way, the statement also points the reader at what they need to learn (which regulation, which number) to adhere to the policy.
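The lockout scenario above, as an added example that is not code from the original lesson: the threshold and lockout window live in a policy object that is filled in from the regulatory requirement, so changing "ten" to "five" is a configuration change rather than a code change. The five-attempt threshold, the 15-minute lockout, and the credential store are constructed illustrations, not values taken from any particular regulation.

```python
"""Account lockout driven by a policy object rather than a hard-coded number.

Added example; not code from the original lesson. The threshold of five
attempts, the 15-minute lockout and the credential store are constructed
illustrations of the scenario in the text, not values from any regulation.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    # Populated from the policy document / regulatory requirement, not by the
    # developer's guess. If a regulation says five, this is where five lives.
    max_failed_attempts: int
    lockout_seconds: int


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def hash_password(password: str) -> str:
    # Illustration only: a real system stores a salted hash produced by a
    # password KDF such as bcrypt, scrypt or Argon2, not a bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class LoginGuard:
    """Counts consecutive failures per account and locks at the policy threshold."""

    def __init__(self, policy: LockoutPolicy, credentials: dict, clock=time.time):
        self.policy = policy
        self._credentials = credentials  # username -> hash_password(pw)
        self._clock = clock              # injectable so tests can advance time
        self._state: dict = {}

    def is_locked(self, username: str) -> bool:
        st = self._state.get(username)
        return st is not None and self._clock() < st.locked_until

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        st = self._state.setdefault(username, AccountState())
        now = self._clock()
        if now < st.locked_until:
            return "locked"            # even the correct password is refused while locked
        if st.locked_until:            # a previous lockout has expired: start fresh
            st.failed_attempts = 0
            st.locked_until = 0.0
        expected = self._credentials.get(username)
        # Unknown users take the same path so the response cannot be used to
        # enumerate accounts; the supplied password is hashed either way.
        supplied = hash_password(password)
        if expected is not None and hmac.compare_digest(expected, supplied):
            st.failed_attempts = 0
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= self.policy.max_failed_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            return "locked"
        return "denied"


def guesses_before_lockout(policy: LockoutPolicy) -> int:
    """Wrong guesses an attacker gets per lockout window under this policy."""
    return policy.max_failed_attempts - 1


if __name__ == "__main__":
    # The mismatch the text warns about: developer-chosen 10 vs the regulation's 5.
    hard_coded = LockoutPolicy(max_failed_attempts=10, lockout_seconds=900)
    regulatory = LockoutPolicy(max_failed_attempts=5, lockout_seconds=900)
    print("free guesses per window, hard-coded:", guesses_before_lockout(hard_coded))
    print("free guesses per window, regulatory:", guesses_before_lockout(regulatory))

    guard = LoginGuard(regulatory, {"alice": hash_password("correct horse")})
    for i in range(6):
        print(i + 1, guard.attempt("alice", "wrong"))
```

The design choice worth noting is that `LoginGuard` never sees the number five: it reads `policy.max_failed_attempts`, so an audit against the regulation checks one configuration value instead of the code, and the lockout refuses the correct password too, which is what stops an attacker from simply continuing to guess after the threshold.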
A policy that can't be understood by its target audience doesn't do much good. One of the first rules of creating any policy is to 'know your audience.' An application security policy that governs highly technical areas will inherently not always be easy for typical users to understand.
For example, some application security policies mandate that code be written or formatted in a specific manner, and stating that requirement necessarily involves technical jargon. Other application security policies, however, describe secure ways of using an application or what kind of application an organization may adopt, and for those it is vital that every reader understand the content. A policy statement that says, 'End users must follow code-generated constraints applicable to the computing environment' is much easier to understand written as 'End users will not knowingly bypass the security controls of an application.' Generally, policies go through reviewers at different levels of an organization so that the clarity of the policy is scrutinized sufficiently.
Application security policies need flexibility to grow with an organization. Application development processes change over time due to business requirements or changes in development method. For example, the business may want to move application releases from annual to quarterly. The policy must be written so that a change like this can be carried through consistently across the whole document rather than patched in one place.
It's not just development that will require application security policies to change. Information security has changed the way business is done throughout the world, and in most cases those changes must be incorporated across the business. Think about how much effort goes into your passwords. Just 10 years ago, an eight-character password with a capital letter and a number was generally acceptable. Today, many organizations require ten to twelve characters and additional complexity, such as special characters, and current guidance such as NIST SP 800-63B goes further still, favoring length and screening against known-compromised passwords over mandatory composition rules. These changes are all driven by security policies, and when implementing an application security policy, this kind of change must be anticipated.
Policies are only as effective as the users who follow them. In some cases, hard controls can be implemented to ensure users follow the application security policies. Examples are systems that will not accept a password that fails length or complexity requirements, development environments that only accept code meeting defined standards, and computing environments that restrict users to only the resources they need.
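The first hard control listed above, a system that refuses non-compliant passwords, as an added example that is not code from the original lesson. It puts the lesson's older eight-character rule beside a current twelve-character rule with a banned-password list so the same checker enforces whichever policy is in force; the rule values, the banned list, and the sample passwords are constructed for illustration.

```python
"""Hard control: reject passwords that do not satisfy the current policy.

Added example; not code from the original lesson. The policy values, the small
banned-password list and the sample passwords are constructed illustrations.
"""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_upper: bool
    require_lower: bool
    require_digit: bool
    require_special: bool
    banned: frozenset          # lower-cased entries, e.g. loaded from a breach list
    max_repeat_run: int        # longest run of one repeated character allowed


# The "10 years ago" rule from the text: eight characters, a capital and a digit.
LEGACY_POLICY = PasswordPolicy(
    min_length=8, require_upper=True, require_lower=False, require_digit=True,
    require_special=False, banned=frozenset(), max_repeat_run=99,
)

# A current rule: longer, all character classes, screened against a banned list.
# The banned list here is a constructed stand-in for a real breached-password feed.
CURRENT_POLICY = PasswordPolicy(
    min_length=12, require_upper=True, require_lower=True, require_digit=True,
    require_special=True,
    banned=frozenset({"password", "passw0rd", "123456", "qwerty", "letmein"}),
    max_repeat_run=3,
)


def password_violations(password: str, policy: PasswordPolicy) -> list:
    """Return every rule the password breaks; an empty list means compliant.

    Reporting all violations at once (instead of the first) lets the UI tell the
    user exactly what to fix, which is what makes the control enforceable in practice.
    """
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("no digit")
    if policy.require_special and not any(c in string.punctuation for c in password):
        violations.append("no special character")
    if password.lower() in policy.banned:
        violations.append("appears on the banned-password list")
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > policy.max_repeat_run:
            violations.append(f"more than {policy.max_repeat_run} repeated characters in a row")
            break
    return violations


def is_compliant(password: str, policy: PasswordPolicy) -> bool:
    return not password_violations(password, policy)


if __name__ == "__main__":
    for pw in ("Passw0rd", "Tr0ub4dor&3-horse", "Correct-Horse-Battery-Staaaaple1"):
        print(f"{pw!r}: legacy={is_compliant(pw, LEGACY_POLICY)}, "
              f"current violations={password_violations(pw, CURRENT_POLICY)}")
```

A password such as `Passw0rd` satisfies the legacy rule and fails the current one three ways at once (length, no special character, on the banned list), which is the concrete form of the point in the text that a policy written around the older rule has to be revised, not just re-read, when the standard moves.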
Ongoing training is also required to keep users aware of policy requirements. Security awareness is paramount to the success of an application security policy and should include periodic bulletins that cover different parts of the policy: what they are for, why they matter, and how to adhere to them. These bulletins can be delivered via email, posters, newsletters, or other methods. Those responsible for implementing policy controls also need training. For example, developers could be sent to off-premises classes held by third parties to learn about regulations, secure development resources such as OWASP guidance, and other topics that help them understand the importance of security and what is expected of them. Workers responsible for purchasing applications for business use should be trained on how to determine whether a third-party vendor meets regulatory security requirements, for instance by reviewing the vendor's Service Organization Control (SOC) reports.
Policies change, regulations change, and new employees regularly join organizations. After creating application security training for users, it is important to keep providing it. One form of ongoing education is to train new employees on these policies as soon as they begin employment, which ensures they understand their responsibilities from the start.
Another form of ongoing training is in-person classes led by subject matter experts; depending on the importance of the topic, these classes may be mandatory. Additionally, many regulating bodies require organizations to provide some form of security awareness training on an annual or periodic basis, and application security policies are typically a major part of that awareness because of the importance of adhering to them. In fact, it is so important that regulating bodies often require organizations to be able to demonstrate that every employee completed the training.