Protecting Web applications is especially important for financial firms that may have online banking or trading capabilities. In this video, Warren Axelrod explains best practices for creating and maintaining secure Web applications.
Watch part one: Outsourcing and cloud computing for financial services firms.
About the speaker:
C. Warren Axelrod is a financial services IT and security veteran and author.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact email@example.com.
Web application security for financial services firms
Marcia Savage: Hi, I'm Marcia Savage with SearchFinancialSecurity.com.
We're here today with C. Warren Axelrod. He's a financial
services IT and Security veteran serving more than 25
years as a Senior IT Manager on Wall Street. He's also
written three books including "Outsourcing Information
Security". Thanks for joining us today, Warren.
C. Warren Axelrod: Happy to be here. Thank you.
Marcia Savage: Now, web application security, I know, is
another area of focus for you. Are financial institutions paying
enough attention to web application security?
Warren: I think there is a lot of increased interest. The
problems with applications security stem from the tradition
of how information security evolved. And mostly came out
of operational areas, technical people that were engineers
and so forth because those were the early requirements for
security. And very few security professionals have
backgrounds in application developments and testing.
Now, the supposition is that something like 70, 80% of all
attacks are at the application layer. So if the industry is
spending most of its resources on the remaining 30% and
only a little bit on the 70% and that's just a number I would
be at, then there's a mismatch. But I think what's happening
with organizations such as OS, they're doing a terrific job and
they have membership easily into the five figures and there's a
much more rapidly growing interest and that's a good sign. But
it's going to take time. You need the expertise, it has to build
and I see it building, but it's nowhere near the requirements.
Marcia Savage: What are the major security mistakes that they
make in their web application development?
C. Warren Axelrod: In the development itself, the keys to
success rather than the mistakes, adequate training and as I
said there is a lack of knowledge by security professionals
on the application side, a lack of understanding, the developers
understanding security. So you have both sides. It's very
important to have a good training program and these are
coming to the fore, and to have a process, a well defined
process to include security considerations at every step of the
development life cycle. And that's happening but it has a way to
And then, one of the things that I've seen and gives some
measure of concern is that applications are not like really
hardware and other kinds of devices. Applications sit within an
environment. They sit on an operating system, they sit within a
context within a network and they are only secure as those
environments, as the context. So, for example, and the
requirement is only as great as that environment needs. So if
you had an internal application on a dedicated network, the
security requirements are much less than taking that same
application, putting it into a web facing environment, where
the whole world can get at it.
So people have to understand that you can't look at an application
in isolation and say yes, I would say that's very secure. I would say
yes, how are you going to use it and in what context and how critical
is it and so forth. And I think that is developing. I see it happening but
it's a long way to go, and I think that, as I said, progress is being made
but you have to build up the expertise, you have to build up the
understanding. And there's a lot of interest in doing it. There is a
lot of recognition to make it better.
Marcia Savage: This has been really interesting today, Warren.
Thanks so much for joining us.
C. Warren Axelrod: My pleasure. Thank you.
Marcia Savage: And thank you for joining us. For more information
on these topics, please visit SearchFinancialSecurity.com