
How network security and application security are related

Network security is ever-changing and fast-paced, and many software developers may wonder what is necessary for them to know about network security, application security and programming languages to best protect their applications from hackers. In this expert response, John Overbaugh offers information on securing applications on all levels and suggests resources for more information.

I am new to network security and was wondering how the SQL language relates to network security, if at all. I figure you have to have a code in which to hack, right?

Allow me to welcome you to network security. I think you’ll find a fascinating career is ahead of you -- it’s ever-changing and fast-paced, to say the least.

A strict definition of network security would imply security at what’s traditionally considered a network layer in the OSI model. A slightly more liberal approach would say this is anything below the session layer (transport, network, data link and physical layer). Neither definition would include SQL language in the argument but that doesn’t mean you don’t need to be aware of both.

To have a secure application (SQL, Web, etc.), you need security at many layers. All companies need to protect the foundational layers -- the physical layers which transmit the 1’s and 0’s that make up modern communication. This is as basic as running network cables through conduit to prevent eavesdropping or interruptions. It also includes locking down physical hardware such as routers, switches and even the servers themselves. The primary goal here is availability -- ensuring the data links remain up at all times, with secondary goals of confidentiality and data integrity.

As you move up the OSI stack, you need to start thinking about the network and transport layers. These layers need to be protected and are typically protected via network architecture. Network architecture refers to the design and implementation of various network hardware -- routers, switches, intrusion detection/prevention devices, etc. These devices are deployed to ensure hackers do not succeed at breaking open or re-routing traffic through the network.

Encryption can happen at several layers, and your selection of encryption technologies will always depend on the network architecture, data you are protecting and overall network topology. Sometimes the most effective encryption will take place at the data link layer (VPNs, for instance), whereas other times, the better encryption takes place at the session layer (SSL).

However, even the most secure network doesn’t secure an application, and that’s where good development skills come in -- whether that’s HTML, JavaScript or SQL. So once you’ve protected your network, you need to turn your attention to how your application is being developed. It’s ironic that many development teams say, “Sure we’re secure -- we do everything in SSL,” when in fact their site is a potential sieve simply because it’s been poorly written. Sites like this, while full of security features, lack secure features. This is where the hacking takes place -- injecting code into an application in order to compromise the application’s confidentiality, integrity or availability.

As I’m sure you’re figuring out, there’s a vast body of knowledge on this topic. My first recommendation would be for you to start reading up on the OSI model and on application security. OWASP has a wealth of useful documents and books, all available online for free, which can get you started. If you really want to gain skills and knowledge, I’d recommend you begin reading books and taking courses related to CISSP (Certified Information Systems Security Professional) certification. Even if you’re not able to be CISSP certified, you can benefit from the skills, earn your associate CISSP certification and gain the experience necessary to qualify for the full CISSP certification.
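The answer's point that a site "doing everything in SSL" can still be a sieve, as an added example that is not part of the original answer: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table (the `users` table, the function names and the sample rows are assumptions made for this illustration). Transport encryption carries the injected input faithfully; only the way the application builds its query decides whether that input is data or SQL.

```python
import sqlite3


def make_db():
    # Constructed sample data for the illustration, not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # String concatenation: the caller's input becomes part of the SQL
    # grammar, so a quote in the input changes the statement itself.
    sql = "SELECT username, secret FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterized query: the input is bound as a value and is never parsed
    # as SQL, so a quote in it is just a character to compare against.
    sql = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Feed the classic tautology input to both versions and return what each
    # one hands back to the caller.
    conn = make_db()
    injected = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, injected),  # every row leaks
        "safe": lookup_safe(conn, injected),              # no such user: []
        "legit": lookup_safe(conn, "alice"),              # normal lookup works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The network layer below this code is identical in both cases; the difference the answer describes lives entirely in the application's handling of its own input.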

This was last published in February 2011
