Can my network security team handle application security, too?
Reader feedback:
Application security threats must be handled quite differently from traditional network security threats. Business applications are custom-built and are generally completely unique. Unlike network devices, applications are not exposed to public scrutiny, and security researchers have not created databases of security signatures for them. Without signatures, vulnerability scanners and intrusion detection systems are blind to the custom vulnerabilities in these applications. Finding and diagnosing these vulnerabilities requires a combination of application software expertise, security experience and knowledge of your company's business.
Most existing network security teams are ill-prepared to handle application security. Typically, these teams are trained to search for known network security issues and respond. Achieving application security requires the ability to search applications for issues that are unique and previously unknown. Team members must be able to read code with a deep understanding of how software architectures work. Also, responding to vulnerabilities generally involves the ability to change code and redeploy applications.
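The point about signatures is easiest to see with a concrete flaw. The following example is added here and is not part of the original column: a constructed invoice lookup in which the only defect is a missing ownership check (a business-logic authorization flaw), shown beside the corrected version. The request that exploits it looks exactly like a legitimate one, so a constructed list of generic injection and traversal signatures, of the kind a network-layer IDS or scanner relies on, matches nothing. The data, request lines and signature patterns are all invented for the demo.

```python
"""Added illustration (not from the original column): a business-logic
authorization flaw that a signature-based scanner cannot see.

All invoices, request lines and 'signatures' below are constructed for the demo.
"""
import re

# Constructed sample data: each invoice belongs to one customer account.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 9800.00},
}


class Forbidden(Exception):
    """Raised when a caller asks for a record it does not own."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> dict:
    """Return any invoice by id. Ownership is never checked, so any logged-in
    user can read any other user's invoice just by changing the id."""
    return INVOICES[invoice_id]


def get_invoice_fixed(current_user: str, invoice_id: int) -> dict:
    """Same lookup, but the record is only returned to its owner."""
    invoice = INVOICES[invoice_id]
    if invoice["owner"] != current_user:
        raise Forbidden(f"{current_user} may not read invoice {invoice_id}")
    return invoice


# Constructed, deliberately generic signatures of the kind a network-layer
# scanner or IDS matches on: known injection and path-traversal strings.
GENERIC_SIGNATURES = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),
    re.compile(r"\.\./"),
    re.compile(r"(?i)<script"),
]


def signature_hits(request_line: str) -> list:
    """Return the patterns that match a raw HTTP request line."""
    return [s.pattern for s in GENERIC_SIGNATURES if s.search(request_line)]


def demo() -> dict:
    """Bob, logged in, requests Alice's invoice. On the wire this is
    indistinguishable from Bob requesting his own, so signature matching
    raises no alert; only the authorization check in the code stops it."""
    request_line = "GET /invoices/1001 HTTP/1.1"
    result = {
        "ids_alerts": signature_hits(request_line),
        "vulnerable_leaks": get_invoice_vulnerable("bob", 1001)["owner"] == "alice",
    }
    try:
        get_invoice_fixed("bob", 1001)
        result["fixed_blocks"] = False
    except Forbidden:
        result["fixed_blocks"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Running the block reports no IDS alerts, a data leak from the vulnerable handler, and a refusal from the fixed one. That is the gap the column describes: nothing in the request is "known bad", so only someone who reads the code and knows which user is allowed to see which invoice can find and fix the problem.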
I agree that the network security people are ill equipped to protect against attacks on applications. The protection needs to operate at the application layer, not only at the network layers. Code review is mandatory, but so should be application layer security, which can only be found in software packages.