Application Security Controls

The preceding sections of this chapter covered system architectures and development processes. You may wonder how software is made secure in the first place. The following sections discuss several techniques, characteristics, and mechanisms that do so.

Process isolation

With process isolation, a running process can't view or modify memory or cache that's assigned to another process. For instance, a user who can see that a payroll program is running on the system can't read the memory space used by the payroll program, and neither can any tool he runs, unless he holds debugging privileges over that process (such as root).

Process isolation is a service provided by the operating system. Mac OS X, Microsoft Windows, and Linux, and even much older OSs such as RSTS/E, Kronos, and TOPS-10, provide it. The system developer doesn't have to build a wall around his or her application because the built-in process isolation already prevents other processes from snooping on it.
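The following C program is an added example, not code from the book, that makes the isolation concrete on a Unix-like system. A parent process holds a constructed "payroll secret" in a global variable, forks a child, and lets the child overwrite its own copy. The child reports what it sees through a pipe, and the parent then checks its own copy. Both processes use the same virtual address for the variable, yet the child's write never reaches the parent, because the kernel gives each process its own address space (copy-on-write after fork). The variable name, the secret string, and the function name are assumptions chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample data standing in for a payroll program's secret. */
static char payroll_secret[32] = "salary:100000";

/*
 * Forks a child that overwrites its own copy of payroll_secret, then
 * checks the parent's copy. Returns 1 if the parent's copy is untouched
 * (isolation held), 0 if it was changed, and -1 on a system call failure.
 */
int parent_copy_unchanged_after_child_write(void)
{
    int fd[2];
    if (pipe(fd) == -1)
        return -1;

    pid_t pid = fork();
    if (pid == -1)
        return -1;

    if (pid == 0) {
        /* Child: same virtual address as the parent, but a private page. */
        strcpy(payroll_secret, "TAMPERED");
        (void)write(fd[1], payroll_secret, strlen(payroll_secret) + 1);
        _exit(0);
    }

    /* Parent: read back what the child sees in *its* copy. */
    close(fd[1]);
    char from_child[32] = {0};
    ssize_t n = read(fd[0], from_child, sizeof from_child - 1);
    close(fd[0]);

    int status;
    waitpid(pid, &status, 0);
    if (n <= 0)
        return -1;

    /* The child really did change its copy... */
    if (strcmp(from_child, "TAMPERED") != 0)
        return 0;

    /* ...but the parent's copy at the identical address is intact. */
    return strcmp(payroll_secret, "salary:100000") == 0;
}

int main(void)
{
    printf("payroll_secret lives at %p in this process\n",
           (void *)payroll_secret);
    int ok = parent_copy_unchanged_after_child_write();
    printf("parent copy after child write: \"%s\" (isolation %s)\n",
           payroll_secret, ok == 1 ? "held" : "FAILED");
    return ok == 1 ? 0 : 1;
}
```

Note that the child could only alter the parent's copy by using a kernel-mediated interface the parent's owner has authorized, such as ptrace, which is exactly the privilege boundary the caveat in the text refers to.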

Hardware segmentation

Hardware segmentation is the practice of isolating functions on separate hardware platforms where the integrity and security of those functions require it. The term also covers keeping developers' resource-intensive work off the production system. Running development and production on separate hardware reinforces segregation of duties and least privilege (both defined in Chapter 10) by denying developers access to production systems.

Hardware segmentation is used ...

Get CISSP For Dummies, 4th Edition now with the O’Reilly learning platform.