June | 2021

The Application Security Framework is the first step towards a "Building It Right" strategy coupled with "Continuous Monitoring": security testing is built into development and acquisition decisions, and the resulting security posture is then measured on an ongoing basis rather than once.
Application Security Framework (module name and description, by tier)

Tier 1: Strategic and Enterprise level

Provides a high-level architectural definition of the logical areas for security testing services and capabilities that cover maintenance and development activities, mergers and acquisitions, or compliance with regulatory requirements and domestic and/or international legislation. This involves enterprise-wide testing efforts to measure the security posture of applications and infrastructure at a point in time, and to support strategic initiatives, roll-outs and security direction. For example, an IDAM programme enabling BYOD (e.g. through MDM products) across multiple business functions reflects a potential organisation-wide change. Penetration testing of the modified components would establish their new security posture, which would then be compared with the existing posture to determine the effect of the change.

Tier 2: Business and Process level

Provides the architectural basis for defining business-specific security testing services and capabilities that cover ongoing development activities for operational systems (MyWipro, HR, Finance, etc.) and vendor solutions supporting daily operations, business and support functions. This involves business-wide testing efforts, on a periodic and ongoing basis, to measure the security posture of the applications and infrastructure supporting business functions and of the suppliers supporting the respective business processes. For example, security testing will be conducted regularly on the infrastructure and applications supporting Wipro business functions, such as the MyWipro portal. The testing will be unannounced and will be used to determine the security health of the fleet. The supplier or support function is then required to remediate any identified issues within the set timeframes, and IRMC will track remediation activities after testing has occurred.

Tier 3: Tactical, Solution and Project level

Provides the architectural definition for project- and technology-level security testing services and capabilities that cover new development and maintenance activities for Wipro external/internal customer projects, or compliance with regulatory requirements as defined in the end customer's business rule book. This involves supporting security testing for Wipro's internal/external customers operating from Wipro's ODC setups, to identify security vulnerabilities in new or existing applications and infrastructure before changes are released into the production environment. For example, a Wipro external customer project team wants to deploy an internet-facing system enhancement or application. Before the project goes "live", security testing will be undertaken to identify any potential security exposures, and any findings will be remediated before deployment into production.
