In this, the final article in our series on the essentials of Application Security, we look at Insufficient Transport Layer Protection (ITLP). ITLP occurs when an application fails to properly encrypt network traffic, so that the confidentiality and integrity of that traffic can no longer be relied on. The term also covers cases where an application's network-level security is weakened rather than absent: flaws in the algorithms in use, improper use of certificates, and reliance on security certificates that have expired.
All of these factors will reduce the effectiveness of any Secure Sockets Layer (SSL) and Transport Layer Security (TLS) which you have put in place as a part of the application’s development.
If you are unfamiliar with either TLS or SSL, now is the time to acquaint yourself. TLS, and SSL before it, is used to add a layer of security to all traffic which has gone through an authentication process – i.e. once you have logged into a website or application, TLS protects any data sent over the network for the duration of the session. SSL certificates are installed on the relevant servers and act as verification that the site or app to which the user is connecting is genuine.
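The following is an added example, not part of the original article, showing how a client can check for the ITLP weaknesses described above: it builds a client context that refuses plaintext fallback and pre-TLS 1.2 protocols, requires and verifies the server certificate, and reports an expired, not-yet-valid or mismatched certificate. The `SAMPLE_CERT` value is a constructed dictionary in the shape returned by `ssl.SSLSocket.getpeercert()`, and `audit_endpoint` is a hypothetical helper name.

```python
import socket
import ssl
import time

def hardened_client_context() -> ssl.SSLContext:
    """Client context mitigating the weaknesses listed in the article."""
    ctx = ssl.create_default_context()            # system CA store, sane defaults
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    ctx.check_hostname = True                     # certificate must name the host
    ctx.verify_mode = ssl.CERT_REQUIRED           # never accept an unverified peer
    return ctx

def _san_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or one left-most wildcard label such as *.example.test."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname

def certificate_findings(cert: dict, hostname: str, now: float) -> list:
    """Problems with a peer certificate given in getpeercert() dict form.
    `now` is seconds since the epoch (UTC), passed in so results are testable."""
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > not_after:
        findings.append("certificate expired")
    elif not_after - now < 14 * 86400:
        findings.append("certificate expires within 14 days")
    if now < not_before:
        findings.append("certificate not yet valid")
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_san_matches(n, hostname) for n in dns_names):
        findings.append(f"no subjectAltName matches {hostname}")
    return findings

def audit_endpoint(host: str, port: int = 443) -> dict:
    """Connect with the hardened context and report what was negotiated."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "findings": certificate_findings(tls.getpeercert(), host, time.time())}

# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
```

`audit_endpoint` needs network access; `certificate_findings` and `hardened_client_context` can be exercised offline against `SAMPLE_CERT`.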