04/03/2009 by Serge Baumberger
Security is especially important in online applications, yet far too little attention is paid to it. Perform a quick risk assessment just prior to implementation, jerry-rig a plug for the biggest holes, and you’ll have the software up and running in no time. Then a few days later, the first bytes of customer data are stolen. Does it have to happen this way?
In an incredibly short time, online security risks have become the primary risk for businesses. One reason is that nowadays business-critical applications have to be accessible online at any time to customers, partners, and internal users. Continuous availability opens the floodgates for friend and foe. Interactive contents exacerbate the whole thing. Statistics show that hackers don’t have to be asked twice to do what they do. Currently, one of the favorite modes of attack is cross site scripting (XSS). For example, a hacker tries to manipulate a web application in such a manner that damaging script code is embedded in the displayed page (e.g., in a guest book or an auction site page). The browser processes this actually trustable website including the harmful code and thereby sends the current login information back to the hacker. Even though companies take security absolutely seriously, reports regarding successful attacks are a daily occurrence. What’s happening here?
Fig. 1: Quality vs. Security
FINALLY RETHINKING THE SITUATION
The lion’s share of an IT security budget is invested in network security, e.g., for firewalls and intrusion detection systems, even though according to Gartner , 75 percent of the hacker attacks take place directly via the application and not the networks. To spend money specifically on where the greatest danger lurks requires rethinking the situation. Ideally, pains are taken in software development to ensure that no security loopholes even exist or to remedy these immediately. Those who are late with their testing are wasting money. However, the problem isn’t that easy to fix because the software is geared to preferably provide what is described in the functional specifications. As a result, checks are performed on what the applications are supposed to do, but not on what they are not supposed to be able to do. Developers with expertise in the field of secure development are a rare breed. Testing also has to be tailored to the new requirements. Unfortunately, one rarely sees a penetration test as part of a test concept. Likewise, the skills profile of a tester who is supposed to verify the functionality is different than that of a security tester. While one is looking for things that don’t work, the other should be looking for the undesired functionalities that allow too much to take place – in other words, we’re talking about real detective work.
Making online applications secure requires specific measures:
1. Implementing security rules, guidelines, and regulations
2. Creating security requirements and attack scenarios
3. Performing specific security architecture reviews
4. Developing and complying with secure coding guidelines
a) White box penetration test
b) Grey box penetration tests
c) Black box penetration tests
6. Monitoring operating systems continuously
7. Making assessments and feedback loops part of the first step
Fig. 2: Toolbox for actual implementation measures
ACUTE NEED FOR ACTION
In Switzerland, the secure programming and performance of penetration tests are still in their infancy. There most certainly is a need to make application more secure and to include the entire software development cycle when creating secure applications. By implementing the solution approaches above, one can gradually increase the application security’s maturity. However, it takes considerable amount of time and money in the short term because systematic training of the test and development units is necessary. In any event, setting up one’s own security testing squad does make sense.
Once the activities are defined, they can be accelerated. Large-scale software manufacturers such as HP or IBM have recently shored up their capabilities in regard to security testing of web applications through targeted acquisitions. Certain fields of use may also have corresponding open source solutions. IBM, like HP, offers security-related tools that support an application’s entire lifecycle from its creation to its replacement:
- Code is checked for security while being entered
- Solution recommendations and links appear if requested
- Automated security tests check web applications and services for flaws
- Any discovered flaws are saved with the corresponding priority depending on the security risk and assigned to the responsible developer
For security experts:
- A 24/7 solution combs through complete web applications looking for security loopholes
- Automatic verification pertaining to legal, company internal, and regulatory provisions
The tools described are becoming better and better. Experts scan the Internet daily for new risks. As for anti-virus solutions, the tools are kept current with new signatures and detection patterns by means of updates.
Targeted investments are necessary. Regardless of the maturity level an organization has reached, there is always room for improvement. The investment is certainly worthwhile because besides financial losses, a company’s image is also at stake.