Q&A: Targets Shift for Application Security Attacks

With attackers gunning for sensitive information, it’s time to rethink Web application code development or face the consequences.

Today, many enterprise necessities—e-mail, human resources, customer lists, ERP—run in Web interfaces. Yet secure Web application development efforts lag, and attackers are increasingly gunning for sensitive information.

It’s time to rethink code development practices, or face the consequences, says Erik Caso, vice president of business development at NT OBJECTives, based in Irvine, Calif.

What processes can organizations put in place to help create more-secure Web applications?

Well, for example, for an e-commerce site, [you can] build reusable input validation libraries, just because they’re used quite a lot. So why write new ones all the time? Also, what if the new guy does it wrong, and doesn’t provide input validation?

So what we say is: protect yourself by having a vetted input validation form that works. Any time you need to input something, you have a form, and you know it works. [Yet] most companies don’t do this. …

Why don’t companies take this kind of modular, secure-code-development approach already?

The reasons are twofold: One is, with developers you just don’t see management coming down and saying the development team has to focus on secure development. Developers are always under the gun: they need a new shopping cart engine [for example] … and they have to get it done. Management doesn’t say, "We need that new shopping cart, and it better be 100 percent secure." That’s not how it works.

But there’s a more global problem. … What you’re seeing is people have done a really good job of securing the perimeter, the host, but they’re still getting hacked. … How is this happening? Well, [attackers] are not trying to go in and knock you down anymore. … Today, by and large, the vast majority of the hacking community is interested in using their skills to steal information and broker it … to make money.

How can organizations better defend themselves?

When you look at this loss of data, it generally happens in one of two ways: it’s either physical theft—someone steals a computer or a laptop—or it’s stolen out of the database, and the way you get to the database is through the Web site.

So the moral is to lock down physical security, and develop secure Web application code?

Yes, but generally in companies, the firewall is [presumed to cover application security]. Now [however] we have this other dynamic involved, and that’s developers, and they’re historically not trained in security. As much fun as we can make of Microsoft, the Trusted Computing Initiative is unique. They’re the only company out there that does spend a lot of time saying, "You need to develop secure software." Very few companies have that type of program. We have a few [customers] that do, and the benefits, when they then do audits with our technology, are amazing. … They come back with a relatively small number of fixes [to their in-development code].

Which kinds of companies actually have such programs?

[The] financial services [industry] is a leader, because [these companies] have so much to lose. … If you’re associated with financial services, you always have strong security programs—not perfect, but strong. Then, outside of financial services, it’s hit or miss. We have some technology companies that do better than financial services companies, but that’s rare. Manufacturing and retailing, they’re generally not as good. But it depends upon each company individually.

But these programs are tough. It’s not like “here’s what you need to do” and next year it’s implemented. … Companies spend a year or two getting it right, because you need to integrate these [things] into the development process, and that can take a while. For example, if you’re an eBay or Amazon, the next [site] revision might take a year.

Is compliance also driving improved Web application security?

Absolutely. People have a real big concern with compliance, whether it’s regulatory requirements for requiring a breach, or regulations like Gramm-Leach-Bliley, to make sure you’re not leaking information. I think the day is long come and gone when you used to have a specific client on your computer to look at something. Now if you look at all the companies out there—Oracle, Siebel, SAP, and so on—Web applications are a godsend for those types of companies, because they used to have to develop their own client-based applications, for all sorts of different operating systems. But now, everything is HTML. So really, when you look at it, everything is becoming application-based, and you have to ask, [what does that] mean for securing HR information or consumer information?

Will fallout from recent data theft attacks push more-secure Web applications?

Well, when you see someone like CardSystems getting shut down by Visa, that essentially [may] put that company out of business. A lot of companies are terrified now—they would never have expected that to happen. Normally they get fined $1 million, they don’t get put out of business. Now we’ve got the Specter-Leahy bill, and if that goes through, CEOs are going to jail over this. Whereas before it was just a matter of "how much do I need to [later] spend on this to fix it?"

Related Articles:

Regulations, Fear Driving More-Secure Code Development
http://www.esj.com/Security/article.aspx?EditorialsID=1484

Case Study: Virtual Patches Defend Web Applications
http://www.esj.com/security/article.aspx?EditorialsID=1273

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.