It's 2 A.M. Who's accessing your applications?

Date:   Monday , May 31, 2004

With U.S. e-commerce retail sales ballooning to over $54B in 2003, overall e-commerce sales including B2B extending beyond a staggering $1 Trillion, and over 200 million Internet users, enterprises face a mammoth problem. How to secure the applications that are behind these web sites?

The Anti-Virus Era
Although application security is a relatively new issue, IT security tracks its history to the mid-Eighties. Organizations started focusing on other aspects of security in the early Eighties with the advent of anti-virus. After MS-DOS gained momentum, the first known virus, “Brain,” originated in Pakistan in 1986. Brain was a boot-sector virus and only infected 360K floppy disks. Between 1987 and 1989, a number of new viruses were discovered including the Lehigh virus from Lehigh University in the United States, Jerusalem virus from Hebrew University in Israel, and Ping Pong virus in University of Turin in Italy, among others.

Early Nineties saw a slew of new and more deadly viruses including Fish, Joshi, Flip, and Whale as the main ones. Vendors smelled the opportunity and many anti-virus solutions sprung up including McAfee, Norton, IBM, Iris, Certus, and others. In 1992, the Michelangelo, a polymorphic virus caused not a little bit of a havoc. With the proliferation of the Internet and e-mail came more malicious viruses including Melissa in 1999 which took advantage of the e-mail to propagate. Since then, we have had a number of other malicious viruses and worms including Klez, Loveletter, Code Red, Nimda, SQL Slammer, which circled the globe in 10 minutes, Nachi, and more recently the Sasser worm. Currently, there are over 60,000 known viruses and vendors are updating these constantly. Although it’s not foolproof, most enterprises have installed anti-virus software on most of their machines to protect themselves.

The Era of Network Security
In the early Eighties, organizations had limited networks and most of the security was taken care of with basic authentication mechanisms. Then came the Local Area Networks (LANs), which were controlled through remote authentication procedures. In the early to mid Nineties, with the increasing usage of the World Wide Web, enterprises had to open themselves to the outside world to connect to customers, partners, and vendors. This made companies vulnerable to attacks on the network from worms, viruses, and access of information by unauthorized users. Companies knew at that point they needed to secure their perimeter.
Network Firewalls were the first wave of perimeter security that helped control the traffic that flows in and out of the enterprise. After companies realized that some of the malicious traffic was still going through, a new technology called Intrusion Detection Systems (IDS) was introduced by some of the leading vendors. IDS monitor and malicious network traffic by comparing the traffic to a signature-based database. When it detects an attack signature, IDS appliance sends out an alert to the administrator. Due to many pitfalls of IDS including the amount of traffic to monitor, Intrusion Prevention Systems (IPS) have started becoming popular in the recent years. IPS boxes combine the functionality of firewall and IDS to not only monitor the traffic but also have the ability to drop the packets based on pre-set configurations. Network vulnerability management products have been fairly effective in scanning the network ports to find existing vulnerabilities. Most companies have dedicated a lot of resources and budget on securing their perimeter over the last few years and feel comfortable with the infrastructure.

Hey, what about Applications?
While companies were busy securing the desktop data files and the perimeter, hackers were coming through the open ports (port 80 and 443) which are meant to be open to do business with customers, partners, and vendors. This is like locking all the doors and windows but leaving the key under a transparent mat.

In the early days of application development, no one paid attention to security because it wasn't a problem. Applications were limited in nature and constrained to internal users. Most developers and Q.A. engineers focused on functional testing with some emphasis on performance testing. In the Nineties, as more enterprise-class Commercial-Off-The-Shelf (COTS) applications like CRM, ERP, and Supply-Chain Management became prevalent, enterprises put the pressure on vendors to build in security. However, the vendors were under the gun to get quicker releases out due to competitive dynamics. While some security features were built in, most were ignored.
Furthermore, for every commercial application deployed, a typical enterprise has anywhere from 10 to 100 or more custom web applications that are developed in-house, which have a lot of security defects with limited resources to address them.

Why is Application Security such a big issue?
With more and more business being done over the Internet, companies have to leave their web open to conduct business with third parties. Besides the e-commerce activities, web sites are also being used for massive information exchange between enterprises and consumers. The dilemma is that these are the same doors that the “bad guys” come through as well. Once they are in, they have a number of ways to exploit the vulnerabilities that exist in the applications behind these web sites. By inserting a few SQL commands, brute force attack to gain access using sophisticated programs, cookie poisoning, or modifying the user’s web page, these hackers can cause catastrophic damage to an organization.

According to the Gartner Group, over 75 percent of the attacks are happening through the web applications. With many hacking tools available freely on the Internet, even “script kiddies” (amateur hackers) can launch very sophisticated attacks easily (see the diagram below). Given that the cyber-terrorists (organized and politically motivated hackers) have access to a lot of funding, it’s scary to imagine the damage they can cause to our infrastructure and economy.

There are many solutions that exist for application security - not all of them are equally effective.

Line-by-line code review: Noble and well-intentioned but impractical due to millions of lines of code existing in hundreds of applications.

Source-code scanning: Many freeware tools (RATS, Flawfinder, Splint) exist to do the source-code scanning. These tools provide basic functionality to go through the raw code to find some of the security defects. The problem with these solutions is that they are limited to a few programming languages and do not address the various languages that surround a typical web application.

Application Firewall: Application firewall products (like NetContinuum and Teros) inspect the content of each packet coming through and compare it against the rules. If the rules are configured well into these products, these can be effective in blocking illegitimate traffic.

Vulnerability Scanning: There are a few tools (Sanctum, SpiDynamics, Kavado) that help scan the applications for vulnerabilities based on a signature database. The problem with these products is that they are limited to their signatures and cannot find design flaws, logic errors, or other errors that require understanding of the applications. These tools are also focused for the most part on commercial applications and on known vulnerabilities, therefore resulting in many false positives and fewer vulnerabilities found.

Extensible Vulnerability Management: Enterprise products like Cenzic’s Hailstorm can allow organizations to find vulnerabilities in not only commercial but also custom web applications by using policies from its pre-crafted policy library. The extensibility feature allows companies to write their own policies to find specific vulnerabilities, design flaws, logic errors, and also help in enforcing internal corporate security procedures. These policies, once written can be run against all the other applications, creating a network effect. These products can be run at any stage of the Software Development Lifecycle and integrated into Application Firewall and IDS/IPS products to provide a complete solution. Integration with tools like Mercury Interactive allows Q.A. professionals to do security testing early in the lifecycle, which can be as much as 100 times cheaper than catching errors in production.

By not putting security practices and tools in place to protect their applications, enterprises run a huge risk of : (1) Franchise Risk - Losing customers’ faith; (2) Non-compliance with regulatory standards like GLBA, SB 1386, Sarbanes-Oxley, HIPAA, and others; (3) Financial loss due to breach in security.

Although it’s good to have tools in place to catch anything in production, it needs to be complemented with addressing these issues proactively by putting in programs like vulnerability management. If you know that there’s a perfect storm brewing, wouldn’t you rather find the holes in the roof and try to patch them first rather than putting a bucket underneath to protect your floor?

Most analysts are predicting a major cyber attack whether it's by cyber-terrorists or “script kiddies” in the not- too-distant future. While many are talking about it, the savvy security and IT management are quickly moving forward with implementing some of the tools available to proactively secure their environment. For those who aren’t taking action now, can you afford to be the next victim?

Mandeep Khera is VP, Marketing of Cenzic, an applications security startup. Prior to joining Cenzic, Khera led product marketing and management for VeriSign's Managed Security Services product line, including vulnerability management, managed firewall, managed IDS, managed VPN, and other security services. He holds degrees from Harvard Business Schools and Northwestern University. When not fretting about security issues, he makes documentary films on the American Indian in the U.S.