Application Security Initiatives - The Best Defense Is a Good Offense

Jeff Williams, CEO, Aspect Security
December 2005

Introduction

Today, every business function relies on custom software applications. These applications are typically built under tremendous time pressures by internal or contracted developers to fulfill a specific business need. Organizations need to be able to trust that this software has appropriate security mechanisms to thwart attacks and that the code does not contain vulnerabilities. Even software product companies have an extremely difficult time achieving trustworthy code, and experience shows that most custom applications have far more vulnerabilities. Recent market trends show a clear pattern – organizations need an Application Security Initiative in order to achieve this level of trust in their custom-built applications.

Trend #1 – Attackers have changed their focus to the application layer

The SANS Institute, an independent research group, recently noted that “a large component of the cyberthreat shifted in 2005…hackers are now targeting applications.” Gartner found that 70% of attacks are at the application level, and the FBI reports that this rate has increased 80% in the last year. In a recent example, an application used by Janus Mutual Funds to enable online proxy voting contained a flaw that allowed an attacker to vote other people’s shares. This flaw was widely publicized, called the votes into question, and undermined confidence in the company’s management. Other companies have disclosed their users’ credit card numbers, lost people’s social security numbers, and suffered fraudulent transactions.

Trend #2 – Application security threats require a different approach than network threats

Application security threats must be handled quite differently than traditional network security threats. Business applications are custom-built and are generally completely unique. Unlike network devices, applications are not exposed to public scrutiny, and security researchers have not created databases of security signatures for them. Without signatures, vulnerability scanners and intrusion detection systems are blind to the custom vulnerabilities in these applications. Finding and diagnosing these vulnerabilities requires a combination of application software expertise, security experience, and knowledge of your company’s business.

Most existing network security teams are ill-prepared to handle application security. Typically, these teams are trained to search for known network security issues and respond. Achieving application security requires the ability to search applications for issues that are unique and previously unknown. Team members must be able to read code with a deep understanding of how software architectures work. Also, responding to vulnerabilities generally involves the ability to change code and redeploy applications.

Trend #3 – Application vulnerabilities stem from root causes in the organization

Every application security vulnerability is the result of some error during the development of the application. These errors can be organized into three key areas: insufficient processes or practices, inadequate skills or teams, and incomplete supporting technology. Note that while application security technologies are critical to an organization’s application security efforts, they must be paired with the right set of team and process improvements.

The most common issues in the process area are the failure to define clear and detailed security requirements, lack of threat modeling activities, and failure to perform security testing and analysis. In the skills and team area, many developers have not been trained in secure coding, and very few organizations have created an application security team to support development projects. Finally, organizations need supporting tools and technologies to identify and diagnose vulnerabilities as well as standard libraries that implement security functions.

Trend #4 – Application Security Initiatives are producing results

Many organizations have started an Application Security Initiative to improve their ability to produce secure code. These programs involve training, team-building, software lifecycle process improvements, and technology to support securing applications. Several vendors, including Microsoft, Oracle, RedHat, and Compuware have publicly committed to these initiatives. Product vendors are now starting to report the benefits of these initiatives. Microsoft, for example, has noted a 60% drop in application security issues on projects where their secure development lifecycle is followed.

Many private companies have also started such efforts. Several have saved development costs and protected their reputation by identifying application security issues early in their software development lifecycle. Many smaller companies are also starting to recognize the business necessity of being able to produce trustworthy software. One can predict that soon all organizations producing software will be expected to have an Application Security Initiative in place.

Trend #5 – Many sectors already require secure applications

The government has recognized the serious risk associated with insecure applications. Under FISMA, each federal agency must develop, document, and implement an agency-wide program to provide information security for all of its information systems by 2006. The certification process now includes rigorous application security requirements, including authentication, access control, input validation, and error handling.

The private sector has been hit hard by application security issues, resulting in widespread distrust of online applications. The FTC has adopted the OWASP Top Ten, a widely recognized list of critical application security concerns, and penalized companies like Guess Jeans and PETCO that fielded insecure applications. The credit card industry, in particular, has suffered many high-profile application security attacks. In response, VISA, MasterCard, and American Express have joined forces to create the PCI Standard. The PCI Standard requires that all applications processing credit cards be compliant with the entire OWASP Top Ten.

Conclusions

Whether motivated by compliance, due diligence, or risk management, the need for businesses to address application security vulnerabilities has arrived and soon will become an absolute necessity. Eliminating these vulnerabilities at their sources dramatically reduces costs, both in terms of business impacts and lifecycle costs.

Application security issues are rooted in shortcomings with processes, practices, techniques, tools, developers, and maintenance personnel. Establishing an Application Security Initiative allows organizations to adapt and expand their current application development approaches to address security and effectively manage application security risks. Organizations make significant investments in their unique software methods, structures, and culture. Therefore, to be effective, Application Security Initiatives must be tailored to a specific organization so that any enhancements are readily adoptable by the organization and its personnel.

The market is now demanding trustworthy software, and starting an Application Security Initiative is the most effective way to meet this demand.