Web applications have quickly become the norm for organisations seeking to provide their customers, partners and employees with the opportunity to do business anytime and from anywhere. But in recent years those applications have also become a frequent source of security concern.
Most security breaches today happen due to vulnerabilities within the Web applications layer, as hackers seek to avoid firewalls and traditional, more stringent security techniques. In today’s intense regulatory environment, these vulnerabilities expose businesses to significant financial and legal risk.
Such risk, of course, presents a big problem. Faced with the daunting task of concurrently protecting its information while opening itself up to partners, customers and employees, the average corporation still doesn’t have the necessary mechanisms in place to secure against potential loss from Web application vulnerabilities.
The good guys always wear white
Enter Caleb Sima, chief technology officer and founder of SPI Dynamics, a firm recently acquired by HP for its ability to help solve the Web application security dilemma. Sima started his career as a white hat hacker, where he discovered Web application vulnerabilities that would become his impetus for developing SPI Dynamics.
“I found a method via the Web site, or Web application, that hackers could use to easily break into 100 percent of a company’s resources, because nobody was paying attention to security around that application,” he explains. “So I created a software product to automate the methodology I used for companies to identify security holes in Web applications.”
Sima says the most common exploits are attacks like SQL injection or cross-site scripting (XSS) and exist because of the architectural components needed to make a Web site available and useful to the public. But he has a solution. He advocates a lifecycle approach to application and security testing: applications built using secure coding practices, tested in QA for security vulnerabilities and continually monitored in production.
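As an added illustration of the two vulnerability classes named above and the secure-coding practice that prevents each, the following Python compares a SQL query built by string concatenation with a parameterised one, and raw HTML concatenation with output encoding. This is example code, not code from the article, HP or SPI Dynamics; the in-memory `users` table, its rows and the function names are constructed for the example.

```python
import sqlite3
import html


def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection: user input is spliced into the SQL text itself."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Secure coding: the driver binds the value; it can never alter the query."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """XSS: user input is written into the page as markup."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Secure coding: HTML-encode untrusted data before it reaches the browser."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "alice"))
    print(render_greeting_safe("<b>guest</b>"))
```

The assertions a QA suite would carry for these functions (a lookup with a crafted value must return no rows, and encoded output must contain no raw tags) are the kind of check the "tested in QA for security vulnerabilities" step refers to; keeping them in the regression suite is what turns a one-off finding into continuous prevention.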
“Bake security into the application, don’t sprinkle it on top,” Sima says. “The key is to not only discover security vulnerabilities, but to take a holistic approach to fixing and continuously preventing them.”
Traditional security tools are no longer enough
Sima says that using traditional security tools, while successful in the past, is no longer adequate to guard organisation resources. The volume of Internet-based attacks being made on business today is pushing these old security methodologies, like firewalls and intrusion detection systems, to obsolescence.
“Think about how useful your home alarm system would be if you were surrounded by 500,000 burglars all trying to break into your house at once,” he notes. “It’s useless when it goes off every minute. That’s the current state of intrusion detection.”
Exacerbating this dilemma is the number of “false positives” found by traditional security tools during both application development and once software is in production.
A European-based mobile content and information managed services provider, End2End VAS ApS, found that traditional security testing tools wasted enormous amounts of time when used for the stringent quality assurance and testing required for the Content Retail Solution (CRS) that acts as the bedrock of its business.
“These tools would simply collect banner information and ‘shout’ vulnerabilities at us, simply because we were running Apache, or whatever application, as part of the project. Too many times, the vulnerabilities they ‘found’ just didn’t exist,” says Jes Beirholm, director of information security at End2End.
Beirholm turned to HP WebInspect software to conduct End2End’s risk-based testing. “It’s a question of having tools that probe for the right things, and verify actual vulnerabilities in an intelligent way,” he says.
Incorporating security into quality management practices
According to Beirholm, End2End has been able to stay ahead of potential security issues while discovering newfound efficiencies for easier, more proactive development of its Web applications. It’s also helped End2End better communicate its commitment to security to its customers, in part, by presenting WebInspect as a critical component of its risk-management process.
“WebInspect has given us the ability to go the extra mile with our security efforts. In the past we would have found potential security issues, but without the help of WebInspect we weren’t able to resolve such issues efficiently.”
Forward-thinking organisations, like End2End, are now viewing their Web applications as portals to corporate assets. They are vigilantly and proactively guarding them against malicious attacks by making security and hacker protection part of the functional and technical requirements of their applications.
Sima concludes: “By taking a lifecycle approach to Web application security, organisations can free their security professionals from simply putting out fires, knowing their applications are designed from the ground up to protect the assets and information of their employees, partners and customers. This will lead to higher returns from e-business, greater customer satisfaction and an improved bottom line.”
Related Links
» Web application architecture vulnerabilities: Is the functionality of your application secure?
» HP Application Security Resource Library
» HP Application Security Center
» HP WebInspect software
» HP QAInspect