“Bake security into the application, don’t sprinkle it on top,” Sima says. “The key is to not only discover security vulnerabilities, but to take a holistic approach to fixing and continuously preventing them.”
Sima says that traditional security tools are no longer enough. The volume of Internet-based attacks is pushing old strategies like firewalls and intrusion detection systems into obsolescence.
“Think about how useful your home alarm system would be if you were surrounded by 500,000 burglars all trying to break into your house at once,” he notes. “It’s useless when it goes off every minute. That’s the current state of intrusion detection.”
Exacerbating this dilemma is the number of “false positives” found by traditional security tools during application development and in production.
No more crying ‘wolf’
End2End VAS ApS, a European mobile content and information managed services provider, found traditional security testing tools wasted huge amounts of time when used for the stringent quality assurance and testing of the Content Retail Solution (CRS), which is the bedrock of its business.
“These tools would simply collect banner information and ‘shout’ vulnerabilities at us, simply because we were running Apache, or whatever application, as part of the project. Too many times, the vulnerabilities they ‘found’ just didn’t exist,” says Jes Beirholm, Director of Information Security at End2End.
Beirholm turned to HP WebInspect software to conduct the company's risk-based testing. “It’s a question of having tools that probe for the right things, and verify actual vulnerabilities in an intelligent way,” he says.
End2End has been able to stay ahead of potential security issues while discovering new efficiencies for development of Web applications. Now End2End can better communicate its security commitment to customers, in part by presenting WebInspect as a critical component of its risk-management process.
“WebInspect has given us the ability to go the extra mile with our security efforts. In the past we would have found potential security issues, but without the help of WebInspect we weren’t able to resolve such issues efficiently.”
Forward-thinking organizations like End2End now view Web applications as portals to corporate assets and proactively protect them by making security and hacker protection part of the functional and technical requirements.
Says Sima, “By taking a lifecycle approach to Web application security, organizations can free their security professionals from simply putting out fires, knowing their applications are designed from the ground up to protect the assets and information of their employees, partners and customers. This will lead to higher returns from e-business, greater customer satisfaction and an improved bottom line.”