Transforming Your Enterprise Magazine

Spring 2008

Built-in security for Web applications

Traditional add-on security for Web applications is no longer enough: in today’s security and regulatory climate, ‘baked-in’ protection is mandatory.

Web applications have become the norm for organizations seeking to enable customers, partners and employees to do business anytime, anywhere. But in recent years they have also become a big security concern. Experts say the majority of attacks today are aimed at the application layer, as hackers seek to avoid firewalls and traditional security techniques. In today’s regulatory environment, these threats expose businesses to major financial and legal risk.

The cost is staggering. Experts suggest a single breach costs an average of $4.8 million, or $182 per lost record. And the average corporation—faced with the daunting task of protecting its information while at the same time opening up to partners, customers and employees—still doesn’t have measures in place to secure Web application vulnerabilities.

Caleb Sima is Chief Technology Officer and founder of SPI Dynamics, a firm recently acquired by HP for its ability to address Web application security. Sima started his career as a white-hat hacker, exposing the Web application vulnerabilities that inspired him to found SPI Dynamics.

“I found a method via the Web site, or Web application, that hackers could use to easily break into 100 percent of a company’s resources, because nobody was paying attention to security around that application,” Sima says. “So I created a software product to automate the methodology I used for companies to identify security holes in Web applications.”

Security DNA

Sima says the most common attacks—SQL injection or cross-site scripting (XSS)—exploit the very architecture that makes a Web site available and useful to the public. He advocates a lifecycle approach to application and security testing: applications built using secure coding practices, tested for vulnerabilities before release, and continually monitored in production.
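To make the two named attacks and the "baked-in" lifecycle concrete, here is an added example (not code from the article, from HP, or from SPI Dynamics) that shows a SQL lookup and an HTML rendering routine in their vulnerable and hardened forms, plus the kind of regression check a development team would keep in its test suite so that the fix stays in place. The user table, the function names and the probe string are constructed for illustration; the only libraries used are Python's standard sqlite3 and html modules.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a Web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """'Sprinkled-on' style: the request parameter is spliced into the SQL text,
    so a quote in the input changes the meaning of the query (SQL injection)."""
    query = "SELECT display_name FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """'Baked-in' style: a parameterized query; the input is bound as data and
    can never be interpreted as SQL syntax."""
    query = "SELECT display_name FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_unsafe(display_name):
    """Echoes a stored value straight into HTML: markup in the value becomes
    live markup in the page (cross-site scripting)."""
    return "<p>Welcome, " + display_name + "</p>"


def render_safe(display_name):
    """Output-encodes the value so the browser shows it as text, not markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def probe_lookup(conn, lookup):
    """Regression check for the 'tested for vulnerabilities' step of the lifecycle:
    an exact username must match one row, and a quote-bearing username must
    never widen the result set. Returns True only for an injection-safe lookup."""
    baseline = lookup(conn, "alice")
    probe = lookup(conn, "' OR '1'='1")  # constructed probe, not a real user
    return len(baseline) == 1 and probe == []


def probe_render(render):
    """Companion check for the rendering layer: no raw angle brackets may survive
    encoding of a value that contains markup."""
    out = render("<b>x</b>")
    return "<b>" not in out and "&lt;b&gt;" in out


if __name__ == "__main__":
    db = make_db()
    print("unsafe lookup passes check:", probe_lookup(db, lookup_unsafe))
    print("safe lookup passes check:  ", probe_lookup(db, lookup_safe))
    print("unsafe render passes check:", probe_render(render_unsafe))
    print("safe render passes check:  ", probe_render(render_safe))
```

The point of `probe_lookup` and `probe_render` is that the fix is enforced continuously rather than discovered once: wire them into the build and a later change that reintroduces string concatenation or raw output fails the build instead of reaching production.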


“Bake security into the application, don’t sprinkle it on top,” Sima says. “The key is to not only discover security vulnerabilities, but to take a holistic approach to fixing and continuously preventing them.”

Sima says that traditional security tools are no longer enough. The volume of Internet-based attacks is pushing old strategies like firewalls and intrusion detection systems into obsolescence.

“Think about how useful your home alarm system would be if you were surrounded by 500,000 burglars all trying to break into your house at once,” he notes. “It’s useless when it goes off every minute. That’s the current state of intrusion detection.”

Exacerbating this dilemma is the number of “false positives” found by traditional security tools during application development and in production.

No more crying ‘wolf’

End2End VAS ApS, a European mobile content and information managed services provider, found traditional security testing tools wasted huge amounts of time when used for the stringent quality assurance and testing of the Content Retail Solution (CRS), which is the bedrock of its business.

“These tools would simply collect banner information and ‘shout’ vulnerabilities at us, simply because we were running Apache, or whatever application, as part of the project. Too many times, the vulnerabilities they ‘found’ just didn’t exist,” says Jes Beirholm, Director of Information Security at End2End.

Beirholm turned to HP WebInspect software to conduct End2End’s risk-based testing. “It’s a question of having tools that probe for the right things, and verify actual vulnerabilities in an intelligent way,” he says.

End2End has been able to stay ahead of potential security issues while discovering new efficiencies for development of Web applications. Now End2End can better communicate its security commitment to customers, in part by presenting WebInspect as a critical component of its risk-management process.

“WebInspect has given us the ability to go the extra mile with our security efforts. In the past we would have found potential security issues, but without the help of WebInspect we weren’t able to resolve such issues efficiently.”

Forward-thinking organizations like End2End now view Web applications as portals to corporate assets and proactively protect them by making security and hacker protection part of the functional and technical requirements.

Says Sima, “By taking a lifecycle approach to Web application security, organizations can free their security professionals from simply putting out fires, knowing their applications are designed from the ground up to protect the assets and information of their employees, partners and customers. This will lead to higher returns from e-business, greater customer satisfaction and an improved bottom line.”
