Energy Dept.'s security shop reinvents its job

Finds niche in Web service protection

Keeping on top of the latest security threats is a constant challenge for the Energy Department's fee-for-service Computer Incident Advisory Capability shop.

'If CIAC doesn't stay ahead of the curve, users won't need us,' senior security analyst John Dias said. But he doesn't see CIAC becoming obsolete anytime soon, because 'there's new technology emerging all the time' with new security flaws.

CIAC recently made a niche for itself in evaluating the security of agency Web services. It has tried tools such as ScanDo from Kavado Inc. of New York and WebInspect from SPI Dynamics Inc. of Atlanta to spot vulnerabilities that could be exploited for access to sensitive data behind the applications.

'These types of tools should be standard for anybody who is developing Web apps,' Dias said. As enterprises rely more on Web services, they are becoming a new chink in the armor, he said, because of the large databases at the back end.

'Statistically, that's where most of the successful intrusions come from,' Dias said.

But coding applications without vulnerabilities is a tough job. 'There are a lot of Energy sites with only static content' because their security record was poor, Dias said.

CIAC, located at Lawrence Livermore National Laboratory in Livermore, Calif., now scours the Web for vulnerability reports as well as providing penetration and vulnerability testing for Energy users. It charges other government customers on a fee-for-service basis.

The demand for traditional network security scans has been fading, Dias said.

'It didn't take everybody long to learn how to do their own scans,' he said. 'Some of the security people were getting pretty good. Our reports were getting smaller and smaller, because people got better at locking their machines and systems down.'

There are not yet a lot of automated hacks against Web applications, and the attacks tend to be customized. So far, there are few tools to evaluate application vulnerabilities, and analysts cannot provide consistent results.

'When we first saw ScanDo we couldn't believe it,' Dias said. 'Now we're able to do a really good assessment and give standardized reports.'

ScanDo is half of a suite of tools from Kavado. The other half, the InterDo Web application firewall, checks all traffic coming in and out of a Web server for prohibited or suspicious information. An AutoPolicy feature can set up blocking based on the vulnerabilities discovered in a scan.

Government is Kavado's second-largest vertical market, after the financial services industry, said Jon Greene, the company's marketing vice president.

New versions of the Kavado tools, released last month, are integrated for better identification of information such as Social Security or credit card numbers, whether they are being hacked or are legitimate parts of the application. A centralized database stores scanner results and firewall logs for forensic analysis as well as better protection against internal threats.

Responding to requests

'We had customers requesting that,' Greene said. The firewall does not allow any request to pass through to an application unless it has been approved by InterDo.

Dias said the latest version has 'a button that resets everything to the default, so if an analyst introduces a mistake, it doesn't have to become the baseline' for the next job.

CIAC originally offered its scanning service for already deployed applications, but demand for scanning during development quickly surfaced.

'Large organizations should use more than one scanner,' Dias said. 'No one tool is going to detect everything.'

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above