Network app security takes priority at Energy
- By William Jackson
- Jul 21, 2004
The Energy Department's Computer Incident Advisory Capability has seen security threats shift from simply denying Web service to attacking the department's IT resources.
'The platform is becoming less important,' said John Dias, senior security analyst at CIAC. 'For years, the low-hanging fruit for any hacker has been the Web infrastructure, but Energy sites have become more adept at locking down networks. About a year and a half ago I realized, 'It's the Web application, stupid.' '
So CIAC began offering its clients vulnerability assessments at the application layer, which is enormously more complicated because of the number of application and Web development platforms involved.
The office has a number of scanning tools in its arsenal, including the Internet Scanner from Internet Security Systems Inc. of Atlanta, the open-source Nessus scanner and ScanDo, a Web application scanner from KaVaDo Inc. of New York, which automates the job of finding security flaws.
ScanDo not only speeds up assessment and remediation, it also fits into CIAC's effort to standardize application vulnerability reporting with an Extensible Markup Language schema.
'What surprised me about the product was that it was XML-aware a year ago,' Dias said.
CIAC was established in 1989 to provide security services to Energy and the National Nuclear Security Administration.
'We do a lot of penetration testing and vulnerability assessment,' Dias said. Each Energy facility has its own security policies, and CIAC first scans its computers for configuration compliance before connecting to its network and receiving an IP address.
The office is currently using ScanDo to scan only 10 of more than 100 Energy Web sites. That number is low partly because the department has been wary of putting much functionality in its sites.
'At this point, Energy is very paranoid about security,' Dias said. 'Most of the sites don't have much active content because the security problems are so well-known. But the different sites do a lot of collaboration, and most of them have very sophisticated Web portals on the planning horizon.'
Web applications and services have become attractive hacker targets, said KaVaDo marketing vice president John Green. Network security has improved, so the applications that process data are a more direct route to the information hackers are after, he said.
Conceptually, vulnerability scanning is much the same for networks and applications. In practice, applications are the more complex area.
'You have to look at how the applications interact with the user on one side, and the database on the other,' KaVaDo technology director Ronen Valtzburg said.Exposed
Web services expose the internal network applications, rather than just exchanging data with them as conventional Web pages do. Trouble can come not only from poorly written code, but also from unexpected interactions that an attacker could manipulate. 'You could do something in a way the developer did not anticipate,' Ronen said.
ScanDo's architecture can scan any Web object a browser can handle, so it was XML-aware from the beginning.
'XML is the underlying exchange mode for the next generation of Web services,' Green said.
Although one of ScanDo's selling points is its automation, many users also want to tweak scans to look for specific conditions and to do more granular analysis.
The maturing market for application scanners has moved from early adoption into early mainstream, Green said.
'CIAC is ahead of the curve' in adapting the scanner for its specific needs, he said.
CIAC uses ScanDo in manual mode to troubleshoot specific problems and automates remediation with the policy development tool.
But, Dias said, 'ScanDo is not a silver bullet. We use it as a starting point to assess a Web application,' and then follow up with other tools to verify results.
Dias does not expect perfection from any application scanner. 'There is no way for a company to create the uber-scanning policy for what are, functionally, remote procedure calls,' he said. He wants to have input into how the product develops, however.
'We're interested in a partnership with KaVaDo to discuss what is going to happen' in both Web services and application scanning, Dias said.
Green said about 70 percent of the current ScanDo 2.0 features came from suggestions by customers such as CIAC.
William Jackson is freelance writer and the author of the CyberEye blog.