Tools for application-level security can help you cope with the threats from without and within
- By J.B. Miles
- Jul 06, 2006
Spam. Spyware. Phishing. Trojans. Worms. Day Zero viruses. Denial of service. Cyberattack. Spooks. Hackers. Identity thieves.
Not long ago, these words might have been found only in a comic-book fantasy. But they're now all too real and familiar, and they are costing American taxpayers and businesses billions of dollars annually.
Web application security attacks are becoming especially prevalent as individual consumers and organizations depend more and more on Internet services for conducting businesses ranging from online shopping to billion-dollar electronic fund transfers.
Incidents of electronic identity theft have become so commonplace that they barely make the news unless thousands of individuals are involved.
As Web applications grow in size and complexity, so too do the number and severity of the attacks against them. During an 18-month period several years ago, the rate of documented Web application attacks increased by nearly 82 percent, according to a Symantec Corp. report on Internet security threats.
These attacks included repeated intrusion attempts, abuse of application business logic, unauthorized data manipulation through such techniques as Structured Query Language injection and parameter tampering, user session hijacking and credential theft, and denial-of-service attacks.
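Two of the techniques named above, SQL injection and parameter tampering, are easiest to see side by side with their fixes. The following is an added example written for this edit, not code from the article or from any vendor it names; the accounts table, the account owners and the injection payload are constructed for illustration. The first pair shows a lookup that splices user input into the query text beside the same lookup using a bound parameter; the second pair shows an object lookup that trusts a client-supplied account id beside one that ties the id to the authenticated user.

```python
import sqlite3


def make_db():
    """Build an in-memory accounts table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    # Vulnerable: the untrusted value is pasted into the SQL text, so a quote
    # in the input changes the structure of the query instead of being data.
    sql = "SELECT owner, balance FROM accounts WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    # Hardened: the query text is fixed and the driver passes the value
    # separately, so the input can only ever match a literal owner name.
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def get_account_unchecked(conn, account_id):
    # Parameter tampering: the id comes straight from the client (a hidden
    # form field or URL parameter) and is trusted as-is, so changing the
    # number yields someone else's account.
    sql = "SELECT owner, balance FROM accounts WHERE id = ?"
    return conn.execute(sql, (account_id,)).fetchone()


def get_account_checked(conn, session_owner, account_id):
    # Hardened: the row must also belong to the user the server itself
    # authenticated; a tampered id that points at another owner returns None.
    sql = "SELECT owner, balance FROM accounts WHERE id = ? AND owner = ?"
    return conn.execute(sql, (account_id, session_owner)).fetchone()


def demo():
    """Run both lookups with a normal name and with a classic injection payload."""
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed payload; turns the WHERE clause into a tautology
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),
        "normal_param": lookup_parameterized(conn, "alice"),
        "injected_vuln": lookup_vulnerable(conn, payload),   # every row leaks
        "injected_param": lookup_parameterized(conn, payload),  # no such owner
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
    db = make_db()
    print("tampered id, unchecked:", get_account_unchecked(db, 2))
    print("tampered id, checked as alice:", get_account_checked(db, "alice", 2))
```

The point of the second pair is that binding parameters fixes injection but not tampering: `get_account_unchecked` already uses a `?` placeholder and is still wrong, because the flaw is missing authorization, not malformed SQL. Both checks belong in the application, which is exactly the layer a network firewall never sees.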
According to IPLocks Inc. of San Jose, Calif., a developer of integrated database security programs, most modern security tools (firewalls, intrusion detection, virus protection and so on) are designed to keep people and programs out of the network.
But the company also cites a joint survey by the Computer Security Institute and the FBI indicating that trusted employees commit a whopping 78 percent of information theft. These employees' jobs require access to the primary information repositories: the databases. Thus, a database faces a potential double whammy: attacks by hackers from without and by employees from within.
In attempts to manage compound threats to their security, many organizations today try to cobble various security measures such as firewalls, data encryption programs, anti-spam and antivirus programs, and user authentication together into a security umbrella that overarches their entire network and application infrastructures.
Sadly, while these security components might provide temporary protection against attacks the organization currently faces, there is no guarantee they will be able to hold the line against coordinated attacks that can occur a month, a day or even five minutes from now.
This is because most standalone security measures come with serious flaws. For example, firewalls alone cannot detect and stop the new classes of threats now being directed at applications and databases. Another widely deployed tool, the intrusion detection system, performs only passive monitoring and after-the-fact forensics rather than preventing attacks, according to a white paper by Application Security Inc. of New York.
A report from the Gartner Group of Framingham, Mass., flatly states that 'most organizations have learned that perimeter firewalls, antivirus software and intrusion detection systems are not enough to protect them from cyberattack. Attacks have moved to the application level, circumventing network-based firewalls. Worms propagate so quickly that signature-based antivirus protection is useless. Intrusion detection systems do not provide protection, only faster notification that your system has failed.'
Toward a new security model
Given these dismal prognostications, what is the enterprise IT director to do?
The Yankee Group of Boston sees great promise in a new category of integrated security tools called integrated application assurance platforms. Yankee Group analysts believe these will eventually provide broad security coverage of the entire application 'stack,' including Web servers, databases and Web services.
Web application firewalls, as they exist today, will likely disappear by 2008, as these new platforms move into the market and provide new and higher levels of application scalability, performance management and availability features, according to a Yankee Group white paper.
The new platforms will combine the Web application firewall, database security, Extensible Markup Language security gateway and application traffic management segments.
The Yankee Group report concludes that enterprises need to continue enforcing policies for exclusion (preventing break-ins, denial of service and the exploitation of vulnerabilities, all features now managed by the latest Web application servers). However, they also need better solutions for addressing inclusive, operations-focused concerns such as availability, authentication, authorization, auditing and encryption.
As promising as these new application assurance platforms appear to be, most experts agree that they are still in their infancy.
Herbert Thompson, chairman of the Application Security Industry Consortium (www.appsic.org), said the impact of disclosure legislation such as California Senate Bill 1386, and new standards and laws such as the Sarbanes-Oxley Act of 2002, Health Insurance Portability and Accountability Act and others will help application security measures grow from infancy to adolescence.
But he added that the most important factor in the growth of new security paradigms may well be heightened expectations among customers.
'Enterprise customers are starting to ask questions about the security processes of potential vendors, and those answers are having a big impact on purchase decisions,' Thompson said.
To move application security from infancy to adolescence, Thompson said security has to be integrated through the software development lifecycle from requirements all the way to deployment and not be treated as something to be bolted onto the process.
He also pointed to the need for metrics around the software security design process.
'It's hard to make security a key factor in development processes and purchase decisions if it can't be assessed in some meaningful way,' he concluded.
Until application security technology finally 'grows up,' what are the alternatives for IT departments needing to protect their mission-critical applications and data from mischievous or criminal hacking by outsiders, or downright theft on the part of trusted insiders?
The roundup
All the 45 programs listed in the accompanying guide, selected from hundreds of possibilities, will provide application protection with various degrees of sophistication and effectiveness, depending on the requirements of your organization.
An entire industry subset has developed around the problems caused by malware and malicious code. Typical software programs designed to combat these nightmares have employed 'blacklisting': listing particular entities, such as domain names, e-mail addresses or viruses, that are denied access to the infrastructure because they are considered dangerous. Some advanced antivirus programs employ heuristics, the application of experience-derived knowledge (such as commonly used text phrases, transmissions or content patterns), to block unwanted transmissions.
Anti Executable 2.0 from Faronics Technologies USA of San Ramon, Calif., takes the opposite approach, a 'whitelist': instead of enumerating what is forbidden, it enumerates what is permitted and denies everything else, with slightly better results, according to Faronics. A whitelist of domain names, for example, is a list of URLs that are allowed through regardless of an e-mail spam blocker's rules.
With whitelists, no virus or spyware definitions are needed; an unknown program is simply not allowed to run, so systems are protected from zero-day attacks that no signature yet describes. Constant scanning of incoming and outgoing IP traffic is unnecessary, so system performance doesn't suffer. The trade-off is that the list itself must be kept current: every legitimate program, and every update to one, has to be approved before it will run, and the protection is only as strong as the process that decides what goes on the list.
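The difference between the two models is clearest when the same set of programs is run past each. The following is an added example written for this edit, not Faronics' code or the article's; the 'binaries' are constructed byte strings standing in for file contents, and the hashes are computed from them, so nothing here corresponds to real software. A blacklist denies only what it has already seen; a hash-based whitelist allows only what was explicitly approved, which is why a never-before-seen sample, and also a modified copy of an approved program, is stopped without any signature.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a program (file bytes in practice)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables. A real tool hashes files on disk.
APPROVED_BINARIES = {
    "calc.exe": b"MZ\x90\x00calc-program-bytes",
    "word.exe": b"MZ\x90\x00word-program-bytes",
}
KNOWN_TROJAN = b"MZ\x90\x00known-trojan-bytes"

# Whitelist: hashes of programs that are allowed to execute; everything else is denied.
ALLOWLIST = {sha256_hex(b) for b in APPROVED_BINARIES.values()}

# Blacklist: hashes of malware seen so far (the signature model); unknown samples pass.
KNOWN_BAD = {sha256_hex(KNOWN_TROJAN)}


def blacklist_decision(data: bytes) -> str:
    """Deny only what is already known to be bad."""
    return "deny" if sha256_hex(data) in KNOWN_BAD else "allow"


def allowlist_decision(data: bytes) -> str:
    """Allow only what was explicitly approved."""
    return "allow" if sha256_hex(data) in ALLOWLIST else "deny"


# Constructed test set: an approved program, a known trojan, a brand-new
# ("zero-day") sample, and an approved program with one byte altered.
SAMPLES = {
    "calc.exe": APPROVED_BINARIES["calc.exe"],
    "known_trojan.exe": KNOWN_TROJAN,
    "zero_day.exe": b"MZ\x90\x00never-seen-before-bytes",
    "patched_calc.exe": APPROVED_BINARIES["calc.exe"] + b"\x00",
}


def compare(samples):
    """Return {name: (blacklist verdict, whitelist verdict)} for each sample."""
    return {name: (blacklist_decision(d), allowlist_decision(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (bl, wl) in compare(SAMPLES).items():
        print(f"{name:20s} blacklist={bl:5s} whitelist={wl}")
```

Note the last sample: the whitelist denies `patched_calc.exe` because its hash no longer matches the approved one. That is the protective property (a tampered binary does not run) and the operational cost (a legitimate update does not run either until someone approves the new hash), which is the trade-off the paragraph above describes.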
Spyware is another huge security problem for both enterprise and individual PC users. According to a recent survey by the National Cyber Security Alliance and America Online, 80 percent of home computers tested were infected with some 93 different types of spyware. While many home and office PCs are protected with antivirus and anti-spam software, the need for anti-spyware protection is often overlooked.
A single spyware application could gather private or personal information; steal copyrighted or confidential information such as passwords, bank account details, Social Security numbers, personal or business correspondence and credit card information; create system instability; damage or interfere with legitimate applications' operation; or allow a spyware operator to take over an infected system.
Such programs as Spyware Firewall 1.0 from Barracuda Networks Inc. of Mountain View, Calif., are specifically designed to avoid those pitfalls.
Many threats
Phishing attacks are becoming increasingly common, but are only a small part of the overall threat defined as identity fraud.
The evolution of Internet-based services has led to the widespread use of reusable passwords, the main source of the identity problem.
Programs such as ForumXWall 1.0 from Forum Systems of Waltham, Mass., and PortWise 4.5 from PortWise Inc. of Mountain View, Calif., are intended to provide new levels of authenticated password protection, shielding enterprise and individual users from phishing attacks and identity theft.
A new class of security software deals with real-time database auditing and vulnerability auditing, and is designed to protect mission-critical enterprise information against compromise.
J.B. Miles writes from Honomu, Hawaii. E-mail him at firstname.lastname@example.org.