In Depth

Decoding Web Application Security

Today's Web-connected applications need more than just firewalls. Application-security gateways can't grow up fast enough.

By Bob Violino

May 01, 2004 | CSO

Ah, the Web. It has generally made business easier and cheaper, but specifically made information security harder and more expensive. Companies in all sorts of industries are rushing to create Web-accessible applications so that their customers can more easily get at data or manage their own accounts. Alas, these new systems draw along in their wake a bevy of new, application-specific attacks.

And so application security is a top-of-mind issue for CISOs. Consider the case of Depository Trust & Clearing Corp. (DTCC), which provides clearance, settlement and information services for a variety of financial-services transactions. Its Web applications include a service called Domestic Tax Reporting Service, which accumulates year-end tax information on various investment types in a centralized database. Customers log in to double-check their tax reporting. Not the kind of application a company wants hackers rifling through. So in addition to the usual stable of firewalls, DTCC is using application-security gateways from Teros to protect against common application-level attacks such as buffer overflows and SQL injection—both of which involve a hacker tricking the host system into executing unwanted commands. DTCC has been testing the Teros product (which costs about $25,000) since September 2003, and DTCC CISO Paul de Graaff is sufficiently pleased with the results to plan installing more devices this year. Eventually DTCC will use the gateways to protect transaction-based and consumer Web applications, both customized and off-the-shelf.

"Application security has become my number-one priority," says de Graaff.

CISOs' number-one priority, of course, usually becomes security vendors' number-one market opportunity. Security product purveyors are responding, launching products specifically designed to provide application-level security that traditional firewalls don't deliver. CSOs and CISOs report some early successes with application-security efforts, but also a number of important reasons to consider treading lightly as application-security products and processes mature.

Application Security Holes: Your Buffer Overfloweth

Unlike certain worms and viruses that exploit network security weaknesses, Web application attacks go after flaws in the applications themselves. For example, an intruder could tamper with part of an HTTP request and use buffer overflows to corrupt a Web application by having it execute arbitrary code. In this way, the attacker could in effect take control of a Web or application server.

There are several approaches to preventing this kind of attack. One is code inspection: trying to secure your homegrown applications by more carefully examining your source code, looking for common coding errors and vulnerabilities. (For more on this approach, read Tools for Secure Application Coding.) Another approach is scanning your Web applications from the outside—as an actual attacker might. This is most commonly done by an outside provider, often under the heading of vulnerability assessment. Application-security gateways, such as those DTCC is deploying, are a third approach. Gateways scan incoming network traffic in greater detail than does the conventional perimeter firewall. Typically, a firewall lets HTTP requests pass through—HTTP being the standard protocol for transmitting webpages. An application-security gateway, however, can be set to sift through the HTTP data stream, looking for SQL code embedded in places where it shouldn't be. (If a Web application includes a field for customers to fill in their password or address, and instead the "customer" types in a long string of nonsense with embedded SQL commands, that's a pretty reliable sign that there's malice afoot.)
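To make the gateway's role concrete, here is an added example (not code from the article, from Teros or from DTCC) of the kind of content inspection described above: it parses a form-encoded HTTP POST body and flags fields that carry SQL fragments or are unusually long. The field names, length threshold and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Heuristics a gateway-style filter might apply to each form field:
# a quote or semicolon followed by an SQL keyword, a tautology such as
# "or 1=1", a UNION ... SELECT pair, or a comment marker that would
# truncate the rest of a query. Keyword matching alone is noisy, so each
# rule is labelled to make tuning and log review easier.
SQL_PATTERNS = [
    (r"['\";]\s*(?:or|and|union|select|drop|insert|update|delete)\b",
     "quote followed by SQL keyword"),
    (r"\b(?:or|and)\s+\d+\s*=\s*\d+", "tautology"),
    (r"\bunion\b[\s\S]{0,64}\bselect\b", "UNION ... SELECT"),
    (r"(?:--|/\*)", "SQL comment marker"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in SQL_PATTERNS]

# Assumption: no legitimate password or address field exceeds this length.
MAX_FIELD_LEN = 256


def inspect_body(body: str) -> list:
    """Return a list of (field, reason) findings for a form-encoded body.

    An empty list means the request passed inspection.
    """
    findings = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if len(value) > MAX_FIELD_LEN:
                findings.append((field, "oversized field"))
            for rx, label in COMPILED:
                if rx.search(value):
                    findings.append((field, label))
    return findings


def should_block(body: str) -> bool:
    """Gateway decision: block the request if any rule fired."""
    return bool(inspect_body(body))


# Constructed sample requests: a normal login, and one whose password
# field carries an SQL fragment instead of a credential.
BENIGN_BODY = "user=alice&password=s3cret%21&address=12+Union+Street"
ATTACK_BODY = "user=alice&password=%27+OR+1%3D1+--&address=x"

if __name__ == "__main__":
    for body in (BENIGN_BODY, ATTACK_BODY):
        print(should_block(body), inspect_body(body))
```

Note that "12 Union Street" passes because the UNION rule requires a following SELECT; a filter that matched bare keywords would block ordinary addresses, which is the tuning burden the article's cautions allude to.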
