Industry View
Eyeballing the Security of Application Service Providers
Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security, gives advice on vetting Application Service Providers to ensure security for your business
By Jeremiah Grossman
1) Platform Security
All secure systems need to be built on a solid foundation. In the case of web application security, the foundation is the operating system, web server, and perimeter firewall. These three components must be properly configured and use the latest and greatest stable releases. Patches also need to be diligently maintained to lock out hackers, worms and viruses.
Questions and Good Answers
How do you secure the network, host operating system and Web server?
We use a recent version of (insert operating system), a hardened security configuration, and patches are diligently applied. The network topology is segmented to support a DMZ and an internal private network using non-routable IP addresses. Installed software packages are kept strict and limited. Any non-essential network listening services are disabled. Only authorized company employees can remotely connect to and administer the servers over an encrypted link (SSHv2, VPN, Two-Factor Authentication, etc.).
*Bonus points for file integrity checking, host-based firewalls, and enforcing strong SSLv3
What security system configuration standards do you follow?
For both operating systems and web servers, we follow a corporate standard configuration policy. We run automated baseline analysis across the network on a routine basis looking for any out-of-compliance configurations. For the web servers we use industry 'best practice' standards for configuration, including suppression of error messages, Denial of Service protection, and OS permission restrictions.
*Bonus points if they reference an industry standard such as PCI-DSS, ISO 17799, or something else reasonable.
What security module add-ons or appliances are in use?
Each web server is installed with security enhancements (ModSecurity, URLScan, etc.) for an additional layer of security. Baseline security-rules are enabled to help prevent SQL injection, cross-site scripting, buffer overflows, and worms/viruses.
*Bonus points for application firewall appliances or reverse proxy configurations
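The "automated baseline analysis" and "non-essential network listening services are disabled" answers above describe a check a provider should be able to show you. Here is an added example of such a check (not code from the article or from WhiteHat Security): it compares a host's listening sockets and its sshd_config against a written standard and reports every deviation. The `ss` output, the sshd_config text and the allowlist are constructed for the example.

```python
"""Baseline compliance check: listening services and sshd directives versus policy.
Added example; the sample data and the policy below are constructed."""
import re

# Constructed policy: the only sockets a DMZ web host may expose.
ALLOWED_LISTENERS = {("0.0.0.0", 80), ("0.0.0.0", 443), ("10.0.0.5", 22)}

# Constructed policy: sshd directives a hardened host must set (lower-cased).
REQUIRED_SSHD = {"protocol": "2", "permitrootlogin": "no",
                 "passwordauthentication": "no"}

# Constructed sample of `ss -tln` output; 3306 and 25 are not in the policy.
SAMPLE_SS = """\
State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    0.0.0.0:80         0.0.0.0:*
LISTEN  0      128    0.0.0.0:443        0.0.0.0:*
LISTEN  0      128    10.0.0.5:22        0.0.0.0:*
LISTEN  0      50     0.0.0.0:3306       0.0.0.0:*
LISTEN  0      5      127.0.0.1:25       0.0.0.0:*
"""

# Constructed sshd_config: root login enabled, password auth only commented out.
SAMPLE_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin yes
# PasswordAuthentication no
"""

def unexpected_listeners(ss_output, allowed=ALLOWED_LISTENERS):
    """Return sorted (address, port) pairs in LISTEN state not allowed by policy."""
    found = set()
    for line in ss_output.splitlines():
        m = re.match(r"LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return sorted(found - allowed)

def sshd_deviations(config_text, required=REQUIRED_SSHD):
    """Return {directive: actual_value} for required directives that are unset or wrong.
    Comments are ignored and the first occurrence wins, as sshd itself behaves."""
    actual = {}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            actual.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {k: actual.get(k, "<unset>") for k, v in required.items() if actual.get(k) != v}

if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(SAMPLE_SS))
    print("sshd deviations:", sshd_deviations(SAMPLE_SSHD_CONFIG))
```

Run against real hosts by feeding `ss -tln` output and `/etc/ssh/sshd_config` in place of the samples; any non-empty result is a finding for the provider to explain.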
2) Software Development Process
Typically, mature e-commerce software packages are upgraded with new features once every three months, perhaps even without your knowledge or any forewarning. Bug fixes, depending on the severity, may take place even more often. Any good security expert will tell you that changing even a single line of code can introduce a new vulnerability. Having a methodical development process in place is fundamental to developing solid code.
Questions and Good Answers
What were the security considerations and design guidelines used during the software development process?
Security was a software design requirement from the very beginning. The software development group was given a strict set of security guidelines to follow during development and quality assurance phases utilizing best practice standards. Special attention was given to performance, scalability, fault tolerance, and resilience against web-based attack. Our internal guidelines specified the use of strong encryption algorithms, strict input sanity checking, least privilege, protected data storage, detailed documentation, etc. Each application business process possesses its own criteria for audit controls and testing.