Layered defense for software applications
Securing your applications has never been more important, and there are lots of ways to do just that -- as long as you don't mind onions
By Michael Fitzgerald
April 09, 2012, CSO
What do application security programs and onions have in common? Layers, says Ken Pfeil, global security officer at Pioneer Asset Management.
Securing corporate applications is a top priority for most security executives. Application vulnerability was the most feared threat for 73 percent of respondents to a 2011 study by (ISC)2, topping mobile devices, viruses and worms, and internal employees.
But while some companies might try to secure applications by investing in a tool—such as penetration testing or Web application firewalls—a robust application security program should take a multi-layered approach that addresses the operating system, the network layer and the development of the code itself.
Pfeil, for instance, aims his application security efforts at a variety of targets, from business executives to developers. His program includes developing business-risk-analysis reports, scheduling training sessions with development leads to gain their buy-in (and hopefully turn them into security advocates), and running a "How to Hack Web Apps" class twice a year.
These classes, he says, encourage developers to build security techniques into their code from the start, such as by applying Microsoft's Managed Code Security Guidelines and criteria from the Web Application Security Consortium. Ultimately, Pfeil says, his team uses 47 application security checks, from basics such as cross-site scripting to less-obvious measures that he says are proprietary and can't be shared.
No Silver Bullet
Such a nuanced approach is necessary to address today's continuously changing threat landscape and complex application environments, including mobile apps, Web 2.0, custom code, commercial software, and departmental and outsourced applications. With every code update, a new risk can be created, and even interactions between applications can cause unanticipated security problems. This complexity explains why there is no silver bullet for application security; instead, it requires a disciplined effort that involves time, money and people.
Relying on tools alone—such as penetration tests that simulate attacks on networks and applications—is a bit like playing whack-a-mole, according to Andy Ellis, CSO at Akamai Technologies. "They only show you how bad your code is," he says. Finding the problem doesn't solve the problem, and pen tests also don't reveal all your code gaps. At Akamai, for instance, after a defect was revealed through pen testing, "we had a security researcher look in the [code] library, and lo and behold, we had 20 other defects," Ellis says.
Jennifer Bayuk, a security consultant and program director of the Systems Security Engineering program at the Stevens Institute of Technology, is similarly skeptical of "bolt-ons" that sit on the application and check how secure it is, such as Web application firewalls. "You use a Web application firewall because your code is buggy and you know it," she says.