Decoding Application Security

Today's Web-connected applications need more than just firewalls. Application-security gateways can't grow up fast enough

Ah, the Web.

It has generally made business easier and cheaper, but specifically made information security harder and more expensive. Companies in all sorts of industries are rushing to create Web-accessible applications so that their customers can more easily get at data or manage their own accounts. Alas, these new systems draw along in their wake a bevy of new, application-specific attacks.

And so application security is a top-of-mind issue for CISOs. Consider the case of Depository Trust Clearing Corporation (DTCC), which provides clearance, settlement and information services for a variety of financial-services transactions. Its Web applications include a service called Domestic Tax Reporting Service, which accumulates year-end tax information on various investment types in a centralized database. Customers log in to double-check their tax reporting. Not the kind of application a company wants hackers rifling through. So in addition to the usual stable of firewalls, DTCC is using application-security gateways from Teros to protect against common application-level attacks such as buffer overflows and SQL injection - both of which involve a hacker tricking the host system into executing unwanted commands. DTCC has been testing the Teros product (which costs about $US25,000) since September 2003, and DTCC CISO Paul de Graaff is sufficiently pleased with the results to plan installing more devices this year. Eventually DTCC will use the gateways to protect transaction-based and consumer Web applications, both customized and off-the-shelf.

"Application security has become my number-one priority," says de Graaff.

CISOs' number-one priority, of course, usually becomes security vendors' number-one market opportunity. Security product purveyors are responding, launching products specifically designed to provide application-level security that traditional firewalls don't deliver. CSOs and CISOs report some early successes with application-security efforts, but also a number of important reasons to consider treading lightly as application-security products and processes mature.

Your Buffer Overfloweth

Unlike certain worms and viruses that exploit network security weaknesses, Web application attacks go after flaws in the applications themselves. For example, an intruder could tamper with part of an HTTP request and use buffer overflows to corrupt a Web application by having it execute arbitrary code. In this way, the attacker could in effect take control of a Web or application server.

There are several approaches to preventing this kind of attack. One is code inspection: trying to secure your homegrown applications by more carefully examining your source code, looking for common coding errors and vulnerabilities. (For more on this approach, read "Code Violations", page 38.) Another approach is scanning your Web applications from the outside - as an actual attacker might. This is most commonly done by an outside provider, often under the heading of vulnerability assessment. Application-security gateways, such as those DTCC is deploying, are a third approach. Gateways inspect incoming network traffic in greater detail than a conventional perimeter firewall does. Typically, a firewall lets HTTP requests pass through - HTTP being the standard protocol for transmitting Web pages. An application-security gateway, however, can be set to sift through the HTTP data stream, looking for SQL code embedded in places where it shouldn't be. (If a Web application includes a field for customers to fill in their password or address, and instead the "customer" types in a long string of nonsense with embedded SQL commands, that's a pretty reliable sign that there's malice afoot.)

One of the distinctive features of Web-application security is that it employs a positive security model that monitors applications to ensure they behave as originally intended, without relying on attack signatures, says Richard Stiennon, vice president of research for network security at Gartner (US). The products learn normal application behaviour and differentiate it from abnormal behaviour such as buffer overflows and SQL injection. "Most attacks on the application side are customized for a particular application," and the positive model - recognizing appropriate behaviour instead of trying to learn the signature of every possible inappropriate attack - is more effective at blocking these hacks, says Stiennon.
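The two detection styles described above, a gateway sifting input fields for embedded SQL (the signature approach) and the positive model that learns what each parameter normally looks like and flags deviations such as injection punctuation or an overflow-sized value, as an added Python example. This is not code from the article or from any of the vendors it names; the training traffic, parameter names (`user`, `password`, `zip`), signature list and the 1.5x length tolerance are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample of known-good form submissions, standing in for the
# traffic a gateway would observe during its learning period.
NORMAL_TRAFFIC = [
    "user=jsmith&password=Tr0ub4dor&zip=10004",
    "user=mgarcia&password=sunshine99&zip=94105",
    "user=lchen&password=Winter2003&zip=60606",
]

# 1. Negative model: a short, illustrative list of SQL fragments that have no
#    business appearing in a password or address field.
SQL_SIGNATURES = re.compile(
    r"'\s*(?:or|and)\s*[\w']+\s*=\s*[\w']+"   # ' OR '1'='1
    r"|--"                                    # SQL comment
    r"|union\s+select"
    r"|;\s*(?:drop|delete|insert|update)\b",
    re.IGNORECASE,
)

def looks_like_sql(value):
    """Signature check: True if the field value contains a known SQL fragment."""
    return SQL_SIGNATURES.search(value) is not None

# 2. Positive model: learn what each parameter normally looks like.
def char_class(ch):
    """Collapse characters into coarse classes so profiles generalize a little."""
    if ch.isalpha():
        return "alpha"
    if ch.isdigit():
        return "digit"
    if ch.isspace():
        return "space"
    return ch  # punctuation is kept literally; it is what injections need

class PositiveModel:
    def __init__(self, slack=1.5):
        self.slack = slack    # tolerated growth over the learned maximum length (assumed value)
        self.max_len = {}     # param -> longest value seen in good traffic
        self.charset = {}     # param -> set of character classes seen

    def learn(self, query):
        for name, value in parse_qsl(query, keep_blank_values=True):
            self.max_len[name] = max(self.max_len.get(name, 0), len(value))
            self.charset.setdefault(name, set()).update(char_class(c) for c in value)

    def check(self, query):
        """Return (param, reason) pairs for every deviation; empty means conforming."""
        violations = []
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name not in self.max_len:
                violations.append((name, "parameter never seen in normal traffic"))
                continue
            if len(value) > self.slack * self.max_len[name]:
                violations.append((name, f"length {len(value)} exceeds learned maximum {self.max_len[name]}"))
            unexpected = {char_class(c) for c in value} - self.charset[name]
            if unexpected:
                violations.append((name, f"unexpected characters {sorted(unexpected)}"))
        return violations

def build_model(training=NORMAL_TRAFFIC):
    model = PositiveModel()
    for query in training:
        model.learn(query)
    return model

def gateway_verdict(model, query):
    """Combine both checks; a single finding from either is enough to block."""
    reasons = [f"{name}: SQL fragment in value"
               for name, value in parse_qsl(query, keep_blank_values=True)
               if looks_like_sql(value)]
    reasons += [f"{name}: {why}" for name, why in model.check(query)]
    return ("block" if reasons else "allow", reasons)

if __name__ == "__main__":
    model = build_model()
    # Constructed requests: one benign, one classic SQL injection, and one
    # overflow-sized value that no SQL signature would match.
    samples = {
        "benign":    "user=bwayne&password=Gotham42&zip=10001",
        "injection": "user=jsmith&password=%27%20OR%20%271%27%3D%271&zip=10004",
        "overflow":  "user=jsmith&password=abc&zip=" + "A" * 4000,
    }
    for label, query in samples.items():
        decision, reasons = gateway_verdict(model, query)
        print(f"{label:10s} -> {decision} {reasons}")
```

The oversized `zip` value is the instructive case: the signature list says nothing about it, but the learned profile rejects it on both length and character class, which is the point Stiennon makes about positive models blocking attacks nobody has written a signature for. The flip side is the false-positive worry raised later in the article: a model trained only on a short window of traffic will also reject legitimate but rare inputs (a once-a-month report, an unusually long street address), so the training window and the length tolerance have to be set per application rather than once for the whole gateway.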

Why are application-specific attacks so rapidly on the rise? Aside from the quick proliferation of Web-attached applications, Stiennon says it's not all that difficult to exploit application vulnerabilities - probably easier than writing a virus. DTCC's de Graaff also observes that many programmers lacking Web expertise have been pressed into writing Web applications quickly (for competitive reasons), which results in a lot of vulnerable code.

For many organizations, the solution will be application-security products such as Web application gateways. The Yankee Group estimates the market for Web application-security products and services will grow to $US1.74 billion by 2007 from $US140 million in 2002. "CSOs and CISOs recognize the need for this, and they are aggressively evaluating products," Yankee Group Senior Analyst Eric Ogren says. "I'm not sure many are ready to take the plunge, but a lot of the vendors have lots of pilots going on."

Indeed. Among those providing Web application gateways are Kavado, NetContinuum, Sanctum and Teros. Check Point and NetScreen have begun working application-security features into conventional firewall products. Vendors such as Sana Security, SPI Dynamics and StillSecure feature some aspects of application security in their products as well. For example, Sana last year launched host intrusion-prevention software called Primary Response, which detects and blocks attacks at the application and operating-system level. The software is based on a technology that analyzes application code and builds profiles of normal behaviour, then continuously monitors applications to find abnormal behaviour. StillSecure offers a product called StillSecure VAM, a vulnerability-management system that detects security weaknesses in databases, Web servers, application servers and e-mail servers.

Cautious Optimism

Early adopters, like DTCC, report promising results with these technologies.

Will Pelgrin, director of the New York State Office of Cyber Security Critical Infrastructure Coordination, says the state is exploring application-security products to complement its firewalls, intrusion-detection systems, and vulnerability scanning, and has included application-security best practices in an April 2003 security policy being implemented by all state agencies. "We believe very much in defence in depth - security needs to be in layers - and application security is an important aspect of that," says Pelgrin. He won't disclose specific application-security products the state is considering but says it's exploring a variety of technologies.

Similarly, the US Department of Energy has been evaluating a gateway from NetContinuum since May 2003 and has seen a significant drop in its vulnerability to application-level attacks, says John Dias, senior security analyst at the department's Computer Incident Advisory Capability (CIAC). One of CIAC's functions is to conduct penetration tests of all the Energy Department's Web sites, and Dias says the group threw most of the known application-specific and server-layer HTTP attacks against the gateway to test it. "They were all very easy for the gateway to detect and block," he says. "These things would have gotten past the firewalls." Dias also notes that his group has "a small army of people watching all the application vendor sites [for vulnerabilities and fixes], but when you look at the amount of information you have to deal with, it's no longer practical" to protect applications that way.

De Graaff notes an extra benefit: feedback from its gateways will help DTCC application developers write better software. For example, information from the gateway tells programmers that an application is not performing proper input validation. Look across several applications and the most common errors will emerge. At DTCC this data will eventually be used to create a list of things to avoid in future application development, de Graaff says.

Yet despite such positive feedback, and the pressing nature of the application-security problem, industry watchers like The Yankee Group's Ogren say gateways have a way to go before they're considered as mainstream as virus scanners and intrusion-detection systems. What's holding application security back? Round up the usual suspects: concerns about performance, complexity, maturity, budgeting and training.

For starters, some CISOs are concerned about using application-security products because of the potential impact on application performance, says Howard Schmidt, vice president and CISO at eBay, and a former adviser to the White House on cybersecurity. "But the [latest] products are doing a better job of making sure they don't have an impact on the application other than to protect it," he says.

Second, there's complexity. Implementing application security is not without hurdles and management issues, and the technology is still maturing. De Graaff says application gateways are additional components to monitor in an increasingly complex security environment. Scalability of the gateways isn't a concern at this point, he says, but might become an issue as companies run more applications through the devices. If they can't handle the increased workload and DTCC has to purchase more devices, that will add to the complexity.

Third, the technology is still new and relatively untested in large-scale rollouts. Despite the promised benefits of application security, Schmidt believes some organizations might be hesitant to deploy products. "It will take extra work [by vendors] to convince people that this will not have a negative effect on systems," he says. For example, will application-security products interpret a once-a-month reporting function as out-of-the-ordinary activity and therefore shut down an application? Schmidt is also concerned about how application-security products will work with customized applications where "normal" behaviour is not always clearly understood.

"As there are more deployments and case studies about companies that have implemented application security, there will be more [evidence] that this is something good," Schmidt says.

Pelgrin says effective deployment of application security depends as much on management as on technology. Effective product deployments will have to be accompanied by a cultural change, including greater awareness of application vulnerabilities and educational programs about how employees can protect against these vulnerabilities.

Another issue is the difficulty of getting funding for yet another layer of security. Jack Jones, CISO at Nationwide Insurance, says, in general, it's tougher to get approval for security investments than in the past, and that applies to application security as well. Nationwide uses application-security products such as scanners that check code in new applications, and has launched training and awareness programs about application security and vulnerabilities. Jones says he was able to justify a budget request by doing a critical analysis that showed several components of the risk landscape had changed over time. For one thing, the sheer volume of attacks had risen. For another, vulnerability increased because hackers had become more adept at exploiting applications and more applications were Web-enabled. Third, the potential impact on the business increased because the company was offering more products and services online.

As with all new technologies, training is a key issue for application security, says Greg Murray, CISO at Information Resources Incorporated (IRI), a sales and marketing research company that recently began using Check Point's FireWall-1 NG with Application Intelligence and is evaluating other application-security products. "We're constantly training people to make sure they understand how the technology works and know what the results should be," Murray says. Creating business-partner awareness about application-security vulnerabilities and safeguards is also critical: "This is a supply chain issue," he says.

Given these hurdles, some organizations will remain hesitant to adopt application security. Many of those companies will likely face a rude awakening, such as having corporate Web sites taken over by intruders, Gartner's Stiennon predicts.

Smart security leaders won't wait that long.

SIDEBAR: How to Explain It to Your Boss

If your CEO demands a 30-second lift-ride explanation of application security, these (almost) jargon-free analogies might come in handy.

Buffer overflow: Imagine a hospital waiting room that gets so overcrowded that the extra people spill into the next room, which is foolishly unlocked, and which happens to be the patient records room. Hackers make this happen intentionally (by cramming too much information into a Web site's input field) in order to get access to the areas they shouldn't.
