Eyeballing the Security of Application Service Providers

A large number of banks, credit unions, product merchants, healthcare providers, and others are taking advantage of Application Services Providers (ASPs) to enhance their on-line offerings and reduce IT cost. Popular ASPs offer attractive service packages that include the necessary hardware and software infrastructure, such as fast, reliable machines, large bandwidth pipes, disaster-recovery policies, several layers of built-in fault tolerance, and support.

ASP customers don’t have to build a complex web-enabled infrastructure or grow the staffing requirements to manage it. Customers are free to carry on with business core competencies without worrying about development overhead. What we must remember is that when you outsource your website to an ASP, you are also outsourcing your security.

ASPs must be treated like a trusted business partner as they become the guardians of your website and sensitive customer information. Their security MUST be a priority requirement. If they are insecure, your business is insecure. It’s just that simple.

Also see SAS 70 Explained

If and when your ASP hosted web site is hacked, you will likely suffer financial loss as a result of downtime or theft of intellectual property. Funds and merchandise may be illegally transferred. There is administrative overhead in responding to and investigating the incident that can cost your business time and money. Also, regulations like GLBA, HIPAA, SarBox, and the various security breach laws are an ongoing concern and complicate the matter.

Lastly, you may suffer unquantifiable brand damage when the situation is made known to the press, the Federal Trade Commission, your customers, your competitors, and your boss. When searching for an ASP that is right for your organization, you need to be aware of its security practices.

ASPs develop, deploy, and manage custom web application software that enable websites to conduct business online. Online storefronts using shopping carts, credit card processors, banks using wire transfer and bill-pay services are a few examples. Order tracking, customer service, service configuration, content management, and dozens of other outsourced service implementations are common as well. For these transactions, the ASPs web application code is running the show from front-end to back-end. From a security perspective this means that if the web application is vulnerable to any of the Web Application Security Consortium’s (WASC)documented 24 classes of attack, including SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, your websites are at risk for compromise.

An ASP must provide security equal to or better than your company could achieve alone. It’s vital that you are aware of threats risks that may occur and going to be out of your control. When selecting an ASP to protect and carry out your online business, it’s in your best interest to do your homework. Information security needs to be approached by defense-in-depth and listed below are some web application security guidelines to consider during the review process. Essentially the list contains recommended questions combined with answers you might receive from ‘good’ security conscious ASP.

1) Platform Security

All secure systems need to be built on a solid foundation. In the case of web application security, the foundation is the operating system, web server, and perimeter firewall. These three components must be properly configured and use the latest and greatest stable releases. Patches also need to be diligently maintained to lock out hackers, worms and viruses.

Questions and Good Answers

How do you secure the network, host operating system and Web server?

We use a recent version of (insert operating system), a hardened security configuration, and patches are diligently applied. The network topology is segmented to support a DMZ and an internal private network using non-routable IP Addresses. Installed software packages are kept strict and limited. Any non-essential network listening services are disabled. Only authorized company employees can remotely connect to and administrate the servers over encrypted link (SSHv2, VPN, Two-Factor Authentication, etc).

*Bonus points for file integrity checking, host-based firewalls, and enforcing strong SSLv3

What security system configuration standards do you follow?

For both operating systems and web servers, we follow a corporate standard configuration policy. We run automated baseline analysis across the network on a routine basis looking for any out of compliance configurations. For the web servers we use industry ‘best practice’ standards for configuration including suppression of error messages, Denial of Service protection, and OS permission restrictions.

*Bonus points if they reference an industry standard such as PCI-DSS ISO 17799, or something else reasonable.

What security module add-ons or appliances are in use?

Each web server is installed with security enhancements (ModSecurity, URLScan, etc.) for an additional layer of security. Baseline security-rules are enabled to help prevent SQL injection, cross-site scripting, buffer overflows, and worms/viruses.

*Bonus points for application firewall appliances or reverse proxy configurations

2) Software Development Process

Typically, mature e-commerce software packages are upgraded with new features once every three months. Perhaps even without your knowledge or any forewarning. Bug fixes, depending on the severity, may take place even more often. Any good security experts will tell you that changing even a single line of code can introduce a new vulnerability. Having a methodical development process in place is fundamental to developing solid code.

Questions and Good Answers

What were the security considerations and design guidelines used during the software development process?

Security was a software design requirement from the very beginning. The software development group was given a strict set of security guidelines to follow during development and quality assurance phases utilizing best practice standards. Special attention was given to performance, scalability, fault tolerance, and resilience against web-based attack. Our internal guidelines specified the use of strong encryption algorithms, strict input sanity checking, least privilege, protected data storage, detailed documentation, etc. Each application business process possesses its own criteria for audit controls and testing.

How often is the web application code updated and is it security tested before each release?

Our web application code is typically updated every quarter with new features, performance enhancements, and security improvements. Using a variety of tools (vulnerability scanners, source code scanners, etc.), our internal QA process rigorously tests each new feature in combination with existing features for proper combined functionality and security.

*Assessing the security of web application may require tens-of-thousands or more tests (more than any expert could test manually). And since this type of hacking occurs usually through the browser, testing is very different than Windows security. As a result, comprehensiveness requires making use of special purpose scanning technology.

What are the security considerations for the use of third-party source code or remote services?

When third-party code or remote services are utilized by our websites, they must be held to the same (or higher) security standards as ourselves. To provide assurances, all products by third-party suppliers must undergo an in-depth security assessment by an independent audit firm. Any identified security vulnerabilities are promptly resolved before being implemented in a production.

*Independent web application security assessments can be performed by a number of firms. Choose a seasoned vendor because experience counts.

3) Security Assessment Procedures

It’s important to ensure routine security assessments are performed on both the network infrastructure and web application software. This gives excellent visibility on what security is like ‘today’ rather than last year. Remember, a script-kiddie Nessus scan is simply not enough because full in-depth analysis is required. Verify that the security assessment reports specifically address web application security testing. This area is often overlooked by many ASPs and as I mentioned before represents a large portion of security risk.

Questions and Good Answers

Are security assessments performed internally or by a third-party? Also what security criteria are used for testing?

To validate our security posture, an independent audit firm performs a comprehensive security assessment on our Web applications and network infrastructure. Any identified security vulnerabilities are promptly resolved.

Are security assessments performed regularly and do they match the release schedule of the Web applications?

Our Web application code is updated routinely according to our product roadmap. During each release, Web application assessments are performed. Again, any identified security vulnerabilities are promptly resolved. This process ensures a high degree of security assurance for our customers.

May we review the latest security report?

Up-to-date security reports can be made available upon request.

*You may be required to sign a non-disclosure agreement

4) Contractual Liability and Customer Rights

In ASP service level agreements, contractual liability relating to security is normally placed squarely on the vendor for aspects they control. ASPs may also contractually assume liability to win your business and also because they are insured against loss. But this is not the end of your security due diligence process. As with many regulated industries, including Part 748 of the federal National Credit Union Administration rules and regulations, you need to treat a vendors security practices as you would your own. Its not possible to contractually sign away your legal responsibilities.

More information can be found in part 748 of the federal National Credit Union Administration.

Questions and Good Answers

Do you carry contractual liability in a case of downtime due to unforeseen circumstances (DoS, power outage, etc)?

While we take every precaution to ensure 100% uptime, but unforeseen circumstances do occur. We will credit customer accounts for any interruptions in service. In the unlikely event of a serious incident we carry comprehensive business insurance policies ensuring stable business continuity.

*It’s possible, though unlikely, that an ASP will take on an unlimited amount of liability due to an error in their service.

May we perform security tests on our website?

We understand that customers may feel more comfortable performing or contracting security assessments on their own websites. On a case-by-case basis we may authorize this activity. But, we ask to be notified well in advance of any testing to determine appropriate scope of the project. Certain considerations for our operations staff and intrusion detection systems need to be set in place.

*You’ll likely receive a certain level of administrative pushback, but in the end if you get it, its well worth the effort.

Will we be promptly notified in the event of unauthorized security breaches?

While we take security very seriously, our company and our customers understand that no security system is completely impenetrable. Unfortunate incidents do occur. In the unlikely event of a security breach, per corporate policy, we will quickly ascertain the scope of the incident and take immediate action to prevent further damage. If the incident affects one of more of our customers we will inform them of the details. Moving forward we will analyze the cause of the breach and implement permanent preventative measures.

*What you are looking for is a responsible vendor looking out for your wellbeing. This is important because there is no customer benefit for a vendor to keep the issue away from you. You should be able to take measures to protect yourself as well.

Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security, where he is responsible for web application security R&D and industry evangelism. As a seven-year industry veteran and well-known security expert, Mr. Grossman is a frequent international conference speaker at the BlackHat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman’s research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, BetaNews, etc. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company’s hundreds of websites.