Code surety: Secure by design
Total security of applications is probably a pipe dream. However, starting a secure design framework today will markedly improve applications in the future, reports Deb Radcliff.
Applications are anything but static. They may start out with one set of functions, then elements are added on and merged with other applications. As they grow more complex, their vulnerability density increases – a particular problem for applications hosted on the web and migrating to the cloud.
“Web applications are the top attack target because they're so difficult to protect,” says Jim Manico, volunteer connections committee chair for the Open Web Application Security Project (OWASP), and VP of security architecture for WhiteHat Security. “Today, cloud deployment is all web driven, meaning cloud and web application vulnerabilities are on a direct collision course.”
Developing a “secure by design” framework for these technologies is challenging enough, says Michael Coates, volunteer OWASP chair and director of security assurance for Mozilla. Once developing organizations get their new applications under a trusted framework, the next hurdle is maintaining a safeguard posture as those applications change over time and move into the cloud.
Already struggling to ensure their web applications are protected, the majority of security and compliance professionals believe the current trend of deploying to the cloud invites further vulnerabilities, according to a 2011 survey on data security in the cloud of 1,000 security and compliance professionals by the Ponemon Institute and encryption vendor Vormetric. In the survey, fewer than 40 percent of respondents trust their own technologies to secure their sensitive data in the cloud – and fewer than one-third encrypt their sensitive data in the cloud.
Further, encryption is a cornerstone design point that should be considered in applications with sensitive data, yet it is one of the most difficult processes to achieve in the cloud, say experts.
What other elements are needed in a secure design plan? It depends on who you ask, what vertical industry they are in, what type of cloud or web services they're designing, and so much more, say Manico and Coates at OWASP.
However, there are several common design areas to focus on that apply to both web and cloud applications. These include gathering business requirements; development and testing; access, authentication and data protection; configuration and zoning; visibility; and maintenance and continuity.
Applications are written and upgraded by different coders at different times, and usually with no master plan, say experts. They contain a patchwork of code, objects and platforms with known vulnerabilities, such as might be found in HTML5, various flavors of Java, PHP, Ruby on Rails, iFrames, and more.
With these applications going virtual, into the cloud and even mobile, secure design must include ways to test the application before it's even developed, then during and after development, says Gary Phillips, board member for SAFECode, and senior director of technology assurance research at Symantec.
SAFECode, which stands for Software Assurance Forum for Excellence in Code, is supported by other large developers (including Microsoft, Adobe, SAP, Juniper Networks and Nokia) to advance best practices for more reliable software, hardware and services.
According to Phillips, secure code development practices are on the rise among commercial vendors. This is substantiated by a decrease in web application vulnerabilities, according to the latest “IBM X-Force 2011 Mid-year Trend and Risk Report.” For the first time in six years, the number of web application vulnerabilities declined, from 49 percent to 37 percent of all vulnerabilities reported in the first half of 2011, compared with the same time frame the previous year.
On the other hand, the number of vulnerabilities listed as critical tripled, while the report authors expect mobile exploits to double in 2012. SQL injections, XSS, input validation and numerous traditional attack methodologies are still prevalent in web applications, says Jack Danahy, director of advanced security at IBM. These, he adds, should not be migrated into the cloud.