To secure web applications, makers must take ownership of their lifecycle management, reports Deb Radcliff.
LulzSec uses zero-day on PBS! Hacker group raids Sony Pictures in latest breach! Mass injection campaign affects 3.8 million pages!
These are just some of the web application breach events to make headlines in 2011. In just the first half of this year, the number of attacks on websites increased by 65 percent over 2010, and surpassed the total number of attacks tracked in all of 2009, according to HP's “2011 Mid-year Top Cybersecurity Risks Report.”
Most troubling is that the exploits into these applications – SQL injection attacks, cross-site scripting (XSS) and buffer overflows – continue to take advantage of vulnerabilities in the code and functional aspects of applications that security experts have known about for decades, says Ed Adams (left), CEO of Security Innovation, a software, training and consulting services company based in Wilmington, Mass.
“Today, it is inexcusable to allow a SQL injection into a public-facing web application where criminals can extract data on customers, take down servers or set up drive-by downloads onto victim browsers,” he says. “And yet, all too often, these things occur.”
Frameworks and tools are available to create cradle-to-grave policy around secure application development and maintenance. Yet these SQL, XSS and overflow vulnerabilities remain among the top web application security risks, according to listings by the Open Web Application Security Project (OWASP), the SANS Institute, and others.
What's needed, many experts say, is a wholesale shift toward secure coding and application development practices. Yet, despite the sense in creating strong foundations, builders often leave the safety aspects of their applications to people who have little coding background.
Eye to eye
“In the development world, security is another aspect of software quality, which is measured on functionality, reliability, performance, accessibility and availability,” Adams says. “Educating developers to understand security in terms of how they measure their applications, then, is a key component to bringing applications into compliance.”
Education is a foundation that Security Innovation is founded on – both for its 20 internal developers and for large organizations with up to 4,000 developers for which the company provides computer-based and instructor-led training.
In addition to private firms offering training, community education is available through groups like OWASP, which houses a free security library for Java, PHP, .NET, ASP and Haskell languages, and has many training modules.
And, increasingly, development communities are also offered rewards for finding bugs.
As one would expect in today's threat climate, the demand for application developers with secure coding background is strong, particularly for newer social networking and mobile applications delivered over the web, says David Foote, CEO of Foote Partners, based in Vero Beach, Fla.
According to the latest edition of Foote Partners “IT Skills and Certifications Pay Index,” coders with SANS GIAC secure programming for .NET and Java, the (ICS)2 Certified Secure Lifecycle Professional (CSSLP), or the EC-Council Certified Secure Programmer (ECSP) can earn pay premiums averaging eight to 12 percent of base pay and even more with additional experience.
“We identify secure software programming as one of the three best security career bets,” Foote says. “The caveat is that secure coding is hard to do, and market demand far exceeds the available talent supply. It takes years of hands-on practice, as well as training, to develop the skills.”
Sharing tools and frameworks
Education is nothing without the right tools and frameworks to validate and measure the security of applications under development and in production, say experts. In the commercial world, for example, Microsoft several years ago introduced its Trustworthy Computing framework. And Symantec, with 7,500 software engineers, measures and monitors its applications through a process called Symmunize.
This initiative grew out of Symantec's vulnerability analysis on its applications, which incorporates such techniques as fuzzing (to test input parameters against SQL injection). For upgrades, testing also includes static source code analysis to look for errors before code is compiled.
By integrating security into the development process, from concept into production, Symantec has experienced a marked decrease in security advisories over the past four years, says Cassio Goldschmidt, senior manager of product security at the company. These are the kind of metrics purchasing organizations should look for when acquiring new applications that are developed commercially, he adds.
Other large tools vendors, including IBM and HP, are also now offering integrated suites that can be used to test internally developed and commercial applications. Both companies have made strategic acquisitions in recent years that bring together static and dynamic analysis tools so application owners can manage security from development through production, including ongoing maintenance and remediation.
For example, West Virginia University, in Morgantown, with 31,500 students and 6,600 employees, is using IBM Rational AppScan Enterprise to support applications deemed to contain regulated data, such as student academic, employee, health or financial information.
“I could tell IT professionals on campus,” says Alex Jalso, assistant director of the office of information security at West Virginia University. “I've been in their shoes managing applications like theirs, and help them understand that what we're providing is a service – not a requirement that would get in the way of their incredibly busy schedules.”
He adds that it took convincing to show he was not mandating any more rules, but was helping to achieve compliance through delivering secure apps.
At the university, application owners work with the office of information security to develop a scan profile based on their program's attributes (e.g. operating system, programming language, application location, and resident data subject to legal governance, such as student information). Walkthroughs then provide additional information for the scan profile, including the application's purpose, functionality and processes.
Once the application's scan profile is complete, a security scan is scheduled using IBM's assessment tool, Rational AppScan Enterprise. This product identifies severity within the application. An application that has information and is used by all pupils would receive a high priority and impact ranking. It would be held at a higher level of remediation than one with a lower score.
Since implementing the standard version of AppScan in 2009, and then upgrading to the Enterprise version in 2010, West Virginia University has experienced an increase in the number of applications it has scanned – from two in the last six months of 2009, to 40 for the first six months of 2011, Jalso says. There are also other benefits, such as increased voluntary participation and the ability to provide new, value-add services, he says.
“We just underwent a major summer upgrade on one of our student management systems, and the application owners came to us very early in the process, asking us to verify the improvement in a test environment prior to going into production,” Jalso says. “This we consider a success.”
In addition, the university was able to work with IBM Rational to implement its Policy Tester module to identify compliance in web-based applications with the American Disabilities Act.
Prepare for new attacks
Even with the most secure coding processes, attack techniques that take advantage of vulnerabilities on new types of applications – such as ones that are AJAX-enabled, whether written in Ruby on Rails or PHP languages, and deployed as an iFrame or mobile app – will be a fact of life and lead to zero-day exploits, warns Jeremiah Grossman, co-founder of web application security company WhiteHat Security.
“[The online collective] Anonymous is known to target websites using PHP File Include attacks, which are similar to SQL injections, whereby a remote intruder can execute commands on the server and compromise the system,” he says.
There's no after-the-fact solution that can be applied to fix all the millions of PHP applications already in circulation, he adds. However, developers need to be aware of these and problems with all their applications that house and process sensitive data.”
Until the burden of security is shifted back to development teams, the likelihood of SQL injections and other common attacks on web applications will only accelerate, Security Innovation's Adams says. “This is especially important as we push more of those applications out to mobile devices and the cloud.”