But network perimeter defenses hardened and security advanced over the last several years, forcing cybercriminals to adapt. Nowadays, the new shiny target is web applications, and attackers are feasting on their inherent weaknesses.
Because they rely on an internet browser for user interaction, web applications let users avoid traditional perimeter security defenses, such as intrusion detection systems, firewalls and anti-virus software, according to Symantec's Internet Security Threat Report. That is why between July and December 2005, nearly 70 percent of the vulnerabilities disclosed to Symantec were associated with web applications.
To put that alarming statistic in perspective, only a year earlier, web applications were responsible for just under half of all vulnerabilities, according to Symantec.
But there's more bad news. A growing number of companies, with cost savings in mind, are inviting even more risk by choosing to have somebody else maintain control over their
crucial applications, industry experts say. These organizations prefer to outsource application maintenance to an application service provider (ASP), located either in the United States or abroad, particularly India.
This is a market growing at an annual rate of about 15 percent, estimates Rick Dyer, director of product management for IT solutions at Verizon Business.
Many shops with tight budgets and a limited IT staff, particularly small- and medium-sized enterprises, engage the ASP to run their software for them. Hosts let companies buy software as a service and tap into their data center, rather than companies themselves owning a software license and the requisite hardware. Considering it saves organizations a significant amount of money and relieves a sizeable burden off their employees, outsourcing offers an attractive business model, security experts agree.
"[Without ASPs], you pretty much would need a full-time person, a rack of equipment, development and an intrusion prevention system," says Jeff Williams, chairman of the Open Web Application Security Project (OWASP).
And application maintenance can be tedious, says James Whittaker, founder of Wilmington, Mass.-based Security Innovation, and professor of computer science at the Florida Institute of Technology in Melbourne, Fla. But, he adds, for an overworked, understaffed IT department, it can be especially problematic.
"What a crappy job," he says. "You've got 2,000 computers and each of those is running a different configuration of applications. The idea of ASPs is one potential solution for this sort of IT hell administrators find themselves in."
For some companies, outsourcing is a no-brainer solution.
"Its [applications] are not their core competency," says Howard Schmidt, former White House cybersecurity adviser. "It's easier to outsource than to build and maintain."
A dicey proposition
But outsourcing exposes organizations to a new element of risk, complicating even further the already murky world of web applications, experts say. As the gatekeepers of critical data for potentially thousands of companies, ASPs present an inviting target for cyberthieves.
"Anytime you have a nexus of something, if I could target that router, I could cause damage not just to that router but to the networks that depend on it," says Marcus Sachs, deputy director in the Computer Science Laboratory at SRI International, a Menlo Park, Calif.-based nonprofit research and development organization.
Companies must properly evaluate the ASPs to determine everything -- from how they handle patching to how they respond to major security incidents, according to many industry players.
"The big concern for everybody is what does the hosting company provide in terms of security or assurance of your data?" Sachs says. "Even though they're doing backups so availability is always there, are they also providing against [inadvertent] change so you have integrity in place?"
At GoDaddy.com, a leading domain registrar and website host, shared-hosting servers offer file- and kernel-level "sandbox" isolation for users, says Mike Chadwick, vice president of technology. The Scottsdale, Ariz.-based company has doled out 12.6 million domain names since its founding in 1997, and it currently hosts about one million sites for companies, mostly small organizations, says Warren Adelman, GoDaddy.com president and chief operating officer. Most of those sites run simple applications, such as shopping carts or blogs.
"They come to us because we make it easy," he says. "We help save them the commodity of time. We help them with maintenance and availability. We absolutely appeal to small business."
As another example, Verizon Business has four data centers, known as smart centers, across the world and offers capabilities to about 3,000 servers, many used by large companies running complex applications, Dyer says. Customers there are placed on dedicated servers.
Physical security surrounding the four data centers is also pivotal to the overall protection plan, Dyer adds. Only Verizon Business employees are allowed access, and they must use biometric hand-scanning to enter the buildings.
Burden is on the customer
But while the ASP ultimately is responsible for the upkeep of the applications, the onus falls on the company doing the outsourcing to ensure the ASP vendor is security conscious, experts agree.
Companies -- especially mom-and-pop shops -- may lack the technological expertise to perform the work, but still must ask the right questions and maintain a continual relationship with the hosting service, industry leaders contend. This, however, is easier said than done.
"What happens most frequently is people choose an ASP provider based on features, and they don't ask all the questions about security that they should," OWASP's Williams explains. "You're really using these applications at your own risk, but what is the risk? You have to have more information if you're going to figure it out."
Schmidt says companies must bombard the ASP with questions, such as how they conduct patching for vulnerabilities; whether they run filters for virus, phishing and spyware attacks; and how they report security flaws.
"Have that two-way communication," he says.
The best way to guarantee performance is to develop a binding contract between the outsourcer and the vendor, experts recommend. This service level agreement (SLA) provides the company with a means of legal recourse should the ASP waiver on its security commitment. At the minimum, the SLA should cover how the ASP is handling its obvious responsibilities: response time, delivery, backups, updates and maintenance.
But getting companies to understand the importance of an SLA could be difficult, especially considering some organizations hired the ASP in the first place because they themselves lack IT expertise.
"Some companies don't even know what application security is," says Dave Grant, senior director of product management at Watchfire, a Waltham, Mass.-based application auditing firm. "The chance that they include that language in their service level agreement, that's probably not happening for a lot of companies."
Sachs, meanwhile, recommends companies witness firsthand what the ASP has to offer before signing on with them. All too often, companies forget about due diligence and choose a host for many unfounded reasons -- even "how cute the receptionist answering the phone sounds," he says.
"I would recommend you physically go to their site," Sachs says. "If you're going to be outsourcing millions of dollars of your property, I think that's worth a plane ticket and a night in a hotel room."
Still, in light of today's targeted and financially motivated attacks, companies are becoming proactive in their assessments of ASPs, Verizon's Dyer insists.
"We're getting a lot more questions about how configurations are set up," he says, adding that customers are encouraged to run audits or use a checklist to ensure safety directives are in place.
Protecting an ASP and its guests
Protecting a shared infrastructure boils down to three major components: privacy, authentication and attack prevention, says Pete Abrams, vice president of marketing for Santa Clara, Calif.-based NetContinuum, an application security company.
For web applications, data validation is the key, says John Adams, executive vice president of engineering and operations at Needham, Mass.-based certificate provider GeoTrust. Hackers can exploit applications through cross-site scripting, SQL injection and buffer overflows, and ASPs must be actively looking for that type of behavior.
"If you put in the right JavaScript, bad things can happen," Adams says.
Adds Abrams: "The only defense is making absolutely sure your source code is 100 percent immune from these types of attacks, which is an extremely difficult proposition."
GoDaddy's Adelman says the company's prime concern is guarding the data center so that one customer's problems cannot affect another's. The company can watch for shoddy applications and advise customers how to fix them -- but the end product is up to them.
"What we can't guarantee is if a customer's code is secure," he says.
Standards on horizon?
Whittaker says he predicts ASPs someday will be governed by benchmarks that "naturally" will develop through industry consortiums. For now, several companies, including Cisco and the SANS Institute, offer ASP evaluation guidelines. Until official points of comparison are in place, experts seem divided over whether to outsource hosting capabilities.
"It's going to end up going on reputation, the same way you trust your money with a bank," Whittaker says. "But I don't think companies are going to be able to make that determination. The whole idea is that the companies are less technically savvy than the application services."
Others think the larger companies can afford to keep applications running on premises, assuming they are placed on dedicated servers. In a shared-hosting environment, isolated applications are more at risk for attack, they say.
"In a lot of cases, at least for the critical applications, I think running them in-house makes the most sense because you can keep control over them," says Williams, who also serves as CEO of Aspect Security in Columbia, Md. "And that's what we're seeing the big shops doing."
But, he adds: "I think [an ASP] is a good option for some smaller shops that can't really stand up their own infrastructure."
It does not hurt, either, that ASP vendors likely employ knowledgeable IT security workers who are well-versed in running applications, experts say.
"A lot of the issue of outsourcing versus insourcing gets down to the competence of the people in charge," Adams says. "If you expect outsourcing to provide more disciplined services, you have to make a judgment, 'Is that person going to do a better job than I would?'"
In the end, the theory is that any hosting service should be taking security seriously -- or they would be out of business, experts contend. But if a vendor has never been hit with an attack, there may be no way to guarantee safety.
"So far [ASPs] have proven to be reliable," says Whittaker, who has authored several books on software security. "There haven't been any huge breaches. The question is, are they secure or have they just not been a target? Until they become a target, we won't know if they're secure."
But Schmidt predicts growing problems as the ASP market continues to flourish and evolve.
"As this becomes a more lucrative business, as we move toward an ASP model and new ASPs emerge, they're going to feel like they need to be first to market and don't need to spend extra time to add security," he says. "The fear is there."
We welcome your comments. Email us at [email protected].
EVALUATION: Application services
While there are no official agreed-upon standards, there are detailed ways for a company to evaluate an application hosting services' IT security credentials.
The SANS Institute offers a three-page document that "defines the minimum security criteria that an ASP vendor must meet in order to be considered for use" by a company. A security services company can review the vendor's responses and suggest improvement.
The more detailed the vendor is with its responses, the better. SANS offers a few
examples. Here's one:
Bad: We use encryption.
Good: All communications between our site and [the company] will be protected by IPsec ESP Tunnel mode using 168-bit TripleDES encryption, SHA-1 authentication. We exchange authentication material via either out-of-band shared secret, or PKI certificates.
SANS also says the equipment hosting the application must be in a physically secure site, the hosting network must be "air-gapped" from any other customer, and the ASP must list current patches on the hosts and explain how and when patches are applied.
To view the complete document, visit www.sans.org/resources/policies/Application_Service_Providers.pdf.
Network equipment provider Cisco also has developed a methodology to evaluate the plethora of ASPs in the market.
The criteria will help outsourcers protect against data and image loss, possible financial instability by the ASP, and the accidental sharing of corporate data with the ASP's other customers.
"The ASP may be an expert in its area of expertise, but its security function may be immature," the Cisco document states. "While some ASPs are large and mature enterprises, others are niche players or small 'mom-and-pop' shops. Their security can range from existent to nonexistent."
To review Cisco's report, visit www.cisco.com/web/about/security/intelligence/05_08_asp-eval.html.
-- Dan Kaplan
FINDING FIXES FOR: Most common blunders
1 Insufficient input validation: This could lead to SQL injection, cross-site scripting or other unauthorized data access.
The fix? Organizations should set "deny by default" access during the input process.
2 Parameter manipulation and logical access control: The application should keep track of user access through management information instead of passing variables.
The fix? Keep proper security checks in place to ensure authorized access to data.
3 Improper security: Safety measures often are applied too late in the development cycle.
The fix? Implement security review checkpoints at various intervals, from the planning through the deployment phase.
4 Custom algorithms and session ID generation functions: They can lead to hackers gaining unauthorized access.
The fix? Use industry-accepted formulas.
5 Insecure supporting network architecture: Anyone with access to the internal network may be able to access the applications.
The fix? Design a hardened network that will protect against internal and external threats.
-- Chris Foster, senior security consultant, Cybertrust; Damon Cortesi, senior security consultant, Cybertrust
