The Case for Business Software Assurance - Securing your Applications

Fortify
By : Fortify
INFORMATION
Published : Sep 15, 2008
Length : 14
Type : White Paper
Overview :
The hacking community has shifted its effort toward a new frontier:  the application layer.  How are companies responding?  Business Software Assurance – the capability to address the problem of application risk within an enterprise.  This whitepaper provides an overview of the severity of the problem along with everything needed to develop Business Software Assurance in your organization. 
Browse Related Categories : Compliance, Firewalls, Security

In recent years, the hacking community has shifted its efforts toward a new frontier: the application layer. With most companies spending thousands, if not millions, of dollars securing the perimeter with network firewalls, intrusion prevention systems, and other devices, hackers have realized that the lowest-hanging fruit lies in the applications themselves. Vulnerabilities that exist in the code are being exploited to steal private data, conduct phishing attacks, deface web sites, and run any range of online scams. These vulnerabilities have led to breaches exposing over 212 million records over the last 3 years.
How are companies responding? Business Software Assurance. This is the capability to address the problem of application risk within an enterprise. It’s the goal of ensuring the software that runs your business — whether it’s the code you developed internally, outsourced, purchased, or integrated from the open-source community — is secure and able to withstand attack.
This white paper provides an overview of the severity of the problem, the current hacking landscape, and the people, processes, and technology needed to develop Business Software Assurance in your organization.

With the advent of SOA, AJAX, and other Web 2.0 technologies, applications are becoming increasingly powerful and complex. With this complexity comes an ever-growing risk that security vulnerabilities will be introduced into applications. These vulnerabilities cannot be protected with a firewall, intrusion prevention system, or any other perimeter approach. They lie within the code and can be exploited by anyone who gains access to your Web site or your software. Unfortunately, developers are trained to build complex and feature-rich applications, and not applications that can withstand attack. Increasingly, the software applications that millions of people and businesses depend on every day are being exposed to escalating risks in the form of sophisticated attacks and other threats. Carnegie Mellon University’s CERT (Computer Emergency Response Team) tabulates comprehensive data on the number of software vulnerabilities reported each year. Between 1995 and 2007, the data CERT collected and analyzed from numerous sources showed that the number of reported security vulnerabilities increased an average of 37 percent every year.

Even more frightening are the vulnerabilities that are not reported. To gauge this number, the Web Application Security Consortium (WASC) analyzed 31,373 Web applications for common vulnerabilities. WASC’s research shows that these applications contained over 148,000 distinct vulnerabilities and includes the following details about them:
• 7 out of 10 were vulnerable to Cross-Site Scripting
• 1 in 3 aided attackers with Information Leakage
• 1 in 4 was susceptible to Content Spoofing
• 1 in 6 fell prey to SQL Injection
• 1 in 6 employed Insufficient Authentication
• 1 in 6 used Insufficient Authorization
• 1 in 7 allowed Abuse of Functionality
• 1 in 20 permitted Directory Indexing
• 1 in 30 was a victim of XPath Injection
Source: Web Application Security Consortium [2]
Despite compelling data to the contrary, many organizations continue to operate under the misconception that securing their networks will block attacks against vulnerabilities in their applications. Joseph Feiman, from the Gartner Group, a leading information technology research and advisory company, writes:
“Application developers and their superiors in IT departments too often mistakenly believe that firewalls, intrusion detection systems (IDSs), identity access management (IAM) systems and network traffic encryption are sufficient measures for applications’ security. By doing so, they are confusing application security with network security.” [3]
Most of the attackers are aware of this and continue to shift their focus to applications. Many well-respected sources have recognized this change, including:
• Gartner, reporting that 75 percent of breaches are caused by security flaws in software. [4]
• National Institute of Standards and Technology (NIST), reporting that 92 percent of vulnerabilities are in software. [5]
• The United States Air Force, reporting that the percentage of attacks directed at their applications (versus their networks) grew from 2 percent to 36 percent between 2004 and 2006. [6]