Not long ago, Web application security was the least of an IT professional's worries. Times have changed. The combination of improved network defenses, hackers motivated by profit rather than notoriety, expanded deployment of Web-based business applications, increased value of Web-based ecommerce transactions, availability of critical data through Web technology, and heightened regulatory requirements makes Web application security a top consideration. Enterprises understand the need to improve security in this area and have deployed various security products (including Web application firewalls, Web single sign-on, and encryption) to defend against Web application attacks. However, most solutions deal with the symptoms but don't get to the root cause: insecurities inherent in the Web applications themselves. Enterprises need to look at the application software if they want to vastly improve Web application security. Specifically, enterprises need to use software testing that can automatically review applications for security problems. This document examines the market drivers and technology associated with software security code review products and discusses how Cenzic is addressing this urgent need.
"But People Are Supposed to Come In"
The growth and proliferation of the dynamic Web create a conundrum for companies. Web applications are designed to make customers and partners visit and interact with Web sites. They use Web applications to buy products, interact with companies, gather valuable information, and enable many other critical business processes. Use of this technology greatly enhances business opportunities. On the other hand, the openness of Web applications offers attackers an avenue to access critical back-end databases not otherwise reachable from the outside. The threat to Web applications is heightened because attackers are no longer just mischievous; instead, they are motivated by profit. Today's attackers are out to steal something, be it money, corporate secrets, or user data. This changing threat environment raises the stakes and makes Web application security an imperative.
The problem is that although security generally is thought of as something that prohibits, companies need people to visit and interact with their Web sites. This situation makes it more difficult to lock down Web sites. To protect Web-based applications, enterprises are addressing the security symptoms by installing application firewalls, utilizing Web-based authentication and authorization, encryption, and patching commercial software. Like any in-depth defense strategy, these mechanisms are important, but in a Web environment, they don't get to the root of the problem: the dynamic capabilities of Web applications and the basic design and actual implementation of the code.
Given that interactive Web applications execute based on arbitrary data sent by a user, the danger exists that malicious commands will be directed through scripts. Many Web application attacks rely on a malicious user's ability to pass improper input that the application then processes outside the design intentions of the system; examples include URL manipulation, session hijacking, cookie poisoning, buffer overflows, SQL injection, forceful browsing, and other methods. Many of these attacks will not be stopped or detected by firewalls or intrusion detection systems.
It's critical that only input in a format the application expects and can process be accepted and executed. As Web applications become more complex and automated, there's a greater probability that the application will have inherent security flaws waiting to be exploited. IT professionals are already aware of this problem. According to IDC's Enterprise Security Surveys from 2004 and 2005, nearly one in five of all respondents reported having been subjected to an exploit through a flaw in a Web application. When only very large enterprises are considered, that number jumps to one in four. This number in all probability is higher because many smaller enterprises either don't like to admit attacks or are not aware that attacks might have taken place.
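As an added example (not code from the paper or from Cenzic), the following Python shows the two controls behind the rule "accept only input in a format the application expects": an allowlist format check on a username parameter, and a parameterized database query so that whatever reaches the database is treated as data, never as part of the SQL statement. The customer table, its rows, and the username format are constructed assumptions for the demonstration; the deliberately unsafe lookup is included only to contrast it with the hardened one.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# back-end customer database the paper describes as the attacker's target.
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

# Assumed application rule: usernames are 1-32 ASCII letters, digits or
# underscores. Anything else is outside the format the application expects.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_accepted(value: str) -> bool:
    """Allowlist check: True only if the value matches the expected format."""
    return USERNAME_RE.fullmatch(value) is not None

def validate_username(value: str) -> str:
    """Reject input outside the expected format before it is processed."""
    if not is_accepted(value):
        raise ValueError("username does not match the expected format")
    return value

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately unsafe (for contrast only): the request value is
    concatenated into the SQL text, so quote characters in the input
    change the meaning of the statement."""
    sql = f"SELECT email FROM customers WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the value is bound as data, so it can only ever
    be compared against the column, never interpreted as SQL."""
    rows = conn.execute(
        "SELECT email FROM customers WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Defense in depth: allowlist validation first, then a bound parameter."""
    return lookup_parameterized(conn, validate_username(username))

if __name__ == "__main__":
    db = build_sample_db()
    print(lookup_safe(db, "alice"))
    # Unexpected characters never reach the database at all:
    try:
        lookup_safe(db, "alice' OR 'a'='a")
    except ValueError as exc:
        print("rejected:", exc)
```

The two layers fail independently in useful ways: the allowlist stops malformed input at the boundary and gives a clear rejection to log, while the bound parameter means that even a field whose format cannot be tightly constrained (free text, for instance) is still never executed as part of a statement.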
IDC believes the problem is either that Web applications are rarely developed with security in mind or that security is overlooked because of go-to-market pressures. Even in companies with the best of intentions, application security often suffers because developers lack strong security training, quality assurance methods may not concentrate on security functionality, and hurried development schedules can reduce the amount of testing performed. One of the weaknesses is the insufficient use of automated solutions for finding and testing security vulnerabilities in code.