Wide World of Web Applications

By Renee Oricchio

Back in 1999, General Electric's IT department publicly committed itself to a policy that still stands today: all software applications have to go through an internal code review before going live as a Web-based application.

General Electric was ahead of its time, both as an innovator in using Web applications to streamline business and in doing so with a constant eye on security.

Eight years later, most companies have followed suit, turning more to the convenience of everything from Web-based spreadsheets and databases to interfaces with employee benefits and collaborative multimedia projects.

"More than ever, companies are putting a lot of energy into Web applications ... anything that makes business more efficient and saves money is only going to grow," says Andrew Jaquith, senior analyst for the Yankee Group, who believes that the increasing popularity of Web-based solutions will be a "durable trend."

The problem is, unlike GE, organizations aren't always keeping that constant eye on security.

Not only are the cracks starting to show, but hackers are having a field day exploiting them -- as evidenced by recent headlines. Look no further than the attack on UCLA's database of alumni, students, and faculty that compromised the personal information of 800,000 people. Or a recently discovered weakness in Adobe's Acrobat Reader software that means any Web site that hosts PDF files could be used to unwittingly launch an attack.

"It used to be that most hacks were about exploring, poking holes in the software," says Jeff Williams, chairman of the Open Web Application Security Project (OWASP), a non-profit group that monitors and combats Web application security issues. "Over the past year and a half, I've seen a shift. Exploits are now more clearly designed for the intention to steal money."

Today's great online scourge: data harvesting
While money is the primary motivation, experts say data harvesting is the method of choice, whether it's to make a quick windfall in the lucrative business of selling personal information on the black market or hacking directly into customer accounts.

"It's rampant," says the Yankee Group's Jaquith.

While the methods hackers use to illegally harvest data are as vast as the number of pieces of programming code that live on the Web, most popular methods fall into three categories:

  • Snooping or eavesdropping: When hackers gain access to company data, they typically use software such as keyloggers to capture keystrokes, logins, and passwords. This compromises the security of company and customer data.
  • Unauthorized access: Unsanctioned access to data is frequently illegal. In terms of the law, it's another form of trespassing.
  • User impersonation: Hackers pretend they are authorized users to gain access. In addition to accessing company systems, hackers may also "trick" other computers within the network into providing information that can be further exploited.

What can an IT manager do to safeguard applications online?
The first line of defense is having the right line of defense. Meaning: choose staff carefully.

"The application is the easiest way in, as opposed to the network," says Paul Stamp, senior analyst, Forrester Research. "Most security people come from the network or OS discipline. Applications are very business specific. Using the same security methodologies in protecting applications as networks just doesn't work."

Williams from OWASP concurs, advising CIOs to have at least one or two key security people with a background in software development and testing.

With the right person or team in place, the next step is formulating the right set of guidelines for security checks.

"This is a good opportunity to steal some good ideas," says Jaquith, who recommends the PCI guidelines from the PCI Security Standards Council, the independent body that governs security standards for the payments industry. "They're not law and are actually designed for account data protection used primarily by banks and credit card companies, but the security guidelines are so thorough and universal, it's helpful for anyone developing Web applications. Everyone uses them."

Those guidelines include:

  • Quarterly scans: This is a good place to start, but not a silver bullet by any means. "At the application layer, scanning is effective only 20% of the time. Think of it as a double check," says Williams.
  • Annual code reviews: PCI recommends code reviews at least once a year. Other experts recommend as often as twice a year, and certainly every time the software is updated as well.
  • Application firewalls: This is in addition to the network firewall. Jaquith recommends a variety of industry leaders but adds that these products are dovetailing into the application assurance platform (AAP) market. AAPs include not only application firewalls, but database auditing and encryption, along with application traffic management features.

The last piece of advice may be the most critical: stay current. New threats arise every day and organizations need to develop new strategies to safeguard against those threats.

Renee Oricchio is a freelance writer in Norwalk, Conn. For the past 20 years, she has been writing and producing news segments about technology and business for CNN, MSNBC, Ziff-Davis, CNet and a variety of Silicon Valley-based local news outlets.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.


"In the network world, you slap a box in there and it keeps the bad things out. In the application world, it's much trickier."

-- Paul Stamp, Senior Analyst, Forrester Research
