Application Security is the Trend of the Future
By M. L. Sridhar
Bangalore, Aug 21, 2008 1812 hrs IST
The need for security began with desktop computing, when the only means of compromising data was by inserting a contaminated floppy disk into a PC. That was the anti-virus era. The need for security evolved with the Internet as more companies developed internal and external networks. That was the network security era. Now as companies leverage the power of the web, information security has evolved yet again: We are in the application security era.
Web applications can take many forms -- an informational website, an e-commerce site, an extranet, an intranet, an exchange, a search engine, a transaction engine, an e-business. All of these applications link to computer systems that contain weaknesses that can pose risks to your organization. Weaknesses exist in system architecture, system configuration, application design, implementation configuration and operations.
The risks include the possibility of incorrect calculations, damaged hardware and software, data accessed by unauthorized users, data theft or loss, misuse of systems and disrupted business operations.
As the digital enterprise embraces the benefits of e-business, the use of web-based technology continues to grow. Most organizations today use the web as a way to manage their customer relationships, enhance their supply chain operations, expand into new markets and deploy new products and services to customers and employees. However, successfully implementing the powerful benefits of web-based technologies cannot be achieved without a consistent approach to web application security.
Everyone gets hacked, from large consumer e-commerce sites and portals, such as Yahoo!, to government agencies, such as the National Aeronautics and Space Administration (NASA) and the Central Intelligence Agency (CIA). In the past, the majority of security breaches occurred at the network layer of enterprise systems. Today, however, hackers are manipulating web applications inside the enterprise firewall, enabling them to access and sabotage corporate and customer data. Given even a tiny vulnerability in a company's web application code, an experienced intruder with only a web browser and a little determination can break into most commercial websites.
The problem is much greater than industry watchdogs realize. Many businesses do not monitor online activities at the web-application level. This lack of security permits attempted attacks to go unnoticed. It puts organizations into a reactive security posture, where nothing gets fixed until after a situation occurs. Reactive security can mean sacrificing sensitive data as a catalyst for policy change.
Why aren't web environments secure?
As more organizations take advantage of the Internet, they discover that the web is not only a new market or distribution channel but also a new operating environment. In this new environment, conventional security measures are outdated and frequently ineffective.
A new level of security breach is occurring through continuously open Internet ports (port 80 for general web traffic and port 443 for encrypted traffic). Because these ports are open to all incoming Internet traffic from the outside, they are gateways through which hackers access secure files and proprietary corporate and customer data. While you may read about rogue hackers in the news, the more likely threat is in the form of online theft, terrorism and espionage.
Hackers are one step ahead of the enterprise
While organizations rush to develop security policies and implement basic security capabilities, professional hackers continue to find new ways to attack. Most hackers use 'out-of-the-box' security holes to gain escalated privileges or execute commands on a company's server. Simple misconfigurations of off-the-shelf web applications can leave gaping security vulnerabilities in an unsuspecting company's website.
It's not a question of whether your site will be attacked, but when
Attacks on web-connected servers have become more common. For example, attackers stole credit card numbers from the Western Union website, and a computer hacker broke into a Walt Disney Company computer, stealing sensitive guest information. There is also resulting brand deterioration, which Ford experienced when its website was defaced. In each of these highly publicized incidents, attackers used security holes in web-based computer applications to access and steal proprietary data and sensitive information or to make changes to a corporate system. Thus,
1) Passwords are not enough.
2) SSL and data encryption are not enough.
3) Firewalls are not enough.
4) Standard scanning programs are not enough.
5) A chain is only as strong as its weakest link.
It's in the code:
1) Manipulating a web application is simple.
2) A firewall, an intrusion detection system (IDS), cryptography and access control are not enough.
How do you protect your site?
The dynamic nature of the web is most apparent in the area of security. New software and standards for the web are constantly being introduced. Each innovation introduces a potential weakness that hackers can exploit to compromise your network's integrity. In the rush to bring new software products to market, few companies test the security of their products, yet users rely on these products to conduct business every day.
The cost of poor application security can be far greater than most organizations imagine. Not only do you risk your brand and customer data, but common denial of service attacks can prevent you from conducting business.
Even with the best conventional security systems available today, you are likely to be vulnerable to web-based application hacking.
What do you need to do?
Your developers and security professionals must be able to detect holes in both standard and proprietary applications. They can evaluate the severity of the security holes and propose prioritized solutions, protecting existing applications and implementing new software quickly. A typical process involves evaluating all applications on web-connected devices and examining each line of application logic for existing and potential security vulnerabilities.
Unfortunately, most security products cannot adequately examine the applications residing on your web servers, yet these applications often provide back-end access to confidential data. This means you need to be proactive in protecting your critical web applications.
What does 'HP Software Application Security Center' do?
HP Application Security Center software helps you safeguard your entire network with intuitive, intelligent and accurate processes that dynamically scan standard and proprietary web applications for known and unidentified application vulnerabilities. This provides a new level of protection for your critical business information. With it, you can find and correct vulnerabilities at their source before attackers can exploit them.
Whether you are an application developer, security auditor, QA professional or security consultant, HP Application Security Center provides the capabilities you need for verifying the security of your web applications.
It addresses the complexity of Web 2.0 and new web technologies, such as Ajax, and identifies vulnerabilities that traditional scanners cannot detect. It tackles today's most complex web application technologies with testing innovations including Simultaneous Crawl and Audit (SCA) and concurrent application scanning, resulting in faster and more accurate automated web application security testing.
*(The author is Marketing Manager, HP Software, India)