Applications are today's corporate treasures -- they represent an organization's intellectual property and competitive advantage. It's no surprise, then, that application security is emerging as one of the next major frontiers of security, with a variety of new techniques and tools targeting the software developer as well as the software development life cycle (SDLC).
But according to both vendors and attendees at last week's SecureWorld Expo in Boston, it's not a software problem alone -- education and security awareness throughout organizations are also key.
"The threat environment has changed -- attackers have gone pro," said Ted Julian, vice president of marketing at Application Security Inc. in New York. "There's money to be made turning data into cash, like Social Security numbers. And there's no question organized crime has gotten involved, so there's a more determined attacker. It changes the nature of what they're trying to target. Most Web servers don't have a whole lot of data, but they're connections to the back-end systems with the data."
While most organizations have taken steps to secure their networks, Julian stressed that "important data lives on the system. It's only on the network for fractions of seconds."
Chris Strand, subject matter expert for security solutions at Compuware Corp. of Canada in Richmond Hill, Ontario, agreed. "A lot of risk resides at the application layer," he said.
As a result, the push is on to build security into the entire application life cycle -- something developers have not traditionally been responsible for. "One first reaction from developers is, who cares?" said Roger Thornton, founder and chief technology officer of Fortify Software Inc. in Palo Alto, Calif. "The business risk makes us care. We're so dependent on software [to run the business]."
Thornton, Strand and Julian were all panelists in the session "New Tools and Techniques to Discover Software Security Flaws" at the conference. According to Julian, there are two vulnerability classes in software applications:
- Flaws in the software that create a security condition
Application Security offers a range of products targeted at database security and application vulnerability assessment. The company's vulnerability assessment scanner, AppDetective, locates database applications within the infrastructure and reports and fixes security holes and misconfigurations.
Compuware and Fortify both target application developers. The companies offer tools for finding, tracking and fixing code that has security flaws or vulnerabilities.
"The single most important benefit from looking at code is the code exists before the application," Thornton said. "Once you get more adept at doing code reviews, you can make fixes before you're done. Today, development teams do nothing and fail [penetration] tests."
"Inject the security process into what [the developers] do; they already do code analysis. The potential market is huge," Strand said. "We've taken the security approach and rolled it into the process, building a repeatable process, to carry security across the life cycle."
Making security part of the application life cycle is going to be critical, the panelists stressed, and the earlier in the cycle the better. Thornton recommends introducing application security to the development team at the requirements stage.
Strand recommends bringing security in at the modeling stage and assigning risks and measurables. "Insert the risk of security flaws into best practices," he said. However, it's impossible to eliminate all flaws, so a risk assessment is key. "You can't inundate developers with thousands of violations. You need to filter high-risk areas. Have measurables in best practices first, then use an automated tool to filter the high-risk areas."
SecureWorld attendee George F. Johnson, a staff software engineer at EMC Corp. in Hopkinton, Mass., said organizations should "encourage review of architectural design and do threat analysis at a high level -- what are the assets I'm protecting? We need to train developers to think like security people."
Even with automated tools to make the job easier, it's a mindset change that may not be easy, said Charlie Brooks of Charles L. Brooks Consulting in Belmont, Mass. "I don't think the lines [between developers and security professionals] will ever blur. It's like taking a Mercedes off-road -- they're not built for that," he said.
Organizations can find a balance, though, Thornton said. "Most successful companies have a security lead with the development team," he said. "I believe a security organization can have an overlay in the development organization. It's a balance. There's a certain mindset to be a good security person, and it's critical to pull the developers along."
Today, Strand said, Compuware is spending a lot of time educating developers on this topic. "I see a need to educate the community about how threat analysis and best practices can be inserted into the process. This market is starting to accept this. We're on the edge of something great."
Tools alone won't solve the problem, though. Thornton recommended getting started by "understanding the risk and threats, at least at the same time you're looking at tools. There's a lot of noise out there, a lot of network vendors that are just putting the word 'application' onto their offerings. Get the playing field figured out. Bite off a small piece, maybe with one development team that's motivated."
Summed up Application Security's Julian: "This will be the most significant wave of the security rollout so far. [Applications] are where the crown jewels are."