Like any large institution, Boston College has had its share of IT hacks and compromises. Fortunately, the school...
has not seen anything specifically through Web applications -- and it wants it to stay that way.
Recognizing that hackers increasingly are targeting Web applications, the school sought out technology that would ensure its applications could withstand an attack.
Founded in 1863 by the Jesuits, Boston College is a coeducational university with an enrollment of 9,000 undergraduates and 4,700 graduate and professional students. The school's computer policy and security organization is responsible for 29,000 registered machines. The group has 50 software developers and runs hundreds of Web-based applications.
"We had gotten the security program to a point of doing a pretty adequate job checking for general vulnerabilities, but the next big thing in the world of being hacked was to get hit in the applications," said David Escalante, director of computer policy and security at BC. "If you need the Web application for the business, you can't just shut down the main Web server."
Escalante's department had started scanning servers, looking for open ports. But the problem was, "you couldn't tell if you were vulnerable," said David Bowie, senior security analyst with the Chestnut Hill, Mass.-based college. Compounding the issue, BC has an open environment, Escalante said, and people around campus can set up Web sites, although students can't run a Web site from their rooms. The school runs Windows and RedHat Web servers, as well as enterprise Linux, AIX, and OS X servers.
The security group began looking for a tool to help find Web application vulnerabilities. "We're a small shop," Bowie said. "We don't have a lot of time. We wanted something all-encompassing that would run on its own, had good templates, and was extensible and configurable as it grew."
"The market for applications that specifically look for vulnerabilities in Web sites is not as mature or filled out [as other markets]," Escalante said. After much research, the group narrowed its choices to AppScan from Watchfire in Waltham, Mass., WebInspect from SPI Dynamics in Atlanta, and Hailstorm from Cenzic Inc. in Santa Clara, Calif. BC ultimately chose Hailstorm.
Hailstorm is an automated penetration testing tool that tests applications for security vulnerabilities, enforcement of internal security policies and regulatory compliance. It includes the SmartAttack Library of attack objects that test for cross-site scripting, buffer overflow, SQL injection, session management, cross-frame scripting, HTTP response splitting, phishing, as well as security flaws in application logic.
Hailstorm uses a technology called Stateful Assessment, which maintains the state of the application during assessment and can track a series of transactions to identify vulnerabilities. Testing is done at run time, which is the same as when hackers attack. The result is a reduction in false positives and negatives, according to the company.
It's all in the details
What sold the BC group on Hailstorm was the visibility it provides. "Hailstorm allowed us to look at the code being used to test the Web site. If we didn't like the way it was testing, we could modify the code. That was probably the deciding factor," Bowie said.
Escalante added, "With Hailstorm, the reports will actually get to level of detail that explains what the application did and what it was concerned about. From the developer's point of view, you would rather get back 'I sent this line and here's what it did' vs. 'you have a buffer overflow.' It's handy to see the test data as opposed to just the results."
The college has been using Hailstorm for about a year, and while the tool hasn't turned up any major vulnerabilities, it has found issues that were given to the developers, and it showed them things they need to deal with that normally wouldn't have been detected, Bowie said.
"This is one more tool to help them understand how they can do a better job," Bowie said. "There are good people in the development team, and they want to do the right thing. They're constrained by tools they have that generate errors; Hailstorm is showing them and they're retooling the tools."
In addition, the tool has helped find vulnerabilities in third-party work, Escalante said. "Occasionally we outsource Web sites," he said, "and that business is a security nightmare. They secure [the application], but they don't tell you how they secure it, so you don't have means of judging if they're doing an adequate job." Now Escalante's group can scan with Hailstorm and turn up issues for the third parties to address.
Although there is a lot of buzz in the industry now about making developers more responsible for security, Escalante said at present the college doesn't plan to have developers use Hailstorm themselves. "I think I have more issues with getting them to check their input/output and following certain coding guidelines. Hailstorm can check if they did that," he said.
However, Escalante added, his group is working on a program for all types of automated scanners. "We're trying to make all the scanners available for developers and system administrators and people interested in doing so. But there are other people who aren't terribly interested and are happy to have others handle the output," he said.
Mandeep Kheara, vice president of marketing at Cenzic, said Hailstorm picks up what organizations are unable to do. "It becomes a resource issue," he said. "Companies barely have enough time for security testing. Developers are just trying to get the product out, so the security group picks it up. And if you don't have the security expertise in house, we can do it for you. Products are part of the whole application security strategy."
Bowie agreed that tools like Hailstorm are no panacea. "We will always be shoveling against the tide in the security world. There will always be buffer overflows being found. There will always be developers that forget to remove the example directory that [a tool like] Hailstorm will find. There will always be test directories left around," he said.
Escalante added that the enormity of the Internet world compounds the issues. "The universe of people who do bad Web code is bigger than the universe in the past. It will get better over time, but not as fast as some other things that have gotten better."