Application security in 2007: What you need to know


Amir Peles
12.14.2006

This past year was a fascinating year for the application security industry. The hacker community continued to devise new and more sophisticated ways to compromise end-user applications, and security managers continued to struggle with strategies that might prove successful in warding off these application attacks. The ever-present zero-day attack moved aggressively to the forefront of application security concerns as hackers targeted previously unreported vulnerabilities in popular applications such as Microsoft Word, Internet Explorer and Mozilla's Firefox.

At the same time, vendors of those products scrambled to patch these vulnerabilities before the applications and, consequently, the systems that were running them, were compromised. Atop it all, Microsoft's Vista, to be released in January 2007, loomed like a shadow over the IT industry, poised to usher in a whole new host of security issues, for good or ill.

But now that security managers have successfully survived 2006, it's time to look towards 2007 and determine the key trends that will demand application security managers' attention in the coming 12 months. The coming year will see, among other things, the aforementioned introduction of MS Vista, a continuing increase in sophistication among the hacker community (and, as a result, more sophisticated attacks). And, as usual, we will see a wave of security products and services from leading vendors, all more likely than not to tout complete, impenetrable security for all application networks.


This leads us to the first trend the application security market will see in 2007: the continued consolidation of vendors providing security technologies that promise to protect against application-level attacks. As evidenced by Juniper Networks' recent partnership with Symantec (which some have speculated may lead to a merger down the line) and IBM's purchase of Internet Security Systems, technology vendors are clearly looking for a best-of-breed approach to more advanced security problems with combined efforts that look to complete the companies' respective security solutions. There is an evident consolidation that points to the need for application providers, network providers and security providers to join forces to design application networks with complete protection and application understanding in mind.

The next trend that application security managers should plan for in the coming year is probably the most critical, as well as the most obvious: the hacker community will continue to launch attacks that directly target applications, rather than the network and/or the services running them. Certainly, hackers will continue launching attacks at the network infrastructure -- this is a given -- and focusing on well-known exploits in network hardware from established vendors. But more than this, hackers will continue to construct increasingly intelligent bots that attempt to manipulate applications by behaving like a legitimate user. This year will see applications, and the services needed to sustain them, grow more and more complex. As a result, attacks against these applications will become smarter, deadlier and more difficult to detect.

The app sec manager's challenge
The challenge, then, for the application security manager is to learn these applications inside and out -- to the point where state management is second nature and any suspicious activity pertaining to the application can be identified quickly and without compromising the application. This has been, and will be, a difficult but necessary problem, as organizations often have hundreds of applications of increasing complexity all running on the network, often simultaneously. As such, tools will need to be far more sophisticated, building on this level of application understanding, and will need to detect this suspicious activity on the fly as attacks adapt to evade security controls.

There are two ways in which this can be done. The first is a deterministic approach, i.e. the manual identification of suspicious activity through close monitoring of application traffic on the network and reporting of any anomalies. The second will finally see a real emergence in 2007 as more companies realize the counterproductivity inherent in the deterministic approach, due to the high cost in man-hours and the enormous amount of time spent sifting through false positives. That is why 2007 will be the year when behavioral analysis will emerge as the weapon of choice for security managers in the fight against application attacks.

I've spoken about behavioral-based analysis in this space previously, so there's no need to rehash the technology. But while the technology was first introduced in early 2006, 2007 will be the year when it becomes the standard in intrusion prevention. This will allow network security managers to focus their sights on the application attacks that can compromise entire application networks, rather than on those that are harmless and merely take up valuable time. Thanks to the emergence of behavioral analysis, security managers will be able to quantifiably gauge the return on their investment in security technology, calculated from the time saved by no longer sifting through false positives and manually assessing the danger presented by each individual application attack.

Perhaps most important, behavioral intrusion prevention technology will allow security managers to upgrade their application networks based purely on the operational needs of their applications, rather than overloading them with redundant, bandwidth-hogging devices that don't serve the applications. This should be the goal for all security managers in 2007 -- providing end users with quick access to applications, while keeping these applications as secure as possible from malicious, business-crippling attacks.

-----------------------------------
About the author: Amir Peles is chief technical officer at Radware.
