APPLICATION SECURITY STRATEGIES

Protection against "zero-minute" exploits


Amir Peles
01.11.2007


As many of you will no doubt know, the term "zero-day attack" arose as application testers began discovering bugs and vulnerabilities in applications that needed to be patched by the application vendor (e.g. Microsoft). In the past, companies would announce these vulnerabilities in applications prior to issuing a patch -- sometimes going weeks without issuing the appropriate patch. But as hackers grew more knowledgeable and sophisticated about these vulnerabilities, it soon became apparent that this window of opportunity was far too long -- systems could be compromised within a day. Thus, the zero-day attack.

For years now, these attacks have continued, leaving application security managers with fewer than 24 hours to respond. In all, it's been a good run. But no longer. The zero-day attack has gone the way of the Dodo, only to be replaced by its stronger, quicker and more sophisticated younger brother -- the zero-minute attack.

Haven't heard of the zero-minute attack? That's because the term hasn't been coined yet. But if you've been following the application security industry over the last several years, you should be well aware of the fact that as these attacks have become faster, more sophisticated and able to target applications more directly than ever before, 24 hours has become much too long a waiting period for patching of discovered application vulnerabilities.

Even a single hour can mean the difference between a fully compromised network and complete security. So it has come to be that application vulnerabilities need to be addressed within mere minutes, rendering the term "zero-day" almost completely useless. Worms can propagate throughout the network within minutes or seconds, and botnets can assume the identity of a legitimate user in no time at all. The task, then, for application security managers, is to be able to stop these "zero-minute" attacks proactively, to respond to vulnerabilities with no lapse in time, and to provide protection for their business-critical applications as securely as possible, with no opportunity for the hacker to compromise the system and, eventually, the network.

How can this be done? Ultimately, the job of the application security manager can be accomplished in three simple ways: approach vulnerabilities from both the event perspective and the sequential perspective; approach vulnerabilities from both the client side and the service side; and approach vulnerabilities from both the network level and the application level.

Let's look at the first approach – viewing vulnerabilities from both the event perspective and the sequential perspective. Usually, the approach in monitoring network traffic has been to identify unusual events in the network traffic -- e.g. malicious content being sent from a user's PC -- that may be caused by a botnet or other attack. But in doing this, application security managers can unknowingly ignore other attacks that focus on the sequence of events on the network rather than the event itself. Often, hackers will send attacks that take the form of legitimate network activity, but in an irregular sequence that reveals itself to be malicious traffic. Only in stepping back and taking a bigger-picture view of the network traffic behavior can app security managers respond to the "zero-minute" attack within seconds of the attack's launch.
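As an added illustration of the event-versus-sequence distinction (example code written for this page, not the author's or Radware's; the purchase-flow ordering, the sample log and the burst thresholds are assumptions):

```python
from collections import defaultdict

# Constructed sample log: (timestamp_seconds, client, event). Every event is a
# normal application action; none of them would trip a per-event signature.
SAMPLE_LOG = [
    (0, "10.0.0.5", "login_ok"),
    (3, "10.0.0.5", "view_item"),
    (9, "10.0.0.5", "add_to_cart"),
    (15, "10.0.0.5", "checkout"),
    (0, "10.0.0.9", "login_ok"),
    (1, "10.0.0.9", "checkout"),   # skips the view/add steps a real user takes
    (2, "10.0.0.9", "checkout"),
    (3, "10.0.0.9", "checkout"),
]

# Events that are malicious in isolation (assumed list for the event view).
EVENT_BLOCKLIST = {"sql_error", "shell_upload"}

# Assumed legitimate order of the application's purchase flow.
REQUIRED_PREDECESSOR = {"checkout": "add_to_cart", "add_to_cart": "view_item"}


def event_alerts(log):
    """Event perspective: flag only events that are bad on their own."""
    return [(client, ev) for _, client, ev in log if ev in EVENT_BLOCKLIST]


def sequence_alerts(log, burst_window=5, burst_count=3):
    """Sequence perspective: order each client's events and flag
    (a) a flow step reached without its required predecessor and
    (b) a burst of the same action inside burst_window seconds."""
    per_client = defaultdict(list)
    for ts, client, ev in log:
        per_client[client].append((ts, ev))
    alerts = []
    for client, events in per_client.items():
        events.sort()                      # sequence view needs time order
        seen, times = set(), defaultdict(list)
        for ts, ev in events:
            need = REQUIRED_PREDECESSOR.get(ev)
            if need and need not in seen:
                alerts.append((client, f"{ev} without prior {need}"))
            seen.add(ev)
            times[ev].append(ts)
            recent = [t for t in times[ev] if ts - t <= burst_window]
            if len(recent) >= burst_count:
                alerts.append((client, f"{len(recent)}x {ev} in {burst_window}s"))
    return alerts
```

The per-event check returns nothing for this log, while the sequence check flags only the second client, whose individually legitimate actions arrive in an order and at a rate no real user produces.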

And yet in doing so, managers should not be so broad-minded as to lose focus on the more specific aspects of their network -- namely, client-side protection. Often, the tendency for managers is to focus only on the services that are running end-user applications, without looking for attacks that are directly affecting and originating from end-user PCs. Knowing this, it's more critical than ever that managers take into account that attacks can be identified on the service level as well as the client level.

But as is always the case for app security managers, the final way to ensure complete, up-to-the-minute application security is to examine vulnerabilities and anomalies from both the application level as well as the network level. The bigger-picture approach is, as stated previously, critical in responding to "zero-minute" attacks. Today's more advanced bots have an incredible ability to simulate legitimate users on a network level, often making them difficult to identify from this level. As such, one cannot stress enough the importance of examining all applications being used on the network, from the more mundane apps such as e-mail and messaging, to those that are used less frequently. Examining security at the application level is yet another way to ensure that attacks are stopped the minute they are launched, allowing for full and complete security of the application network.

And therein lies the challenge for application security managers as we head into 2007. Identifying and responding to attacks within 24 hours just isn't good enough any more. But by looking at app security from both the event perspective and the sequential perspective, the client side and the service side, and the network level and the application level, managers will be armed with the knowledge they need to ensure that mission-critical applications can traverse the network free and clear of any unwanted activity.

-----------------------------------
About the author: Amir Peles is chief technical officer at Radware.
