In my work as a security engineer, I’m often asked which is more important: network security or application security. My answer is they’re both critical. In a previous tip, I describe network security and the key areas that must be secured. In this second tip, I follow up by demonstrating why application security is also a critical component in your overall security. You’ll learn the basics of application security such as encryption and attacks such as cross-site scripting so that you’ll be better able to keep your applications available and secure.
The goals of application security
Network security is considered the traditional element of modern information security, because most security breaches started out at the network layer. To illustrate networking and application security, consider a private home with high-value targets. In my network security tip, I discussed how the physical security surrounding the house is similar to network security protecting the access to a Web application. All of the security within the house is equivalent to Web application security. The homeowner hopes no criminal makes it past the security on the grounds, but in case they do, the home itself is also well secured.
The goals of application security are to protect the:
- Confidentiality of data within the application
- Availability of the application
- Integrity of data within the application
Securing the confidentiality of data in an application is paramount in our world today. Hacking has developed from a pastime with bragging rights to a serious, high-money business with innocent users as the victims. Governments all over the world have enacted regulation regarding the security of personal information (often referred to as privacy), with significant civil and criminal penalties behind the regulation. No software provider can afford to ignore the importance of protecting data. Data confidentiality is protected when 1) data cannot be read “off the wire” during transit, and 2) data cannot be stolen while at rest.
Encryption in transit and at rest
A key tool in securing data confidentiality is encryption. We’re all familiar with SSL/TLS encryption algorithms, which protect our shopping experience at amazon.com, for instance. Many are also familiar with AES and 3DES encryption for data at rest. These technologies are applied to ensure a malicious user can’t eavesdrop or snoop around and pick up data. Think of it as a locked briefcase -- safe while in transit, safe while at rest.
Script injection and cross-site scripting
Where many companies are caught asleep however is securing access to data from within the application. By definition and by design, and application must be able to decrypt data while in transit or at rest. A malicious user seeks to capture that data via the application, by manipulating an application in such a way as to gain access to data he or she otherwise shouldn’t access. The most common attacks today take the form of cross-site scripting or script injection, where the hacker instructs the software application (whether running on the server or on the client browser) to disclose data to a destination specified by the hacker. No amount of network security or encryption can prevent this from happening -- the solution is to build robust, secure Web applications.
The majority of application security press today focuses on data confidentiality, but application availability is also important. Consider, for example, a hydro-electric power generating station at a dam. Imagine what might happen if the dam’s control application were to suddenly be “unavailable.” At best, power could be interrupted. At worst, the dam could release torrents of water and threaten downstream inhabitants. Availability is defined as an application in a ready state, able to process inbound and outbound transactions. Availability is where the security professional bridges into good engineering principles. Is the application robust enough to handle unexpected data such as large numbers or text when integers are expected? Can the application handle rapid, continuous interrupted requests without going down? Does the application scale when valid input increases in frequency? By interrupting application availability, a hacker can achieve numerous goals such as denying users the application’s functionality or denying the company revenues generated by the application. The security professional must work closely with application developers and testers to ensure it’s been properly designed and built.
An avid motorcyclist who ordered a high-performance exhaust system and ended up with a pink leather seat could understand through sad experience the value of data integrity. This is defined as preserving the data within the system such that the outcome is what’s expected. If I order item #MVS014298, that’s the item I expect to receive. If I earn $49,500 in a year, my company expects to pay me $4125 per month. A hacker aims to disrupt business operations by changing the value of data within a system -- sometimes to disrupt the company and tarnish its reputation, and sometimes to skim money from the company in a series of small transactions. For instance, a hacker may be able to modify another user’s order in the database, thereby delivering a pink leather seat rather than a high-performance exhaust system. A malicious user might hack an HR database and modify their annual salary to include a few hundred extra dollars -- for instance, modifying a $4125 monthly salary to $4521. By ensuring data is secure and cannot be affected by outside influences during processing, the security professional helps the company lower the risk of data integrity attacks.
With the formation of the OWASP project (Open Web Application Security Project), Web application security has become more easily understood. Security engineers are able to develop the skills they need to protect the confidentiality, integrity and availability of systems. As threats grow more complex, security professionals are keeping up. We’re changing (and in some cases formalizing) our proactive security validation efforts and creating more secure systems. As demonstrated in my other tip on network security, application security in and of itself is not enough to protect a system. Together the two disciplines can reduce risk and increase confident in a company’s ability to deliver services online, in spite of a threat-filled environment.