
Monday, February 20, 2012

A Strategic Approach to Vulnerabilities at the Application Layer

Most organizations spend large amounts of time and money protecting their networks and infrastructure from attacks and threats. But no matter how good a defense may be, it usually falls short in addressing security vulnerabilities inside the network at the application layer.

A number of research findings indicate that organizations' applications are one of the highest-risk areas and where the most damage can be done. As an example, look at the amount of confidential and personal information that is stolen each year.

In sharp contrast with ISO/IEC 9126 (the software quality standard), all current software development methodologies (agile, waterfall, MSF, and others) hardly mention the word security. In fact, the use of these methodologies has not resulted in a measurable reduction of security-related defects, as is evident from CERT's tracking of security attacks, which continues to grow.

With few exceptions, most companies' applications can be targeted, from the outside and from within, with a multitude of attack methodologies, including SQL injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities, which can be used to perpetrate various scams, potentially compromising vast amounts of sensitive and personal information.

Companies need to embark on a "Security Development Lifecycle" (SDL) for all custom application development. One of the needs to support this type of methodology and fulfill this security process is an application security management solution that can test, correlate and manage application security vulnerabilities. It has three components.

The first component is a static scanner, used alongside application development, that scans source code and alerts development management and developers to security problems within that code as it is being developed.

The second component is a dynamic scanner that scans newly developed applications in a staging environment, as well as applications currently in production, to detect security vulnerabilities so they can be quickly addressed by Application Development or, in the case of COTS applications, by the vendor.

The third component is an application vulnerability correlation and management application. It correlates the information gathered by the static and dynamic application scanners and by network scanners, eliminates false positives and duplicates, and escalates each issue to the responsible team based on the vulnerability found (application development or sys admin).
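The correlation step of the third component, as an added example that is not part of the original post and not any vendor's product: it takes findings from a static scanner, a dynamic scanner and a network scanner (all constructed sample data), merges reports of the same vulnerability class in the same application, drops exact duplicates and reviewer-confirmed false positives, and routes what remains to the owning team. The tool names (`sast`, `dast`, `netscan`), the field names, the suppression list and the ownership rules are all assumptions for illustration.

```python
"""Minimal vulnerability correlation and escalation (added example).

Assumptions: every scanner feed has already been normalized to the same
record shape (tool, type, app, location, severity); a reviewer-maintained
suppression list marks confirmed false positives; application-level
vulnerability classes belong to application development and everything
else to the sysadmin team.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample findings. Note the repeated XSS report from the static
# scanner and the SQL injection reported by both static and dynamic scans.
STATIC_FINDINGS = [
    {"tool": "sast", "type": "SQL Injection", "app": "billing",
     "location": "src/orders.py:88", "severity": "high"},
    {"tool": "sast", "type": "XSS", "app": "billing",
     "location": "src/views.py:41", "severity": "medium"},
    {"tool": "sast", "type": "XSS", "app": "billing",
     "location": "src/views.py:41", "severity": "medium"},
]
DYNAMIC_FINDINGS = [
    {"tool": "dast", "type": "SQL Injection", "app": "billing",
     "location": "/api/orders?id=", "severity": "high"},
    {"tool": "dast", "type": "CSRF", "app": "billing",
     "location": "/account/email", "severity": "medium"},
]
NETWORK_FINDINGS = [
    {"tool": "netscan", "type": "Outdated TLS", "app": "billing",
     "location": "billing.example.internal:443", "severity": "medium"},
]

# Findings a reviewer has already confirmed as false positives (assumed).
SUPPRESSIONS = {("billing", "CSRF", "/account/email")}

# Vulnerability classes owned by application development (assumed rule).
APPDEV_TYPES = {"SQL Injection", "XSS", "CSRF"}


@dataclass
class Issue:
    app: str
    vuln_type: str
    severity: str
    sources: set = field(default_factory=set)
    locations: list = field(default_factory=list)

    @property
    def confidence(self) -> str:
        # A class confirmed by both static and dynamic scanning is the
        # strongest signal; a single source is treated as weaker.
        return "high" if {"sast", "dast"} <= self.sources else "medium"

    @property
    def owner(self) -> str:
        return "appdev" if self.vuln_type in APPDEV_TYPES else "sysadmin"


def correlate(*feeds):
    """Merge findings from any number of scanner feeds into one issue
    per (application, vulnerability class), keeping the highest severity
    and every distinct location, and discarding suppressed findings."""
    issues = {}
    for feed in feeds:
        for f in feed:
            if (f["app"], f["type"], f["location"]) in SUPPRESSIONS:
                continue
            key = (f["app"], f["type"])
            issue = issues.setdefault(
                key, Issue(f["app"], f["type"], f["severity"]))
            issue.sources.add(f["tool"])
            if f["location"] not in issue.locations:  # exact duplicate
                issue.locations.append(f["location"])
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[issue.severity]:
                issue.severity = f["severity"]
    return sorted(issues.values(),
                  key=lambda i: (-SEVERITY_RANK[i.severity], i.vuln_type))


def escalation_queue(issues):
    """Group correlated issues by the team responsible for fixing them."""
    queue = {"appdev": [], "sysadmin": []}
    for issue in issues:
        queue[issue.owner].append(issue)
    return queue


if __name__ == "__main__":
    for team, items in escalation_queue(
            correlate(STATIC_FINDINGS, DYNAMIC_FINDINGS, NETWORK_FINDINGS)
    ).items():
        for i in items:
            print(f"{team:8} {i.severity:6} {i.confidence:6} "
                  f"{i.vuln_type} in {i.app}: {', '.join(i.locations)}")
```

Keying the merge on (application, vulnerability class) rather than on location is what lets a source-level finding and a URL-level finding for the same flaw land in one issue with two sources; the price is that two genuinely separate SQL injection flaws in one application share a ticket until the developer splits it, which is usually preferable to the development team receiving three tickets for one bug.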

A full and thoughtful approach is necessary to ensure protection of companies' most important asset: their information.
