Ground up

As the volume of web-facing applications continues to swell, many companies are starting to ask questions of the security procedures currently in place. Adrian Bridgwater examines the approaches available to regional enterprises.
By Adrian Bridgwater
Tue 06 May 2008 04:00 AM

Back in the 1960s defending applications wasn't much of a concern, but then neither was widespread usage of computing. It wasn't until the 1970s that the first hint of malicious technology reared its head in the shape of the ‘Creeper' virus on what is regarded as the forerunner of the internet, a system known as ARPANET.

Fast-forward to the 80s and 90s and we all know the story. Anti-virus manufacturers played a constant catch-up game with hobbyist so-called ‘script kiddies' doing it for fun - and with more professional, organised operations that would eventually evolve into the credit card scams and ‘phishing' that we are all familiar with today.

A new world of worry

In 2008, it's not just the security of our data and the ‘robustness' of our applications in the face of viral attacks that is a concern. The functionality of web-facing applications means that there is a multiplicity of new channels open to potential crooks and wrongdoers.

Couple this with the fact that many of the applications themselves now reside on the internet itself as ‘rich' web applications and it becomes evident that a significant security refresh may be called for.

Software code reviews and web application firewalls (WAF) have, until now, been widely regarded as relatively thorough security provisioning for web-facing enterprise applications.

But the internet now plays a more fundamental role, embedded in the very fabric of modern businesses - in the Middle East as elsewhere.

As such, the way companies expose corporate data on the internet should be treated with as much care as the way they password protect the employee payroll register. Right now, the door to the corporate data bank is wide open, until somebody shuts it.

"Enterprises deploying web applications cannot rely on code being secure. This is down to a mix of reasons, but primarily it's probably a general lack of knowledge of comprehensive, application-level attack techniques paired with the reality that secure coding is complex, time-consuming and hence expensive," says Nigel Ashworth, technical director for the Middle East and Africa at F5 Networks.

"Developers concentrate on the first priority - the application must be able to perform the task it was designed to do. This boils down to one thing - the enterprise is vulnerable.

Re-engineering is one option but that can add several months or a year onto a planned roll-out schedule as well as the additional cost involved in the process," Ashworth adds.

Companies like F5 are fond of extolling the virtues of the web application firewall to address these difficulties and achieve things like PCI (payment card industry) compliance.

Requirement 6.6 of the PCI Data Security Standard requires that all web-facing applications be protected against known attacks, either by having custom application code reviewed by an organisation that specialises in application security, or by installing an application-layer firewall in front of the web-facing applications.

"The PCI requirements have already had an impact on security awareness in the Middle East and will continue to do so in the future. I do not see an environment that is free of vulnerabilities as we are facing very complex systems here that are always prone to contain flaws.

We will see an increase in Arabian enterprises deploying both web application firewalls and traditional network firewalls.

But for code reviews, I am more pessimistic as this is a difficult and expensive task for existing and complex applications, so I believe that many organisations will try to defer taking quick action here," said Klaus Gheri, CTO and co-founder of Phion.

People and process problems

"Being aware of the ‘people and process' elements of security means just as much as any investment in technology. Having the right application and security technology in place will not prevent an attack being successful.

Hackers will always try to target the point of least resistance, so without proper training this can often be the company's employees," says Steve Kirrage, senior vice president, Postilion Middle East.

US-headquartered software company Postilion recently opened an office in Dubai Internet City and has been working with companies across the Middle East to address web-driven security concerns. "It is important that chief technology officers within Arab businesses enforce strict policies for password management, role-based access control, secure audit logging and authentication for applications.

Security is only as good as the weakest link and Middle Eastern businesses today must ensure all relevant third party organisations and support operations are included within their security plans," adds Kirrage.

In practice, companies everywhere including the Middle East often make the mistake of deploying the wrong security products for the job in hand. They rely on vendor promises that give the perception of a solid security solution, which in fact may not be web-aware enough.

Since it is very difficult to tune an application firewall to secure 100% of an application's processes, companies end up only looking for known vulnerabilities and not validating the requests that are specific to their own web applications.

Another common mistake is having security measures that protect the front-end only (the web application) without having enough back-end security to protect the databases where the really valuable information is stored.

According to Fortinet, a company that has been active in the Middle East for some time now, the most common mistake enterprises make is related to configuration.

More often than not, enterprises tend to use default settings during deployment rather than spending time configuring the devices/solutions to their specific network environments. This is mostly because products are becoming more complex and need technical support and know-how to deploy.

"Software code reviews can help to a certain degree, but cannot be expected to solve the problem like some kind of technology cure-all. As software code becomes more and more complex it will always have bugs even after a very thorough review.

Application firewalls can usually stop known threats and vulnerabilities.

Unfortunately hackers always find new ones and there is always a window of vulnerability until the application firewall is updated to detect new threats," according to Shimon Gruper, vice president of eSafe technologies for Aladdin Knowledge Systems Middle East.

Worse with web 2.0

The situation for web application security has the potential to become even more problematic as the scope of the internet widens to incorporate web 2.0 applications that draw data from disparate sources to form one new ‘service' delivered via a single website or portal.

Sites such as the iGoogle personalised home page service bring in ‘widgets' from a variety of sources to form one composite page alongside a user's Googlemail inbox.

Although this is not typically an enterprise level e-mail solution, the company's Googlemaps service is often used to show office locations or allow employees to research business trips. So its presence inside the corporate firewall is not uncommon.

"As web 2.0 applications and services become increasingly popular right across the Middle East, organisations need to identify potential security gaps and move quickly to offer the right guidelines, solutions and best practices.

Employees will continue to seek out access to these consumer applications so businesses need to be able to provide secure access to the more useful tools," says David Lavenda, vice president of marketing and product strategy, for web 2.0 security specialist WorkLight.

Recent comments on the state of web application security have appeared in reports by data security company Protegrity. The company sees the region as typical of other nations with rapidly developing economies and says that the Arab world has its own share of both hackers and sitting targets.

Attackers like web applications because these applications have built-in exposed mechanisms. The attacker thinks, ‘why compromise an entire system when you can manipulate the application into releasing the data that you're looking for?'

Most protection is at the network, not application layer, so the chances of getting caught are much lower.

Application attacks are much harder to catch and prevent at the network layer, because the network components don't understand the application, its logic, or which resources should be accessed and by which user roles.
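The gap Protegrity describes, and the signature-only tuning problem raised earlier, shown as an added example that is not from the article or any vendor quoted in it: a generic "known attack" signature filter beside an application-aware validator, run over constructed requests to a hypothetical account-statement page whose parameter shapes and account ownership are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical application endpoint (constructed for this example):
#   /account/statement?account_id=<8 digits>&period=<YYYY-MM>
# The positive model lists every parameter the page may carry and its shape.
EXPECTED_PARAMS = {
    "account_id": re.compile(r"[0-9]{8}"),
    "period": re.compile(r"20[0-9]{2}-(0[1-9]|1[0-2])"),
}
# A tiny stand-in for a generic "known attacks" signature list (constructed).
KNOWN_BAD = [re.compile(p, re.I) for p in (r"<script", r"union\s+select", r"\.\./")]

@dataclass(frozen=True)
class Session:
    user: str
    role: str
    accounts: frozenset  # account ids this session is authorised to read

def signature_check(params: dict) -> bool:
    """Generic layer: reject a request only if a value matches a known signature."""
    return not any(sig.search(v) for v in params.values() for sig in KNOWN_BAD)

def app_aware_check(params: dict, session: Session) -> tuple:
    """Application layer: each parameter must be expected and well formed, and
    the account referenced must belong to the caller's session (a role/logic
    check that no signature can express)."""
    for name, value in params.items():
        pattern = EXPECTED_PARAMS.get(name)
        if pattern is None:
            return False, "unexpected parameter " + name
        if not pattern.fullmatch(value):
            return False, "malformed " + name
    if params.get("account_id") not in session.accounts:
        return False, "account not owned by session"
    return True, "ok"

def evaluate(params: dict, session: Session) -> tuple:
    """Return (signature verdict, application verdict) for one request."""
    return signature_check(params), app_aware_check(params, session)

if __name__ == "__main__":
    alice = Session("alice", "customer", frozenset({"10000001"}))
    # Constructed requests: legitimate; clean syntax but another customer's
    # account; an unexpected parameter; a textbook signature hit.
    for p in ({"account_id": "10000001", "period": "2008-04"},
              {"account_id": "10000002", "period": "2008-04"},
              {"account_id": "10000001", "period": "2008-04", "debug": "1"},
              {"account_id": "10000001", "period": "<script>"}):
        print(p, evaluate(p, alice))
```

The second and third requests pass the signature layer untouched and are stopped only by the application-aware check, which is the point Protegrity makes about network components not knowing which user may reach which resource.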

According to Protegrity, it is therefore incumbent on regional organisations to understand the attackable surface area represented by web applications, particularly those that store and process confidential personal or payment card data.

"There are a lot of companies throughout the Middle East who are actively concerned with the security of their web applications. They know as we do that these applications provide the greatest security risk to their business," says Mike Yaffe, director of marketing at Core Security Technologies.

Is it getting better?

As Middle East-based enterprises start to recognise web application security-related concerns to a greater degree, there are signs that the tide is turning and corporate action is being taken to address the problems.

"We have noticed that CIOs and network managers, especially in high-end enterprises like banks that run critical web-facing applications, are no longer satisfied with just deploying a solution and sitting back.

They know they need to continue to monitor their security needs on an ongoing basis," said Kalle Bjorn, technical manager for Fortinet.

This generally upbeat view is echoed by Guru Prasad, GM for networking at FVC. "It's important for companies here to conduct regular vulnerability analysis and testing to make end-users aware of the risks of putting their applications on the web without layer-7 firewalls.

Eventually all the organisations dealing in the credit card industry will have to comply with the PCI DSS regulations and will have to deploy technologies like web application firewalls and controllers to achieve compliance.

The banking and financial industry in the Middle East is quickly moving in this direction."

DNA re-engineering

It seems that a foundation-level re-engineering will be needed if web-facing applications of all varieties are to exist without their inherent instability raising concerns over access to the corporate datacentre.

Rob Rachwald, product development director for Fortify Software summed this point up, "Code reviews and WAFs are effective technologies, but the real factor behind successful security strategies is an executive drive for application security.

If executive pressure changes corporate DNA enough to build security into every process, then static analysis and WAFs will have a stronger chance of success towards a goal of business software assurance," he said.

We know that DNA re-engineering is hugely complex in any environment - be it in humans or computer networks - but recognising that this is the measure of the change that may be needed is the first step.

Next, we need to find affirmation of this need - and it appears from what we have looked at here that the industry is behind these concepts, within the IT function of the business at least.

To complete the circle, we need management buy-in at the boardroom level. Of course, how quickly that will happen is another discussion altogether.

Top tips for application security

Start on day zero: Make security provisioning part of your initial system planning procedures during the ‘requirements gathering' process. That way, secure elements are ‘baked in' before you even start to roll out your system.

Check the basics: Buy into anti-virus protection and web application firewalls at the very least to form your foundation level security.

Go with the flow: Stay flexible and be prepared for new types of threats and new types of attacks at all times.

Think outside the box: Spend some money on analyst reports, white papers and do your own research into security trends. A lot of new and emerging threats are often discussed on industry discussion boards, technical blogs and ‘techie' social networking sites such as Twitter.

Think inside the box: Remember, disgruntled employees inside the organisation who have easy access to passwords and the corporate datacentre may harbour some of your greatest threats.

Don't believe the hype: While advocates of rich internet applications and web 2.0 technologies may be some of the biggest names in the industry, just because Adobe and Microsoft say it's safe, does not mean it is; this is a new and unproven area.

The bottle is half empty: Stay sceptical, trust nobody, suspect everybody, check everything and then check it again.

Remember Andy Grove: Long-time chief executive at Intel Andy Grove managed to steer the company around what he called ‘strategic inflexion points' in the industry and described the process in his book. It's worth remembering the title - Only The Paranoid Survive.
