Font Size

- Aa +

Sun 1 Apr 2007 12:21 PM

Font Size

- Aa +

Layer lockdown

Application security is a serious business - and a significant task for enterprises. In the second appsec feature, NME looks at some of the critical aspects around ensuring the whole application layer is secure.

The application layer - not the traditional abode of many network professionals. Database administrators and other software specialists are the normal inhabitants of this realm within the IT infrastructure - but at what potential cost?

Last month

focused on the issues around patching individual applications (or not, as the case may be), as well as preventing any intruders getting past the network security systems.

But this is only half the problem - beyond making sure any individual apps are as up-to-date as possible, and screened behind access control systems and firewalls on the network, comes the management of the application layer overall.

Many large organisations put all their weight behind creating a robust and secure network, but fail to address even the most basic elements of application security, according to Abdul Karim Riyaz, regional director for storage and protection for CA's EMEA eastern markets.

"Some of the common mistakes we see are deploying applications and underlying databases with the default passwords in place - I know it's probably one of the easiest and simplest things to look at, but we've seen even large corporations running their systems on default passwords," says Riyaz. "As a hacker, all I'd need to do is get into the network, then with the default user name and password I'm inside the system."

Riyaz's answer to how to tackle this problem is fairly straight-forward: "It comes back to asking the question - have organisations done a complete security audit? It's not an exercise where they need to reinvent the wheel - there are standard procedures for each application and operating system, to look at the baseline security for each platform.

"All organisations have to do is compare the security they've deployed on each application, each operating system, each server, each layer - compare it to the baseline and ensure that at least they have achieved the baseline," he explains.

One of the key questions is where should responsibility lie on this issue - with application vendors who make it easy to leave default passwords and the like, or with the organisations which deploy the applications? Riyaz believes that although both parties are responsible, ultimately the onus comes down to the end user organisation - it needs to take responsibility for its own apps.

This issue is further complicated for enterprises which have older application foundations, with specific apps that may not be able to cope with some of the more recent security requirements. At the most extreme end, it may come down to a choice of dumping the software, or leaving a potential security hole in the application layer.

Elsewhere in the world, especially the US, these decisions are to a large extent being taken out of companies' hands - compliance legislation such as the Sarbanes-Oxley Act (Sox) mandate rigorous auditing processes of internal controls and reporting mechanisms. Suddenly insecure applications may be criminal, not just problematic.

As yet, such stringent compliance legislation has not affected the majority of the Middle East, with the exception of divisions of global companies operating here. But there are moves towards corporate compliance, with bodies such as Hawkamah in the UAE pushing this agenda.

And moves in the US and Europe to make firms more accountable may mean that Middle Eastern companies wanting to do business with organisations elsewhere in the world may have to prove some form of corporate compliance.

Happily, while US and European companies may be press-ganged into tightening up their infrastructures, this new focus on application security means there are more options than ever before for organisations which choose to tackle application security issues. Not least among these will be the app vendors themselves, but a large number of third-party tools and solutions have sprung up.

One of these is the proliferation of code review systems, designed to go through application source code and help pinpoint possible security risks. One of the key areas in a code review will look at access - not only access to individuals, but also to other applications within the enterprise.

"Organisations must implement a strong technique for identifying users, map identified users to data, and ensure users can only touch the data they should be allowed to access," explains Ryan Berg, co-founder and chief scientist at security firm Ounce Labs, in a recent white paper. "The related vulnerability, then, is when an application grants greater than necessary rights, to either a user or an application. For any application handling sensitive data, ensure the principle of least privilege reigns: grant only the minimum level of access needed for a user or application to function."

A key focus for much of the work around application security is being done, unsurprisingly, on web applications. Often extensions of core enterprise apps, web-based systems offer an unprecedented opportunity for hackers to ply their trade with the minimum of difficulty - a likely factor behind the reluctance of many Middle Eastern banks to offer internet banking services.

"Although controls such as network firewalls are essential, they're wholly insufficient for providing overall Web application security. They provide security for underlying hosts and a means of communication, but do little to aid the application in resisting attack against its software implementation or design," comment Elizabeth A. Nichols of ClearPoint Metrics, and Gunnar Peterson of the Arctec Group, in the March issue of the IEEE Security & Privacy Journal.

"Enterprises must therefore focus on the security of the Web application itself. But in doing so, questions immediately arise: ‘What could go wrong with my software? How vulnerable are my existing applications to the most common problems? What changes to my software development life cycle might affect these vulnerabilities?'" they continue.

For organisations which may never have had to face these issues before, approaching this problem in a rigorous fashion is likely to present significant challenges. Nichols and Peterson detail a number of key metrics which are important to consider, part of the Open Web Application Security Project (OWASP), which is designed to help developers and enterprises ensure their web applications are secure.

For organisations which store sensitive data, especially customer data - in other words, the vast majority of organisations - ensuring application security is not just a matter of protecting internal data. Many of the recent data scandals in the US have seen hundreds of thousands of names, along with personal details, make their way into the public domain. This is more than just a PR disaster - the potential for identity theft is enormous, and the organisation which allowed the data to go astray could be liable for serious amounts in damages.

The Middle East is not yet at the forefront of the application security battleground - regional organisations have a breathing space. Smart enterprises will be able to use this to ensure that, as and when the threat becomes reality, their application layers are very firmly locked down.

For all the latest tech news from the UAE and Gulf countries, follow us on Twitter and Linkedin, like us on Facebook and subscribe to our YouTube page, which is updated daily.