Discover Performance, HP Software's community for IT leaders // July 2012
Six steps against application attacks
Vulnerabilities at the application layer—not the network perimeter—have become the most popular exploit vector for hackers. Find out how to keep your risk low.
Application exploits are on the rise. The National Institute of Standards and Technology estimates that 92 percent of security breaches are facilitated by unsecured applications.
The U.S. Air Force reports that application hacks have increased from 2 percent to 33 percent of the total number of attempts to break into its systems.
With more hackers targeting applications directly—finding clever ways to launch "insider" attacks—enterprises will never get ahead of the game by addressing security solely as an operational issue. You can secure the network perimeter all you want, but if applications aren't locked down tight, hackers will find a way to get to your sensitive data.
Getting to the root of the problem
While all organizations understand the need to create secure software, the methods they use to identify security vulnerabilities can be haphazard. Popular tactics, such as penetration tests, are not getting the job done.
- Penetration tests only find problems; they can't fix them. Nor can they provide any assurance that all potential problems have been identified.
- Web application firewalls, which are used to block anomalies in traffic patterns, can be disruptive when the irregular patterns they block turn out to be valid traffic.
To secure your company's data, your approach must include an examination of each application's inner workings, as well as the ability to find the exact lines of code that create security vulnerabilities. It then needs to correct those vulnerabilities at the code level. Finally, there must be a comprehensive prevention strategy that fends off future attacks and mitigates current ones.
Such a comprehensive strategy for tackling application risk has the following six steps:
1. Find and assess potential vulnerabilities.
Deploy an asset management system to inventory every application, including versions, upgrades, patches and current configurations. Then examine end-to-end application data flow, identifying the points of interaction with other applications, hardware or data. These are the most likely targets in an attack.
Rank the vulnerabilities on the resulting—and potentially very long—list. Tackle the most serious weakness first, of course.
2. Foster an awareness of risk and the need for remediation.
Key stakeholders must understand the specific areas where insecure applications threaten the business and the potential consequences of failing to mitigate them. Once this is done, CISOs can begin to educate developers on how to avoid critical security mistakes in the first place.
3. Create and deploy application security features.
Develop clearly defined requirements to secure each application as well as the application environment as a whole. Make sure that every application—purchased, in-house, outsourced, open source—has features to prevent, detect and correct breaches.
When patching or writing new code, use regression tests to ensure that the new software addresses the root cause as well as the vulnerability.
4. Develop continuous methods to find and assess vulnerabilities.
Use vendor alerts and public vulnerability databases to track emerging application security issues and assess vulnerabilities on an ongoing basis. Scan all new source code for known problems, and scan existing code for newly identified vulnerabilities with each deployment. Keep track of past software vulnerabilities and ensure that the mistakes are not repeated.
In addition, provide developers with reliable procedures to scan code for security bugs before compiling, before deployment and in production.
5. Secure applications throughout the development lifecycle.
A security development lifecycle (SDL) prescribes specific security activities at each stage of the development process, and tracks and enforces compliance with them.
It's a good idea to incorporate multiple vulnerability detection methods at well-defined control points. An application security testing solution that encompasses both static and dynamic analysis can detect the broadest range of security holes.
Finally, deploy "toll gates"—repeatable, mandatory procedures for finding bugs—to block software from going into production before it has been thoroughly tested.
6. Make application security an integral part of your operations.
You'll need an effective application security strategy that addresses both immediate and systemic risk. Software Security Assurance (SSA) is the operational solution to the problem of software risk, covering all the people, processes and technologies that can affect the quality of software security.
If an internal SSA initiative is beyond your reach, the alternative is to partner with a vendor with deep expertise in both security and development. It can provide a solution to scan for security holes in existing applications, offer strategies to repair them and ensure that code under development is secure at every stage, regardless of the type of application.
To read more about improving the security of your applications, visit the HP Fortify Software Security Center.