Appsec 101
Executive Summary
THE INCREASING PROBLEM OF WEB APPLICATION SECURITY VULNERABILITIES

Regulation: There is an increasing tide of regulation regarding the protection of confidential data. Sarbanes-Oxley mandates internal controls over financial reporting, including the systems that process it. Gramm-Leach-Bliley mandates safeguards for consumer financial information. California SB 1386 requires notification of affected residents when personal data is lost or stolen; failure to notify exposes a company to civil action. More than 20 states are considering similar legislation. The FDIC has ruled that banks must inform customers of data loss.

Fines: Visa and MasterCard are imposing significant fines on companies that lose customer data.

Reputation: Large corporations spend tens of millions of dollars to enhance the value of their brands. The public fascination with news stories about identity theft has resulted in an avalanche of damaging stories every time there is an incident. A Google search for "Ralph Lauren" "Identity Theft", for example, yields 12,500 results.

Attackers are becoming increasingly aware of the opportunities to steal customer data. According to Robert Richardson, CSI's editorial director, "The crooks are shifting their focus [to stealing the personal information of individuals], that's where the money is." The Computer Crime and Security Survey, conducted by the Computer Security Institute and the FBI, found that 95% of respondents had experienced more than 10 Web-site incidents during 2004, up from 5% in 2003.

A RATIONAL BUSINESS RESPONSE

Enterprises are naturally struggling to deal with the tens of thousands of security vulnerabilities created in the rush to move most database access behind web applications. Based on our work on the problem, a rational plan falls into four steps:


  1. Understand the scope of the problem. Enterprises need a coherent plan to understand the scope of the problem, and that goes far beyond creating lengthy lists of vulnerabilities. They must understand what their web applications do, how critical each is to business processes, what data it protects, and how exposed it is to emerging threats as well as known exploits.
  2. Create a plan to fix the problem. Using the information accumulated in step 1, security teams must create a realistic plan to remediate the vulnerabilities that have been discovered. These vulnerabilities accumulated over the course of a decade; they will not be fixed in six months. Remediation must be prioritized on the basis of the business criticality and exposure established in step 1. Security teams must be able to hand vulnerabilities to the developers responsible for the affected code in a consolidated, summary form so that the same defect is not worked on repeatedly. The tools used to find the vulnerabilities must therefore be able to consolidate them both by common cause and by the personnel responsible for fixing them.
  3. Start eliminating the vulnerabilities. Security teams assign remediation work to developers. Each assignment must clearly identify the vulnerability, explain how to reproduce it, and give instructions on how to fix it. Multiple findings that share a root cause (for example, one unvalidated input handler reachable from many URLs) should be consolidated into a single work item to avoid duplicated effort. Once a fix is delivered, the security team must retest every affected instance and confirm that the vulnerability no longer reproduces before closing it.
  4. Learn from your mistakes. Web application vulnerabilities are not like network vulnerabilities. They are generally not the result of a vendor error that can be fixed with a patch; they are the result of specific omissions in the design and coding of custom web applications. Security teams must work with developers to make security planning a part of application architecture and design. Fixing a security defect during design or development is widely estimated to cost an order of magnitude less than discovering and remediating it after the application is in production.
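The four steps above amount to a small workflow: consolidate raw scanner findings by root cause, prioritize the consolidated items by severity and business criticality, assign them to code owners, and retest each instance after a fix. The following Python is an added illustration of that workflow and is not NTOSpider code or output. The findings, the path-based criticality weights, the code-owner map and the handler names are all constructed for the example; a real program would populate them from the scanner's report and the application inventory built in step 1.

```python
"""Consolidate, prioritize, assign and retest web application findings.

Added example; the data below is constructed, not real scanner output.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urlparse


@dataclass(frozen=True)
class Finding:
    url: str
    parameter: str
    vuln_class: str   # scanner classification, e.g. "sqli" or "xss"
    severity: int     # 1 (info) .. 5 (critical)
    handler: str      # server-side code that consumes the parameter


@dataclass
class RootCause:
    vuln_class: str
    handler: str
    findings: List[Finding] = field(default_factory=list)
    owner: str = "unassigned"
    status: str = "open"

    def instance_count(self) -> int:
        return len(self.findings)

    def max_severity(self) -> int:
        return max(f.severity for f in self.findings)


# Constructed sample findings (hypothetical site and handlers).
SAMPLE_FINDINGS = [
    Finding("https://shop.example/search?q=", "q", "xss", 3, "SearchController.render"),
    Finding("https://shop.example/search?sort=", "sort", "xss", 3, "SearchController.render"),
    Finding("https://shop.example/search?page=", "page", "xss", 3, "SearchController.render"),
    Finding("https://shop.example/account/orders?id=", "id", "sqli", 5, "OrderDao.byId"),
    Finding("https://shop.example/account/invoice?id=", "id", "sqli", 5, "OrderDao.byId"),
    Finding("https://shop.example/help?topic=", "topic", "xss", 2, "HelpPage.show"),
]

# Hypothetical business criticality per path prefix (output of step 1).
CRITICALITY: Dict[str, int] = {"/account": 3, "/search": 2, "/help": 1}

# Hypothetical code ownership, keyed by the handler's class name (step 3).
OWNERS: Dict[str, str] = {"SearchController": "storefront-team", "OrderDao": "orders-team"}


def consolidate(findings: List[Finding]) -> List[RootCause]:
    """Group findings that share a vulnerability class and a code handler."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.vuln_class, f.handler)].append(f)
    return [RootCause(vc, h, fs) for (vc, h), fs in groups.items()]


def criticality_of(url: str) -> int:
    path = urlparse(url).path
    for prefix, weight in CRITICALITY.items():
        if path.startswith(prefix):
            return weight
    return 1


def priority_score(rc: RootCause) -> int:
    """Worst severity x most critical affected area x number of instances."""
    area = max(criticality_of(f.url) for f in rc.findings)
    return rc.max_severity() * area * rc.instance_count()


def prioritize(root_causes: List[RootCause]) -> List[RootCause]:
    return sorted(root_causes, key=priority_score, reverse=True)


def assign(root_causes: List[RootCause], owners: Dict[str, str] = OWNERS) -> List[RootCause]:
    for rc in root_causes:
        rc.owner = owners.get(rc.handler.split(".")[0], "unassigned")
    return root_causes


def retest(rc: RootCause, reproduces: Callable[[Finding], bool]) -> str:
    """Re-run every instance; a root cause is closed only when none reproduce."""
    remaining = [f for f in rc.findings if reproduces(f)]
    rc.status = "fixed" if not remaining else f"open ({len(remaining)} of {len(rc.findings)} still reproduce)"
    return rc.status


def run_cycle(findings: List[Finding] = SAMPLE_FINDINGS) -> List[RootCause]:
    return assign(prioritize(consolidate(findings)))


if __name__ == "__main__":
    for rc in run_cycle():
        print(f"{priority_score(rc):>3}  {rc.vuln_class:<5} {rc.handler:<25} "
              f"{rc.instance_count()} instance(s)  owner={rc.owner}")
```

Grouping on (vulnerability class, handler) rather than on URL is what turns six findings into three work items; the two SQL injection findings in the account area score highest because they combine the worst severity with the most critical part of the site. The retest step is deliberately per-instance: a fix that closes the vulnerable path for one parameter but not another leaves the root cause open, which is exactly the "confirm before closing" check step 3 calls for.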



HOW WE CAN HELP

NTO has designed NTOSpider to provide the information needed in each step of your enterprise's application security program:


  • Information that helps you discover, categorize and prioritize vulnerabilities.
  • Reporting of vulnerabilities consolidated by their root cause, so that developers can fix hundreds or thousands of reported instances with a change to one section of code.
  • Clear descriptions of each vulnerability, with the ability to validate it in real time from the report in which it is listed.
  • A Threat Assessment Module (including our Resource Maps) that allows security teams and developers to see how a site is architected and learn how to design intrinsically more secure applications.



NTO also offers training from the top experts in the field, and our professional services division helps your enterprise create plans and processes that comply with best practices and use resources efficiently to achieve your business goals.



Copyright © NT OBJECTives, Inc. All Rights Reserved.