 

CASE STUDY - CRM Leader Deploys Application Security Across Organization

Siebel Systems Relies on NTOSpider to Secure Web Applications

Case File

Company: Siebel Systems, Inc.

Location: San Mateo, CA (Global Headquarters)

Challenge: Building a continuous application security process across development, QA and security teams

Solution: Deploy NT OBJECTives’ NTOSpider to multiple teams to test secure development practices and audit enterprise applications



Siebel Systems, one of the largest and most successful application development companies in the world, serves the enterprise business market with CRM, business intelligence and data integration solutions. These mission critical business applications contain tremendous amounts of sensitive information about customers, business processes and proprietary corporate data. The importance of this data has caused Siebel to become an industry leader in the deployment of layered security systems and employee training. “The ultimate road to greater security is to distribute knowledge across the organization instead of centralizing it,” says Chief Security Officer David Mortman. Siebel recently tapped NT OBJECTives to provide its NTOSpider software to do just that.

Siebel Systems helps organizations of all sizes optimize their people, processes, and technology around their customers, leading to outstanding customer experiences and superior business results. This results in the centralization of massive quantities of data, much of which is regulated by federal and state laws. In recent years, Siebel, like many enterprise software companies, has moved away from client applications and toward web applications as the interface to its software. “Web applications are critical to Siebel. They allow us to build our software interfaces once for one platform - the web browser,” says Mortman. However, while this consolidates development efforts onto a simpler, highly extensible delivery platform, it also introduces a great many security-related issues.

"Recent years have shown significant growth in the exploitation of Web application vulnerabilities.  Increasingly, web applications are connected directly or indirectly to valuable backend data stores, making them critical attack vectors that must be hardened," according to Diana Kelley, an analyst with The Burton Group. While Siebel employs a massive, layered security approach to managing their internal systems, their development process relied on training developers in secure coding practices and using consultants to periodically audit application security. While this provides strong checks and balances, it is intermittent. “We have always strived for a more continuous process that could be employed and audited in-house, year round. This would make the periodic audits more effective by measuring compliance as opposed to spot-checking security status,” adds Mortman. “This is what led us to deploy NTOSpider.”

NTOSpider is the most advanced application vulnerability scanner on the market. As a completely automated solution, NTOSpider allowed Siebel to extend security operations beyond security/IT personnel to include application developers and QA staff. “Moving security outside the IT organization requires two critical features: automation and comprehensiveness,” says Neha Desai, Lead Quality Assurance Design Engineer for Siebel. “If employees need to help a vulnerability scanner get through the site, or the scanner can’t look at site technologies like JavaScript, they just aren’t manageable. We run huge amounts of dynamic JavaScript and the bottom line is that other products simply ignored all that content if we didn’t click on those pages manually, and I can’t hire a team of people to click through thousands, or more, of web pages. NTOSpider lets us input the URL and press start; it handles everything else all on its own,” adds Ms. Desai.

Siebel also found that the processes for fixing discovered vulnerabilities created significant overhead. The challenge of finding the vulnerable web page, replicating the attack and then tracking down the source code to fix it took inordinate amounts of time and coordination between teams. NTOSpider’s ability to identify the “root causes” of vulnerabilities means that instead of chasing vulnerabilities one at a time, Siebel was able to identify the fundamental flaw in the application logic, so that developers could address the cause, not just one of many symptoms of the vulnerability. This allows a single code change to the application to fix dozens or even hundreds of vulnerabilities at a time. “Instead of looking at each and every vulnerability in isolation, NTOSpider lets us see where the problems are coming from and focus our efforts more efficiently. By going straight to the source, or root cause, we are able to turn a single code change into dozens or even hundreds of remediated vulnerabilities. And the vulnerability ‘Validate’ feature in the NTOSpider reports tells us immediately that the issue is resolved,” says Mortman.

Siebel has utilized NT OBJECTives’ NTOSpider to push secure application development across all functions working on Siebel’s enterprise software solutions, including the hosted versions offered as a managed service. “At the end of the day, we know now that we have more eyes and more minds focusing on building secure software. That protects our core business model while allowing us to get things done better and faster,” says Mortman.

About NT OBJECTives, Inc.
NT OBJECTives, based in Orange County, California, brings together an unprecedented collection of this industry's top experts to offer a comprehensive suite of industry-leading technology and services to solve the application security problems of today's global business leaders. Through the synergy of the top security software developers and some of the industry's best consultants and researchers, NTO has created the first next-generation, automated technology capable of performing accurate application security audits. Coupled with a comprehensive service offering, including security training services, NTO is uniquely positioned to provide complete application security solutions to today's businesses.

About Siebel Systems
Siebel Systems is the world's leading provider of solutions that help organizations of all sizes optimize their people, processes, and technology around their customers, leading to outstanding customer experiences and superior business results. Our customer relationship management, business intelligence, and customer data integration solutions are the product of more than $2 billion in direct and partner investment and reflect over 11 years of experience with more than 4,000 organizations.



 

Copyright © NT OBJECTives, Inc. All Rights Reserved.