Changing the paradigm
In order to break this cycle, we must change the way that we fundamentally approach application security. Gone are the days when anyone involved in application development can say "Security is not my responsibility." Security is everyone's responsibility, as it has severe impact on the business if not taken seriously. We must integrate security throughout the SDLC, not just hastily add it to the end. This integration will only occur if we involve developers, QA teams, and management in security. Making such a fundamental shift will not happen overnight, but it is essential if we are to stem the tide of applications riddled with security vulnerabilities which offer multiple attack vectors and leave enterprises wide open to attack.
Costs of failing to build secure applications
Today, the Internet has become an easy target for attackers. With as many as 85% of web sites vulnerable to attack, it is no wonder that the attackers have shifted their focus to web applications as an entry point into corporate networks. This, along with the fact that the web has evolved from being an online, accessible presence to now delivering mission-critical applications, means that web-application security is now a critical component of the overall enterprise security. Despite this fact, traditional development and QA cycles for building web applications do not incorporate security into existing processes. This inability to test and rectify vulnerabilities before an application goes into production leaves confidential data within a web application at risk for attack or misuse.

The costs of a security breach can be significant. The 2007 CSI Computer Crime and Security Survey found that the average reported loss among survey respondents amounted to $350,424, which was more than a two-fold increase from the previous year. Additionally, the Ponemon Institute's 2006 Annual Study, Cost of a Data Breach, found that the average cost per lost customer record amounted to $182. This amounted to an overall average cost of $4.8 million per breach. While these statistics are not exclusive to web application attacks, corporate web applications are a common attack vector for accessing confidential data.

Industry analysts estimate that the failure to identify and repair security vulnerabilities during the software development process can carry extra costs. Removing a defect after software is operational can cost between two and five times as much as correcting the error within the development and QA process. Moreover, by incorporating security testing by QA teams, the following opportunities to reduce the costs of vulnerability remediation exist:

• Defect correction during code and unit tests can reduce the cost impact by a factor of between three and 20 percent.
• If 50 percent of software vulnerabilities were removed prior to production use, enterprise management costs would be reduced by 75 percent.

Add increasing accountability for proof of regulatory compliance due to government and industry mandates, and the need for integrating methodical security assessment into the application quality or delivery process becomes clear.
Application Security is a quality issue
Many, if not most, businesses deploy web-based technologies under the assumption that gateway security measures such as firewalls and intrusion detection and prevention systems (IDS/IPS) are sufficient to protect web applications from attack or misuse. This is a dangerous assumption. Web applications, by design, are exposed externally or to predefined internal populations, generally on port 80 (HTTP) or port 443 (HTTPS). A firewall will do nothing to protect a web application from vulnerabilities at the application layer; it can only be used to restrict who can access the application in the first place. IDS and IPS systems, on the other hand, rely largely on signature-based rules, which match known attack patterns in the traffic they inspect. Web applications are custom applications, not off-the-shelf software components. Due to the customization and ever-changing nature of web applications, it is extremely difficult to write IDS/IPS signatures that will do anything more than detect the most basic attacks. The majority of vulnerabilities in web applications reside in the custom business logic of the application itself. Compensating controls provided by external products are temporary solutions which seek to hide the vulnerability. It is typically only a matter of time before an attacker identifies an alternate entry point or is able to encode an attack in such a manner that a signature-based technology is unable to detect the attack packet: the signature inspects the bytes on the wire, while the application decodes and interprets them later, so the two never see quite the same input. Only by correcting the vulnerable code is it possible to fully protect the application. It is for this reason that developers, QA teams, and management must share in the responsibility of developing secure code. Auditing a web application either prior to or following release into production simply is not sufficient
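The following is an added, self-contained illustration of the point above and is not code from the original paper. It pairs a toy IDS-style signature for the textbook SQL injection string with a deliberately vulnerable lookup that splices a URL-decoded parameter into SQL, then shows the corrected version that binds the value as a parameter. The table, rows and payloads are all constructed for the example; the signature regex is a hypothetical rule, not taken from any real IDS ruleset.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample data standing in for an application's account table.
SAMPLE_ACCOUNTS = [("alice", "Alice Checking"), ("bob", "Bob Savings")]

# Hypothetical network-IDS signature for SQL injection: the textbook
# "' OR 1=1" string, matched against the request as it appears on the wire.
SIGNATURES = [re.compile(r"'\s+OR\s+1=1", re.IGNORECASE)]


def ids_flags(raw_request):
    """True if any signature fires on the raw (undecoded) request."""
    return any(sig.search(raw_request) for sig in SIGNATURES)


def _connect():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(raw_owner):
    """Vulnerable business logic: the application URL-decodes the parameter
    (so the IDS and the database see different bytes) and then splices it
    straight into the SQL text."""
    owner = unquote(raw_owner)
    conn = _connect()
    sql = "SELECT name FROM accounts WHERE owner = '%s'" % owner
    rows = conn.execute(sql).fetchall()
    conn.close()
    return [r[0] for r in rows]


def lookup_parameterized(raw_owner):
    """Corrected code: same decoding, but the value is bound as a query
    parameter, so no encoding of the input can turn it into SQL."""
    owner = unquote(raw_owner)
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    textbook = "x' OR 1=1 --"                 # caught by the signature
    url_encoded = "x%27%20OR%201%3D1%20--"    # same attack, signature misses it
    comment_spaced = "x'/**/OR/**/1=1/**/--"  # SQL comments instead of spaces
    for payload in (textbook, url_encoded, comment_spaced):
        print(
            f"{payload!r}: IDS flagged={ids_flags(payload)}, "
            f"vulnerable returns={lookup_vulnerable(payload)}, "
            f"parameterized returns={lookup_parameterized(payload)}"
        )
```

Only the literal textbook payload trips the signature; the URL-encoded and comment-spaced variants sail past it yet still dump every row from the vulnerable function, because the application decodes the parameter before building the query and SQLite treats `/**/` as whitespace. The parameterized version returns nothing for all three payloads without any help from the network layer, which is the sense in which fixing the code, not the signature, closes the hole.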