Achieve Quality by Securing Web Applications
Quality and testing best practices are necessary for delivery of applications that meet today's protection and integrity needs.
by Peter Varhol
November 17, 2006
Despite the recent industry focus on securing corporate networks, cyber intruders are still succeeding in breaking into enterprise applications and compromising data. Their success has cost millions of dollars in lost business and in the IT resources required to correct the problem and redeploy applications. The protective measures adopted over the last several years are preventing many casual attacks that have no specific target in mind. But the number of successful attacks demonstrates convincingly that these efforts aren't good enough.
Where are current tactics failing to block more attacks? According to Gartner, 75 percent of successful attacks occur through the application, rather than through the network or operating system. This finding indicates that today's security problem does not involve the infrastructure directly; it has to do with the applications that use that infrastructure.
The problem is especially apparent in Web-based applications. Web applications—in particular, those created for use outside of the enterprise—are readily accessible to intruders, and the nature and architecture of Web applications provide easy access to application code. In addition, developers often use coding practices that, while correct and functional, can unintentionally provide ways for intruders to access the application at a high level of privilege.
One reason for these security vulnerabilities is that developers have an incomplete picture of who is trying to get into their applications. A rogue hacker seeking to intrude primarily as a technical challenge might have been an accurate image during the early days of the Internet, but two other types of hackers have proved more threatening in recent years.
The first is an internal intruder, the disgruntled or dishonest employee, who already has at least some level of access to the network and quite possibly to the target application. This type of person might be motivated by thoughts of riches or revenge, and because most enterprises don't adequately protect against intrusion from inside, this person's attack can be accomplished relatively easily.
The second is a professional intruder, the person who does hacks for a living. Organized crime has discovered the Internet. A skilled person is hired to fake financial transactions or obtain confidential information that can be sold. Terrorists and spies have also become adept at getting information for their own nefarious purposes.
These new types of cyber intruders have prompted enterprise IT organizations to rethink the traditional practice of protecting only the infrastructure. Firewalls, virus checkers, and network traffic analyzers are an important part of securing the enterprise, but today's IT specialists acknowledge that anyone who is able to overcome these defense mechanisms can easily gain further access to systems and data. As a result, organizations are expressing growing interest in building more secure applications.
This interest has several significant implications within the application development life cycle. To properly address security once an application is deployed, you must consider it at each step in the life cycle—the requirements, design, development, and test phases. Security must have visibility similar to application performance and scalability in all decisions made during the application life cycle.
Poor security reflects on the quality of an application. A security hole is a bug that can cause more harm than many other types of common application bugs. But with a combination of good coding practices and testing, you can prevent security bugs, as you would these other types of bugs.
Building security into an application during development presents a technical challenge because no application can be completely secure. You might find thousands of intrusion paths into an otherwise perfectly functional application, including paths that have not yet been discovered. Even a small Web application can have hundreds of different security holes.
Your goal as part of the development team is to ensure that a large proportion of the serious and critical security weaknesses are resolved so that intruders cannot find an easy way into an application. If an application is too difficult to hack, the vast majority of intruders will move on to easier targets. Even if attempts to break into a specific application continue, you will find that making intrusion more difficult offers IT professionals a better opportunity to discover and respond.