Application security has been a steadily growing focus area of enterprise information security programs. Following many security breaches, affecting small and large corporations alike, businesses are finally giving application security the attention it has always deserved. It is a rapidly expanding field for software assurance tools, expertise and regulatory requirements. The financial industry has integrated a thorough set of application security requirements into the Payment Card Industry (PCI) Security Standard. The DoD has also taken an aggressive approach to securing its applications.
Many of today’s application security problems can be traced back to a lack of understanding of the inherent risks facing web applications. Developers often write their code while oblivious to these risks, not understanding that the security of the application and associated database begins and ends with their code. Developers and network security staff simply didn’t (in many cases still do not) understand a key concept of securing web applications – you can’t do it with traditional network perimeter security mechanisms. There are three generalized ways to “secure” a web application – match perfectly secure code with secure databases and architectures; a perfectly secure and properly implemented web application firewall (WAF); or unplug it from the network and disconnect power. The first two are difficult, at best, to achieve and neither will always be perfect, so it is important to take a layered security approach to web applications. The third, disconnecting, provides protection but obviously isn’t very practical.
There are always new exploits being discovered that take advantage of new technologies, making web application security a constantly evolving process of staying ahead of the attackers. WAFs have been, and will continue to be, subverted when the motivation to exploit an application becomes sufficient to justify the effort. There are no silver bullets for any aspect of security; web application security is no different. The only chance you have is to implement a software assurance program that focuses on awareness, secure coding practices and integrating software assurance tools into your Software Development Life Cycle (SDLC). If you’re not doing these things, you’re a prime target for attackers, and the fight isn’t going to be a fair one.
B-Side Track