SAN FRANCISCO - The themes at the first day of RSA Conference 2005 were familiar ones: authentication interoperability and Microsoft's dedication to security. Ubiquitous topics indeed, but not necessarily within the average security administrator's realm of control. Don't get me wrong, every administrator should be familiar with Microsoft's security initiatives, but not to the detriment of some closer-to-home applications. Custom in-house applications deserve more attention from security administrators.
The reason that Microsoft Windows is considered the most vulnerable operating system is the same reason many security administrators ignore possible vulnerabilities in their custom applications. Windows is attacked because it is ubiquitous, so by the same reasoning most security administrators consider their unique custom applications safe. Not so, according to Justin Clarke, a vulnerability detection and penetration testing expert at Ernst and Young LLP.
Truly custom applications are usually commissioned by large companies because they have the resources to engage in such an elaborate development lifecycle. These are exactly the type of applications that are ripe for the picking according to Clarke. "If I am a malicious hacker and I break into a custom application that serves 50,000 users, then I own 50,000 users," said Clarke.
Custom applications are subject to the same vulnerabilities as any other application, and fixing those vulnerabilities can often be more problematic than fixing them in more common applications. For instance, an in-house application is unlikely to have a patching system in place. Also, if the customization was performed by a third party, getting updates can often involve poring over old contracts and SLAs.
So what is a security administrator to do? Clarke recommends looking into customizing open source security tools. "Many open source security tools are less applications than they are frameworks," said Clarke. A framework is meant to be extensible and customizable. With a little know-how, open source tools can be modified to detect vulnerabilities within custom applications.
Nessus is a vulnerability scanning tool that comes with its own language called NASL. NASL is similar in style to Python or Perl. Developers can use NASL to write Nessus plug-ins that can specifically test custom applications. See documentation at Nessus.org and the NASL reference manual for more information on customizing Nessus.
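As an added illustration of what such a plug-in looks like (it is not from the article, from Clarke, or from the Nessus project), here is a minimal NASL check in the style Nessus accepted at the time, which asks an in-house web application whether it still serves a debugging page that should not be reachable in production. The plug-in ID, the application name, the /debug path and the "Debug console" banner are all hypothetical.

```nasl
# Hypothetical Nessus plug-in: flags an in-house portal that exposes a debug page.
# Plug-in ID, application name, path and banner text are invented for this example.
if (description)
{
  script_id(99901);                                  # placeholder ID, not a real Nessus ID
  script_version("1.0");
  script_name(english:"Acme Portal: debugging page reachable");
  desc["english"] = "The in-house Acme Portal answers requests for /debug.
The debugging console should be disabled before the application is deployed.
Solution: turn off the debug handler in the production build.
Risk factor: High";
  script_description(english:desc["english"]);
  script_summary(english:"Requests /debug on the Acme Portal and looks for the console banner");
  script_category(ACT_GATHER_INFO);                  # read-only check, no attack traffic
  script_family(english:"CGI abuses");
  script_copyright(english:"Example plug-in for internal use");
  script_require_ports("Services/www", 80);          # run only where a web server was found
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);

# Build a plain GET for the (hypothetical) debug path and send it over a keep-alive connection.
req = http_get(item:"/debug", port:port);
res = http_keepalive_send_recv(port:port, data:req);
if (res == NULL) exit(0);

# Only report when the page is served successfully AND carries the console banner,
# so a generic 404 page or a redirect to the login form does not trigger a finding.
if (egrep(pattern:"^HTTP/1\.[01] 200 ", string:res) && "Debug console" >< res)
  security_hole(port);
```

The `><` operator is NASL's substring test, and `security_hole` records the finding against the port so it appears in the normal Nessus report alongside the stock plug-ins.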
Ettercap is probably better known in the hacker community. It is an open source network sniffer that operates on TCP/IP packets and is often employed for man-in-the-middle attacks. It can also be extended with the use of plug-ins.
Hydra is a brute force network logon cracker that can be customized with the use of modules. It supports a wide variety of protocols, among them SAP R/3, MySQL and Cisco AAA.
Even if your shop does not run many custom applications, there are benefits to utilizing open source security tools. First, they are free. You may be running proprietary applications like an Oracle database or SQL Server that have many available vulnerability testing tools, but chances are someone has already written a plug-in or module for an open source tool that can do the same job for less.
Another benefit of customizing open source security tools is the ability to define the various levels of compliance and assurance that are required in different vertical industries, such as healthcare and finance. A custom report can provide specific details regarding your application's compliance with federal laws and standards.
For more information on leveraging open source security tools, look for Justin Clarke's upcoming release from O'Reilly called "Network Security Tools."
About the author
Benjamin Vigil is a technical editor with our sister site, SearchNetworking. He previously worked as a DBA at a large payment processing institution before he began writing about Windows, Web services and security.
This was first published in February 2005