CSI 2007: Developers need Web application security assistance

By Bill Brenner, Senior News Writer
06 Nov 2007 | SearchSecurity.com


ARLINGTON, Va. -- Security luminaries have warned about the dangers of Web 2.0 applications for nearly two years, but now it's time to help developers create safer code, industry experts said Monday during the CSI 2007 security conference.

Web application security is a major theme at the Computer Security Institute (CSI) event this year, with a full slate of presentations dedicated to the subject. Presenters repeated the warning that corporations are in too much of a hurry to offer Web-based applications that allow customers to do more business online. As a result, developers are churning the applications out with no regard for security.

It's not that developers don't care about security. It's that they're under so much pressure to quickly churn out Web-based services that they don't have time to think about it, said Michael Sutton, security evangelist with SPI Dynamics, now part of Hewlett-Packard Co. (HP). He said it's time to create an atmosphere where they can write code with fewer holes.

"Developers are not anti-security, but they'll only build what we tell them to build and nobody's asking them to do security," Sutton said. "That has to change."

He said companies have always operated under the assumption that IT is responsible for security and not the Web developers. The problem is that once faulty applications are launched, IT can't provide the fix. The fix must occur by rewriting the code. But there are ways IT can help the developers get it right. Peer training is one example, where IT security staff can train developers to be more security-aware.

"Don't try to turn the developers into security experts because that's not going to work," Sutton said. "But you can give the folks who work in the application building and quality assurance departments the knowledge they need to find a lot of this stuff."

He said the key is to make security part of every step in the development process -- planning, requirements, design, building, quality assurance and production. The best opportunity to find problems before they're baked into the final product is in the build and quality assurance phase.

Loss of IT control
Steve Orrin, director of security solutions at Intel Corp., said one of the biggest dangers is the externalization of application functionality and the loss of internal control. This is a big problem for IT administrators because the tight perimeter they've created is useless against attacks targeting Web services, he said, underscoring why developers must play more of a security role.

"When you use Web services, hackers have a much easier time getting at your legacy applications and launching attacks based on SQL injection, cross site scripting and other methods," he said. One thing many people don't realize is that in the XML world, cross-site scripting attacks live on long after the initial submission to the Web site: the injected content is stored server-side, so every time users log into the Web application the attack is launched again. And, Orrin said, the attacker only has to target the Web site and not all the individual users.
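The persistence Orrin describes is what separates stored cross-site scripting from the reflected kind: the payload is saved once on the server and re-delivered on every later page view, so the attacker never has to reach individual users. The following is an added example, not code from the article or from any of the speakers quoted in it. It models the situation with a constructed in-memory comment store, contrasts a render path that interpolates stored text raw with one that HTML-escapes it at output time, and includes a QA-style check for live script tags in rendered output. The function names, the store and the sample payload are all assumptions made for the illustration.

```python
"""Stored (persistent) XSS: a payload saved once fires on every later view,
and output encoding at render time is the control that neutralises it.

Added example, not code from the article. The comment store, the two render
functions, the QA check and the sample payload are constructed for illustration.
"""
import html
import re

# Constructed in-memory "database" standing in for the site's back-end store.
COMMENTS = []


def submit_comment(author, body):
    """What a site does on the initial submission: persist the input verbatim."""
    COMMENTS.append({"author": author, "body": body})


def render_unsafe():
    """Vulnerable render: stored text is interpolated into HTML untouched, so
    markup saved earlier runs in every visitor's browser on every page view."""
    return "".join(f"<p><b>{c['author']}</b>: {c['body']}</p>" for c in COMMENTS)


def render_safe():
    """Hardened render: every stored field is HTML-escaped when written into the
    page, so markup characters become entities the browser shows as plain text."""
    return "".join(
        f"<p><b>{html.escape(c['author'])}</b>: {html.escape(c['body'])}</p>"
        for c in COMMENTS
    )


# Opening <script tag in rendered output; an escaped page never contains one
# that originated from user-controlled content.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def count_active_scripts(page):
    """QA check: number of live <script> openings in a rendered page."""
    return len(SCRIPT_TAG.findall(page))


def simulate_logins(render, n):
    """Each user login re-renders the page; returns how many of n logins
    delivered a live script, which is the 'launched every time' effect."""
    return sum(1 for _ in range(n) if count_active_scripts(render()) > 0)


if __name__ == "__main__":
    submit_comment("alice", "Great talk on Web services security.")
    # Constructed sample payload: stored once, re-delivered on every view.
    submit_comment("mallory", "<script>alert('stored')</script>")
    print("unsafe page:", render_unsafe())
    print("safe page:  ", render_safe())
    print("logins hit (unsafe):", simulate_logins(render_unsafe, 5))  # 5
    print("logins hit (safe):  ", simulate_logins(render_safe, 5))    # 0
```

The point to take from the two render functions is that the fix lives at the output boundary, not at submission: the stored record is identical in both cases, and only escaping on the way into the page stops it from being interpreted as markup. A QA step that renders the page and runs a check like `count_active_scripts` over it is the kind of "find a lot of this stuff" test Sutton argues should sit in the build and quality assurance phase.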

Since IT shops lack the resources to deal with the problem, Orrin said the best solution is for the information security community and consumers to step up pressure on those who offer Web 2.0 technology.

"The big point I want you to leave here with is that we have to beat up on the vendors to make this stuff more secure" during the development process, he said.

Josef Brunner, security solutions manager at Enterasys Networks, said the security problem is exacerbated by the fact that Web applications have been created in an amateur-hour setting where "everyone and their dog can create Web services and every single one of them is a disaster."

Brunner expressed particular concern for how the Simple Object Access Protocol (SOAP) is used in Web services. SOAP is a way for a program running on one kind of operating system, such as Windows 2000, to communicate with a program on the same or another kind of operating system, such as Linux, using the Hypertext Transfer Protocol (HTTP) and the Extensible Markup Language (XML) as the mechanisms for information exchange.

SOAP is platform-independent and allows users to bypass whatever security devices are on the network, Brunner said, adding that encryption tends to be the only security mechanism for SOAP. "SOAP is very flexible and dynamic, which is always bad from a security standpoint," he said.

SOAP tends to be encrypted by an inconsistent set of methods and so there's no way for security professionals to break and inspect the traffic for trouble. Making matters worse, he noted that SOAP servers are connected to critical back-end systems attackers can compromise with the right exploits.

Brunner's suggestions for improving the situation include securing SOAP servers with host-based IDS to prevent buffer overflow attacks, and, above all, demanding better application security, which means training developers to do better.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy