Are your enterprise business applications secure?
When technology vendors talk about security, you are most likely to be in a discussion about protecting investments in technology systems - preventing unauthorized access through attacks or locking down systems to prevent employees tampering with business information systems. But a problem that is harder to find the answer to is what vulnerabilities exist in the enterprise business applications that companies run. Many companies will try to secure their applications by wrapping security technology around them, but that still does not account for a prime area of vulnerability - the source code of those applications.
The sort of vulnerabilities that can be contained in application source code include the possibility of an attacker exploiting software whose patches are out of date to enter a corporate network, perhaps gaining access to sensitive company databases or an intranet. Companies regularly run penetration tests to check for such vulnerabilities, but most organizations have a huge number of applications within their networks. Plus, organizations in industries ranging from financial services to government to manufacturing are running a plethora of custom-built legacy applications tuned specifically to the needs of their particular operations. Vendors offering packaged software will provide patches for security vulnerabilities in their own applications, but proprietary applications are a different matter, and there is a huge legacy of source code in applications that were never designed for networking.
If a company is running penetration tests on all of its applications, it is a time-consuming task. And those tests need to be repeated over and over again. There can be few companies that do not suffer from limited IT budgets and resources, and what budget they have is often needed elsewhere. According to some sources, companies are spending up to 80% of their budgets on firewalls and intrusion detection systems -- there is little left in the pot for other projects in such cases. Plus, a host of new regulations such as Sarbanes-Oxley and Basel II place business executives directly in the firing line if there is anything amiss with the business information that they report. That means that they must be absolutely certain about the integrity of their applications.
One company, Ounce Labs from Massachusetts, is actively addressing the problem of application security. It is producing software tools that can run across all of a company's applications, analysing the source code and generating a list of where the greatest vulnerabilities lie. This allows the company to fix the greatest vulnerabilities first before moving on to the next point of pain. When a problem is found, the software can also push out a patch to all users of the particular application, getting around the problem of users not proactively updating their security signatures, or of relying on pressed IT staff to actively monitor patches and provide daily fixes to all users. Worse, the problem could even be caused by an internal resource, such as a disgruntled system administrator.
It is always difficult to prove ROI in security implementations, with people looking at such implementations more as insurance or as a maintenance cost. But, according to Ounce Labs president and founder, Jack Danahy, there are many reasons that a company can use for justifying such costs, such as reduced support costs through more effective authentication. Plus, IT resources can be freed up for more value-added tasks than repeatedly testing for vulnerabilities.
And this is an area where there is currently a great deal of interest. Danahy states that competitors are just coming into the market and application software vendors are also taking notice. There may not be many companies actively employing technology such as that from Ounce Labs yet, but companies are actively planning what they can do to secure their applications as part of their overall security measures. And with the threat of attacks from worms and viruses growing daily, as well as regulatory compliance issues driving risk management activities, companies would be wise not to wait too much longer to evaluate issues of application security.
Copyright 2004. Originally published by IT-Director.com, reprinted with permission. IT-Director.com provides IT decision makers with free daily e-mails containing news analysis, member-only discussion forums, free research, technology spotlights and free on-line consultancy.