Application Security

Enterprises around the world are facing what could be called the most aggressive threat environment in the history of information technology.

In this eGuide:
  • Improve Application Security Practices
  • Third-party Apps Ripe Targets for Cybercriminals
  • Etsy, Ecommerce and Application Security
  • Is Application Security the Hole in Your Defense?
  • Massive Enterprise Software Insecurity
  • Radically Better Security

Enterprises around the world are facing what could be called the most aggressive threat environment in the history of information technology. Disruptive computing trends are emerging that offer increased employee productivity and business agility, but at the same time introduce a host of new risks and uncertainty. Applications are no exception – the ways that developers create the programs that support the business are always evolving, but security measures to protect these new applications struggle to keep up. When it comes to commercial applications, patching security holes is a must – yet so often these holes are left unplugged and vulnerabilities find their way into the corporate network.

In this eGuide, CIO and sister publications CSO and InfoWorld bring you news, opinions, research and advice regarding the risks that enterprises face from lackluster application security, and steps that can be taken to improve IT defenses. Read on to learn more about application security trends and approaches for today’s insecure world.

How to Improve Your Application Security Practices
The number of serious vulnerabilities in applications is declining, but they are still common. Improving your application security posture requires determining whether you’re a target of opportunity or a target of choice and understanding your development lifecycle.

Is Application Security the Glaring Hole in Your Defense?
Organizations on average spend one-tenth as much on application security as they do on network security, even though SQL injection attacks are the highest root cause of data breaches. Experts say educating developers in writing secure code is the answer.

Third-party Apps Ripe Targets for Cybercriminals
86% of all vulnerabilities in 2012 pinned to non-Microsoft apps.

3 Questions: Etsy, Ecommerce and Application Security
Dinis Cruz on what we do, and don’t, know about web security practices.

Survey Raises Specter of Massive Enterprise Software Insecurity
Annual Sonatype survey suggests enterprise app developers are leaving huge security holes with use of open source components.

The Two Steps to Radically Better Security
Stop wasting your money and do computer security right with two common-sense practices.

Application Security Resources
Tips and tools to help make your critical applications more secure.
How To
How to Improve Your Application Security Practices
Improving your application security posture requires determining whether you’re a target of opportunity or a target of choice and understanding your development lifecycle.
By Thor Olavsrud • CIO

Organizations talk a good game when it comes to security, but many still focus the majority of their security resources on the network rather than their applications--the vector for most data breaches. Many organizations dedicate less than 10 percent of their IT security budget to application security, according to a study by research firm the Ponemon Institute, released in 2012.

The reasons for this gap are multifaceted, says Jeremiah Grossman, founder and CTO of WhiteHat Security, provider of a continuous vulnerability assessment and management service for thousands of Web sites, including the Web sites of dozens of Fortune 500 companies. First, he says, many security professionals have a blind spot for software.

“Most of the security guys out there are not software people,” he says. “They come from an IT background. All they really know how to do is protect the network.”

Second, regulatory compliance and the cruft that comes with regulations based on past threats also play a role in Grossman’s view. “Organizations must comply,” he says. “They spend the lion’s share of their budget first on firewalls and antivirus because the compliance regulators mandate it.”

Prioritizing Application Security Is a Challenge

It is often difficult for the organization to prioritize application security over revenue-generating development work, he says. Even when organizations identify serious vulnerabilities in their Web sites, it’s not necessarily a simple decision to fix them.

“The organization has to fix it themselves,” he says. “The business has to decide: ‘Do we create revenue-generating features this week? If we don’t deliver those features on time or at all, we will for a fact lose money. Not fixing the vulnerability may potentially cost the business money.’ They have to make a decision.”

Application Vulnerabilities on the Decline

Even with these challenges, Grossman says the application security landscape shows signs of improvement. While 2011 was dubbed the Year of the Breach—based on a multitude of high-profile breaches of companies like RSA, Sony, Facebook and Citigroup, not to mention the CIA and FBI—2011 was also a year in which the average number of serious vulnerabilities in Web sites showed a marked decline.

For 12 years, WhiteHat has put together its WhiteHat Security Website Security Statistics Report based on the vulnerabilities it finds in the Web sites it assesses. The 2011 installment, based on the examination of critical vulnerabilities from 7,000 Web sites across major vertical markets, found an average of 79 serious vulnerabilities per Web site, a drastic reduction from the average of 230 it found in 2010 and 1,111 it found in 2007.

“These are real-world Web sites,” Grossman says. “I would guarantee that you have accounts and data in many of the sites we test.”

Of course, that single statistic doesn’t tell the whole story. While the average came in at 79 serious vulnerabilities, the standard deviation was 670: Some Web sites expose a lot more vulnerabilities than others. Also, according to Netcraft, there are roughly 700 million Web sites on the Internet and tens of millions more are coming online each month.
While it’s a large sample, 7,000 Web sites is just a tiny fraction of the whole.

Still, WhiteHat’s findings paint a picture of the state of Web site security today; a picture in which Web site security is slowly improving. The banking vertical continued to show its dedication to security: Banking Web sites again possessed the fewest serious vulnerabilities of any industry with an average of 17 serious vulnerabilities per Web site. Banking also had the highest remediation rate of any industry at 74 percent. Every industry, with the notable exceptions of healthcare and insurance, showed improvement from 2010.

Additionally, time-to-fix showed vast improvement, dropping to an average of 38 days, much shorter than the average of 116 days in 2010. “The developers know that 38 days is actually a really, really good number because they know how long it does take,” Grossman says. “But to the end users, 38 days is unacceptable.”

Half empty or half full? While 2011 was dubbed the Year of the Breach, it was also a year in which the average number of serious vulnerabilities in Web sites showed a marked decline.

Steps to Improve Your Security Posture

To improve your application security posture and make the best possible use of your IT security budget, Grossman suggests you first determine whether you are a target of opportunity or a target of choice. Targets of opportunity are breached when their security posture is weaker than the average organization in their industry. Targets of choice possess some type of unique and valuable information, or perhaps a reputation or brand that is particularly attractive to a motivated attacker.

“On the Web, if you’re doing business of any kind, you’re going to be a target of opportunity,” Grossman says. “Everybody has something worth stealing to a bad guy these days. Other companies are a target of choice because they have something the bad guys want: your credit card numbers or IP or customer lists. This aligns with how secure you need to be. No one needs perfect security.”

If you determine you’re a target of opportunity, Grossman says, you need to make sure that you are a little bit more secure than the average business in your category. He notes organizations can use the data in WhiteHat’s free Website Security Statistics Report to benchmark where they need to be.

Targets of choice, on the other hand, need to make themselves as secure as they possibly can and then prepare plans for how to react when they are breached so they can minimize the damage as much as possible.

Grossman also recommends that organizations hack themselves in an effort to understand how attackers will approach their Web sites. Additionally, he says organizations need to understand their benchmarks: which vulnerabilities are most prevalent in their Web sites, what’s their time-to-fix, their remediation percentage, average window of exposure, etc.

If you consistently see vulnerabilities of a particular type, like cross-site scripting or SQL injection, it’s a sign that your developers need education in that issue or your development framework may not be up to snuff. If your time-to-fix is particularly slow, it’s a good bet that you have a procedural issue: your developers aren’t treating vulnerabilities as bugs. If you consistently see vulnerabilities reopening, it suggests you have a problem with your ‘hot-fix’ process: high-severity vulnerabilities get fixed quickly but the change is not back-ported to development, and a future software release overwrites the patch.

“Understand your software development cycle,” Grossman says. “Understand where you’re good, where you’re bad and make your adjustments accordingly.” •
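As an added example (not from the article or from WhiteHat), the Python below computes the benchmarks Grossman lists from a constructed vulnerability-tracker export and raises the three signals described above. The 38-day figure is the article's 2011 average time-to-fix; every record, class name and threshold in the block is constructed for illustration.

```python
"""Computes the benchmarks Grossman lists (prevalence by class, time-to-fix,
remediation rate, window of exposure) plus the reopen rate from a
vulnerability-tracker export, then raises the three signals the article
describes.  All records and thresholds here are constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Benchmark taken from the article: 2011 average time-to-fix across assessed sites.
INDUSTRY_TIME_TO_FIX_DAYS = 38


@dataclass(frozen=True)
class Finding:
    vuln_id: str                  # same id appearing again = reopened after a fix
    vuln_class: str               # e.g. "XSS", "SQLi"
    opened: date
    fixed: Optional[date] = None  # None while still open


# Constructed sample: one site's serious findings over the 2011 assessment year.
PERIOD = (date(2011, 1, 1), date(2011, 12, 31))
FINDINGS = [
    Finding("V-1", "XSS", date(2011, 1, 10), date(2011, 2, 1)),
    Finding("V-2", "XSS", date(2011, 1, 10), date(2011, 3, 15)),
    Finding("V-2", "XSS", date(2011, 5, 2), date(2011, 5, 20)),   # reopened, refixed
    Finding("V-3", "SQLi", date(2011, 2, 5), date(2011, 2, 20)),
    Finding("V-4", "XSS", date(2011, 4, 1), date(2011, 6, 10)),
    Finding("V-4", "XSS", date(2011, 8, 1)),                      # reopened, still open
    Finding("V-5", "Info leak", date(2011, 7, 1)),
    Finding("V-6", "XSS", date(2011, 9, 1), date(2011, 9, 25)),
]


def _latest_by_id(findings):
    """Most recent open/close cycle for each distinct vulnerability."""
    latest = {}
    for f in findings:
        if f.vuln_id not in latest or f.opened > latest[f.vuln_id].opened:
            latest[f.vuln_id] = f
    return latest


def prevalence(findings):
    """Share of distinct vulnerabilities per class, most common first."""
    counts = Counter(f.vuln_class for f in _latest_by_id(findings).values())
    total = sum(counts.values())
    return {cls: n / total for cls, n in counts.most_common()}


def time_to_fix(findings):
    """Mean days from discovery to fix over every remediated cycle."""
    fixed = [f for f in findings if f.fixed]
    return sum((f.fixed - f.opened).days for f in fixed) / len(fixed) if fixed else None


def remediation_rate(findings):
    """Fraction of distinct vulnerabilities whose latest cycle is closed."""
    latest = _latest_by_id(findings)
    return sum(1 for f in latest.values() if f.fixed) / len(latest)


def reopen_rate(findings):
    """Fraction of once-fixed vulnerabilities that later came back."""
    cycles = defaultdict(int)
    for f in findings:
        cycles[f.vuln_id] += 1
    ever_fixed = {f.vuln_id for f in findings if f.fixed}
    return sum(1 for v in ever_fixed if cycles[v] > 1) / len(ever_fixed) if ever_fixed else 0.0


def window_of_exposure(findings, period=PERIOD):
    """Days in the period on which at least one serious finding was open
    (the discovery day and the fix day both count as exposed)."""
    start, end = period
    exposed = set()
    for f in findings:
        d, last = max(f.opened, start), min(f.fixed or end, end)
        while d <= last:
            exposed.add(d)
            d += timedelta(days=1)
    return len(exposed)


def diagnose(findings):
    """The three signals the article names, as plain-text findings."""
    signals = []
    top_class, share = next(iter(prevalence(findings).items()))
    if share >= 0.5:  # constructed threshold: one class dominates the backlog
        signals.append(f"{top_class} is {share:.0%} of findings: developer education "
                       f"or framework gap")
    ttf = time_to_fix(findings)
    if ttf is not None and ttf > INDUSTRY_TIME_TO_FIX_DAYS:
        signals.append(f"time-to-fix {ttf:.1f} days exceeds the {INDUSTRY_TIME_TO_FIX_DAYS}-day "
                       f"average: procedural issue, vulnerabilities not treated as bugs")
    if reopen_rate(findings) > 0:
        signals.append(f"{reopen_rate(findings):.0%} of fixed findings reopened: check the "
                       f"hot-fix process, patches may not be back-ported")
    return signals


if __name__ == "__main__":
    print(prevalence(FINDINGS), time_to_fix(FINDINGS), remediation_rate(FINDINGS))
    print(window_of_exposure(FINDINGS), reopen_rate(FINDINGS))
    for s in diagnose(FINDINGS):
        print("-", s)
```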
Market Research
Is Application Security the Glaring Hole in Your Defense?
Organizations spend one-tenth as much on application security as they do on network security. Experts say educating developers in writing secure code is the answer.
By Thor Olavsrud • CIO

When it comes to security, a large number of organizations have a glaring hole in their defenses: their applications.

A recent study of more than 800 IT security and development professionals reports that most organizations don’t prioritize application security as a discipline, despite the fact that SQL injection attacks are the highest root cause of data breaches. The second-highest root cause is exploited vulnerable code in Web 2.0/social media applications.

Sixty-eight percent of developers’ organizations and 47 percent of security practitioners’ organizations suffered one or more data breaches in the past 24 months due to hacked or compromised applications. A further 19 percent of security practitioners and 16 percent of developers were uncertain if their organization had suffered a data breach due to a compromised or hacked application. Additionally, only 12 percent of security practitioners and 11 percent of developers say all their organizations’ applications meet regulations for privacy, data protection and information security.

Despite the data breaches resulting from hacked or compromised applications and the lack of compliance with regulations, 38 percent of security practitioners and 39 percent of developers say less than 10 percent of the IT security budget is dedicated to application security.

“We set out to measure the tolerance to risk across the established phases of application security, and define what works and what hasn’t worked, how industries are organizing themselves and what gaps exist,” says Dr. Larry Ponemon, CEO of the Ponemon Institute, the research firm that conducted the study on the behalf of security firm Security Innovation. “We accomplished that, but what we also found was a drastic divide between the IT security and development organizations that is caused by a major skills shortage and a fundamental misunderstanding of how an application security process should be developed. This lack of alignment seems to hurt their business based on not prioritizing secure software, but also not understanding what to do about it.”

The study found that security practitioners and developers were far apart in their perception of the issue. While one might expect that security practitioners held the more cynical views with regard to application security, in fact the opposite was true. Dr. Ponemon says 71 percent of developers say application security was not adequately emphasized during the application development lifecycle, compared with 49 percent of security practitioners who felt the same way. Additionally, 46 percent of developers say their organization had no process for ensuring security is built into new applications, while only 21 percent of security practitioners believed that to be the case.

Developers and security practitioners are also divided on the issue of remediating vulnerable code. Nearly half (47 percent) of developers say their organizations have no formal mandate to remediate vulnerable code, while 29 percent of security practitioners say the same.

The survey also found that nearly half of developers say there is no collaboration between their development organization and the security organization when it comes to application security. That’s a stark contrast from the 19 percent of security practitioners that say there is no collaboration.

Lack of Collaboration in Application Security

“We basically found that developers were much more likely to think there was a lack of collaboration,” Dr. Ponemon says. “The security folks, on the whole, thought the collaboration was OK. I think that one of the biggest problems is that the security folks think they’re getting the word out on collaborating or helping, but they’re not doing so effectively.”

In other words, Dr. Ponemon says, the security organization writes its security policy and gives it to developers, but the developers, by and large, don’t understand how to implement that policy. The security organizations think they’ve done their job, but they haven’t managed to make their policy contextual for developers.

“We find that process has no bearing whatsoever on the ability of an organization to write secure code,” Dr. Ponemon says. “It doesn’t take any longer to write a line of secure code than it does to write a line of insecure code. You just have to know which one to write.”

But knowing which line of code to write seems to be a large part of the problem. The study found that only 22 percent of security practitioners and 11 percent of developers say their organization has a fully deployed application security training program. Fully 36 percent of security practitioners and 37 percent of developers say their organization had no application security training program and no plans to deploy one. •

App security: a hot potato
  • 71 percent of developers say application security was not adequately emphasized during the application development lifecycle;
  • 46 percent say their organization had no process for ensuring security was built into new applications;
  • nearly half say there is no collaboration between their development organization and the security organization when it comes to application security.
Market Research
Third-party Apps Ripe Targets for Cybercriminals
86% of all vulnerabilities in 2012 pinned to non-Microsoft apps
By John P. Mello Jr. • CSO

Third-party apps continue to be juicy targets for byte bandits, primarily because the programs are rife with vulnerabilities, according to a report by Copenhagen-based Secunia, a maker of vulnerability solutions. The main threat to end-point security for corporations and individuals is non-Microsoft applications.

In fact, the share of vulnerabilities attributed to non-Microsoft programs has jumped in the last five years, from 57% in 2007 to 86% in 2012, Secunia said. That contrasts sharply with Microsoft’s share of the vulnerability problem -- 5.5% in its operating systems and 8.5% in its software programs.

While Microsoft used to be a popular target for Internet riff-raff, that’s no longer the case. “We’ve seen an increase over the past 10 years in the focus of cybercriminals on third-party applications,” William Melby, a senior account executive with Secunia, said in an interview.

There are at least two reasons for that, according to Wes Miller, a research analyst with Directions on Microsoft in Kirkland, Wash. “They’re pervasive and they’re not as diligent about how they design and patch their software,” he said.

“Ironically, Windows was the target for the longest time because it was so ubiquitous and while it’s still ubiquitous, I think the bad guys are looking for lower-hanging fruit now like Reader and Flash and Java and iTunes,” he said. “All those things that are pseudo cross-platform -- at least for Mac and Windows -- become a tempting threat vector.”

Microsoft is benefiting from investments it made in writing more secure code over the last decade, according to Stefan Frei, a research director at NSS Labs in Austin, Texas. “Microsoft vulnerabilities dropped drastically from 2011 to 2012,” he said. “That’s made successful exploitation of Microsoft’s programs much, much harder.”

While attention was focused on bolstering the security of Microsoft’s products, little pressure has been exerted on third-party vendors to clean up their acts, he said. “When cybercriminals suddenly shifted their interest to third-party programs, those software makers were caught with their pants down.” Not only has Microsoft improved the quality of its software code, all of its products can be updated through a single process, Melby explained.

“Third-party updates are more complicated,” he said. “You might have to reach out to 30 or 40 vendors to get updates.”

Secunia researchers discovered more than 2,500 programs with more than 9,700 vulnerabilities in 2012, an average of four per product. And while software makers appear to have been keeping pace with the vulnerabilities as they’re found -- 84% of the vulnerabilities had fixes for them on the day they were revealed -- the patches aren’t being applied in a timely way.

Traditionally, the focus of IT departments has been to keep Microsoft’s software up to date and let third-party patches slide, Melby explained. “It’s not good enough to just patch Microsoft applications anymore -- not with the number of vulnerable third party applications running on any given system,” he said. •

Pants-on-the-ground apps
“When cybercriminals suddenly shifted their interest to third-party programs, those software makers were caught with their pants down.”
— Stefan Frei, research director, NSS Labs
Q&A
3 Questions: Etsy, Ecommerce and Application Security
Dinis Cruz on what we do, and don’t, know about web security practices
By Michael Fitzgerald • CSO

‘Add to cart’. ‘Click to buy’. What could be simpler? Well, web commerce may be simple indeed, but whether it’s secure is another question.

CSO asked Dinis Cruz for some quick insights into the state of application and ecommerce security online. Cruz is leader of the Open Web Application Security Project (OWASP) O2 platform project and principal security engineer at Security Innovation, which provides curriculum, training and services around application security.

CSO: What are the big issues with application security?

Cruz: One of the biggest challenges we have from a security point of view is that most development is broken from a process point of view. A lot of companies struggle just to have a development life cycle, let alone injecting security into it. It’s code security really. Mobile apps have the same issues. They live in a bit more of a controlled environment.

CSO: You’ve blogged about Etsy, the social e-commerce company, and what you (as an outside observer) think it gets right with its application security. What do you like about Etsy’s app security?

Cruz: First, I am not involved with them at all. If you look at their blog, at their presentations, they are introducing a lot of visibility into what’s happening with the application. They have a system that’s so slick and mature that they can blog about it. That speaks volumes about what happens behind the scenes. [Editor’s note: Etsy declined to speak to CSO about their security practices.] They show how you add value by giving (developers) visibility metrics—how it works, how it fits together, and the other changes that happen when you make a change. I like their focus on ‘If you have to fix security, you have to fix development.’

They really have a very good view of how security can add value to development. They make it so developers don’t view security like a tax, a pain point you have to go through. If you can make security add value, then developers want to engage with it.

CSO: Are you concerned about the state of app security? Is it improving?

Cruz: It’s a disaster with a capital D. The good news is we don’t have more attackers with very strong business models. And, the industry is finally starting to pay attention, and doing a much better job of how to develop applications, instead of waiting to get attacked spectacularly.

Etsy stands out. They are not the norm. What’s interesting is, [what they’re doing] should be normal. If you go to any other industry—well, look at the horsemeat in the food chain story that’s happening now. They’re now talking about evaluating [products labeled as] beef and making sure they know what’s in there. They should do that for software. We build all these applications and frameworks, and very few people understand them. We buy all these products without pragmatic information about how secure they are.

Etsy’s probably best-in-class, but the information we have is very fuzzy. We have information from a blog. It’s non-verifiable, not independently auditable. We’re relying on them to do the right thing and they seem to be, but we don’t know. And they’re one of the best.

If that were food you were buying, you wouldn’t accept that. •

Blunt with a capital ‘B’
“The state of app security is a disaster with a capital D.”
— Dinis Cruz, Open Web Application Security Project lead, principal security engineer, Security Innovation
Market Research
Survey Raises Specter of Massive Enterprise Software Insecurity
Annual Sonatype survey suggests enterprise app developers are leaving huge security holes with use of open source components
By InfoWorld Tech Watch

You’re studiously virus checking your desktop systems, and all your server applications are running on platforms that are regularly updated. But what about the applications themselves -- are they secure?

Sonatype recently released results of the annual Open Source Software Development Survey, which looks at the extent to which developers use open source components, with a particular focus on how they balance the competing needs of speed and security. Sonatype surveyed 3,500 people from more than 50 countries -- more than 85 percent of them developers -- to understand their approaches to assembling software. The results show the massive extent to which developers now rely on components: At least 80 percent of a typical Java application is now assembled from open source components and frameworks.

This has been the case for many years, but the full maturation of the concept of component assembly rather than writing code from scratch is well illustrated -- albeit with a focus mainly on Java components. The popularity of tools like Node Package Manager (npm), CPAN, and more recently PHP Composer suggests Sonatype’s findings probably reflect a general trend independent of the language used. Ask any employable developer and they will tell you: Components are the way things get built.

However, this raises new issues. Sonatype has determined that developers are not keeping up to date with security issues. The survey reports that 71 percent of the applications being built using components from its service use at least one component version with known security issues and for which updated versions exist with those issues addressed. In 2012, 46 million insecure versions of components were downloaded. Security used to be a matter of keeping your off-the-shelf or LAMP-stack software up to date and fully patched, but that’s not a safe assumption any more.

I asked Sonatype CEO Wayne Jackson if there was any evidence of an increase in the number of critical security issues at CERT -- known as CVEs -- that arise from component exploits rather than exploits on finished software. He investigated and found that there were. While in 2006 there were just eight CVEs that identified a component as the source of the risk, by 2012 that number had risen to 50. Today, if you want to keep your company secure it’s not enough to just keep your platforms up to date. You also need a policy that keeps your applications secure.

It’s also possible this problem is more distinct with Maven than with other component repositories, since Maven fixes the version number in the POM rather than offering version ranges. Certainly JavaScript programmers using npm and PHP programmers using PHP Composer are able to specify that use of subsequent minor versions that don’t break API compatibility is acceptable, and update their software with a simple command. But this isn’t just an open source issue or even just a Java issue; it’s probable that proprietary components purchased from closed-source suppliers are affected just as much.

Naturally Sonatype has a product to help with the problem, but the root cause is that most of us simply haven’t realized how far developer choice of components has come to dominate our systems. A black hat hacker can use an exploit on a component as a gateway to systems, and applications in the enterprise that use that component may never get updated to close the exposure and kill the exploit. The survey found that only 38 percent of the organizations surveyed have the controls needed to maintain inventories of the components in use by their applications and ensure security updates happen.

Cyber security is on the national political agenda, but do we really understand what it takes to be secure? Now that enterprise development has become component based, rather than using custom code running on off-the-shelf platforms, it’s time for enterprise development to wake up and smell the black hats. They’re targeting your components, not just your servers. •

[Chart: Component-originated CVEs per year, 2002-2012]
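As an added illustration of the component-inventory control the survey says only 38 percent of organizations have (example code written here, not Sonatype's product), the Python below builds an inventory from a Maven POM, resolves `${property}` version references, and checks each pinned version against an advisory list to report components with a known issue for which a fixed release already exists. The POM, the advisories and their `ADVISORY-EXAMPLE-n` ids are constructed placeholders, not real artifacts or CVE numbers.

```python
"""Builds a component inventory from a Maven POM and checks each pinned
version against an advisory list, reporting components with known issues
for which a fixed release exists.  The POM, the advisories and their ids
are constructed for illustration and describe no real artifacts."""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed POM: versions are pinned exactly, one of them via <properties>.
# Because Maven pins versions (no ranges), a check like this has to be rerun
# whenever the advisory feed changes; the POM will not pick up a fix on its own.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <properties>
    <web.version>2.4.1</web.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example.web</groupId>
      <artifactId>web-core</artifactId>
      <version>${{web.version}}</version>
    </dependency>
    <dependency>
      <groupId>org.example.util</groupId>
      <artifactId>parser</artifactId>
      <version>1.2.0</version>
    </dependency>
    <dependency>
      <groupId>org.example.util</groupId>
      <artifactId>logger</artifactId>
      <version>3.0.0</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisory feed: affected range is [affected_from, affected_before).
# The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADVISORY-EXAMPLE-1", "group": "org.example.web", "artifact": "web-core",
     "affected": ("2.0.0", "2.4.3"), "fixed_in": "2.4.3"},
    {"id": "ADVISORY-EXAMPLE-2", "group": "org.example.util", "artifact": "parser",
     "affected": ("1.0.0", "1.1.5"), "fixed_in": "1.1.5"},
]


def parse_version(v):
    """Split '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def inventory(pom_xml):
    """Return {(groupId, artifactId): version} with ${property} references resolved."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    props = {p.tag.split("}")[1]: p.text.strip()
             for p in root.findall("m:properties/*", ns)}

    def resolve(text):
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), text)

    comps = {}
    for dep in root.findall("m:dependencies/m:dependency", ns):
        key = (dep.findtext("m:groupId", namespaces=ns),
               dep.findtext("m:artifactId", namespaces=ns))
        comps[key] = resolve(dep.findtext("m:version", namespaces=ns).strip())
    return comps


def known_issues(comps, advisories=ADVISORIES):
    """Advisories whose affected range contains the pinned version, each with
    the fixed release the application could move to."""
    hits = []
    for adv in advisories:
        pinned = comps.get((adv["group"], adv["artifact"]))
        if pinned is None:
            continue
        lo, hi = (parse_version(x) for x in adv["affected"])
        if lo <= parse_version(pinned) < hi:
            hits.append({"component": f'{adv["group"]}:{adv["artifact"]}',
                         "pinned": pinned, "advisory": adv["id"],
                         "fixed_in": adv["fixed_in"]})
    return hits


if __name__ == "__main__":
    comps = inventory(SAMPLE_POM)
    for (group, artifact), version in comps.items():
        print(f"{group}:{artifact} {version}")
    for hit in known_issues(comps):
        print(f"UPDATE {hit['component']} {hit['pinned']} -> {hit['fixed_in']} ({hit['advisory']})")
```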
Two Steps to Radically Better Security

Expert Advice
Stop wasting your money and do computer security right with two common-sense practices
By Roger A. Grimes • InfoWorld

Here’s a shocking fact I’ve learned from 25-plus years of security consulting: Most security projects fail to improve the safety of the organizations launching them. Security will be compromised as frequently after the project as before. To put it bluntly, most computer security projects are a waste of time and money.

One reason for this dysfunction is that organizations launch way too many projects with woefully unrealistic expectations about their impact and the level of effort required to do them right. The fact is if all companies did a better job at just two defenses, their companies would be far better protected than if they were to complete the dozen-odd projects they’re attempting to pull off.

In many cases, the two defenses I recommend are inexpensive or even free. They don’t require multi-million-dollar projects dragged out for more than a year. They don’t demand cutting-edge solutions. They simply require that organizations do a better job at two things they’ve been told to do for decades. And guess what? They work.

Stop users from executing malicious programs

Most computers are compromised because users launch malicious programs. It’s that simple. That’s why application control is the single best thing you can do to improve computer security in your company.

The classic example is the fake virus alert, which prompts the user to install antivirus software that’s actually malware. But of course this ploy extends to other “apps” purporting some benefit, from games to Windows utilities that are actually malware or spyware. The classic email attachment ruse still finds suckers who blithely double-click on malware pretending to be everything from an invoice to a video of the Zumba lady.

Serious, mandatory training for end-users helps a lot, but you can never prevent all users from launching this stuff all the time. The most secure way to stop users from executing malicious programs is to deploy an application control or whitelisting program. I’ve talked a lot about the benefits of application control programs and even did a comparative review a few years ago. I’ve worked with most of them, and they’ve all improved over time.

Yet in many cases senior management will not back strict application control. I understand that. I know the challenges -- particularly with the abundance of new downloadable apps, particularly mobile ones, which carry real user productivity benefits. But understand that not implementing strict application control means you will not be able to reduce malicious risk in your environment beyond a certain point.

A less stringent approach is to enable users to download and install programs only from trusted application stores that ensure the security of their applications. Programs from trusted stores are sometimes found to be vulnerable to hacking or to have privacy issues. By and large, those are the exceptions; when caught, they are immediately removed and eradicated. Plus, most apps downloaded from application stores are automatically updated when security issues are discovered and patched. That’s great for everyone.

A corollary to controlling what can be installed is restricting who can install it. To prevent the easy installation of programs that have not been reviewed or approved, don’t let anyone run with elevated privileges or permissions most of the time. You can do this using manual processes, privilege identity management (PIM) products, Microsoft’s User Account Control (UAC), Unix/Linux’s sudoers functionality, or any other method or product that accomplishes the same goal.

The dirty little secret is that removing elevated privileges still won’t seal off your defenses. Lots of malicious programs can run or be installed without elevated security privileges. Malicious programs can accomplish nearly every wanted outcome without the user logged in as Administrator or root. They can steal passwords and identities, as well as redirect browsers to places the user didn’t intend to go. Nonetheless, you can reduce risk somewhat if users have fewer privileged accounts while reading email or surfing the Web.

Lastly, don’t neglect end-user education.
After application control, it’s the best way to prevent unwanted programs from being installed -- when it’s done right. Most end-user education misses obvious points and refers to outdated threats. Get the backing of management, conduct mandatory sessions on a regular basis, and ensure your instruction is current and specific to your organization. When users know what their own antimalware software looks like, they’re much less likely to fall for the fake stuff.

Patch everything faster

The other best defense is to patch all software in a timely way. This has been a mantra for more than two decades now, which is why it’s so surprising that so few companies patch as quickly as they should. Yes, they’re doing better at patching operating systems, but they do a horrible job at patching the most popular Internet add-on products, like Oracle Java or Adobe Acrobat, both of which have been ranked as the most exploited products for years.
Websense recently collected data that showed 74 percent of active computers were still susceptible to Java exploits from 2012. No less than 94 percent were susceptible to the latest patched Java exploit. My personal experience completely backs up these points. I rarely find a patched Java installation. I find unpatched Java on workstations and servers that have no need for Java. This same unpatched Java allows your company to be silently infected over and over.

Your company cannot plausibly claim it cares about the security of its data if it fails to patch the most exploited program of the day. I understand the frustrations and challenges of better patching. I understand that we computer security people would patch things better and faster if it was left up to us. But simply not doing this one thing better means you’ll never be free of easy computer compromise. The hackers will always enter your company’s boundaries and steal data and passwords at will. You cannot stop them.

Of course it takes more than two computer defenses to make a complete defense. You still face password-cracking hackers, SQL injections, XSS browser attacks, misconfiguration exploits, zero-day vulnerabilities, and so on. But all of those attack types, in aggregate, don’t hold a candle to the main two problems. Solve them and you’ll be a hero. •
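The two recommendations in this article, restricting who holds standing elevated privileges and keeping Java patched (including removing it from hosts that have no need for it), can be turned into a repeatable inventory check. What follows is an added example, not code from the article or from InfoWorld. The inventory rows, the approved-admin list and the "latest patched" update numbers in PATCHED_BASELINE are constructed placeholders, not real hosts or real Oracle release numbers; in practice the inventory comes from an asset-management or EDR export and the baseline from the vendor's current release notes.

```python
"""Audit a host inventory for the two defenses the article recommends:
standing admin privileges (least privilege) and Java patch level.
All data below is constructed for illustration."""
import csv
import io
import re

# Constructed inventory (not real hosts). Columns:
# host, role, java_version ('' = not installed), java_required (yes/no),
# admin_users (semicolon-separated accounts holding local admin rights).
INVENTORY = """\
host,role,java_version,java_required,admin_users
ws-001,workstation,1.7.0_45,no,alice;Domain Admins
ws-002,workstation,,no,Domain Admins
ws-003,workstation,7u51,yes,bob
ws-004,workstation,1.8.0_5,yes,Domain Admins
srv-db-01,server,1.6.0_38,no,Domain Admins
srv-app-01,server,1.7.0_51,yes,Domain Admins;svc_deploy
srv-app-02,server,1.7.0_45,yes,Domain Admins
"""

# Placeholder "latest patched" update number per Java major version.
# Not real release numbers; take these from the vendor's release notes.
PATCHED_BASELINE = {6: 71, 7: 51}

# Accounts that legitimately hold standing admin rights (constructed).
APPROVED_ADMINS = {"Domain Admins"}

_LEGACY = re.compile(r"^1\.(\d+)\.\d+_(\d+)$")   # e.g. 1.7.0_45
_SHORT = re.compile(r"^(\d+)u(\d+)$")            # e.g. 7u45


def parse_java_version(s):
    """Return (major, update) for either Java version spelling, or None.
    Both fields are integers, so 1.7.0_9 sorts below 1.7.0_45 (a plain
    string comparison would get that wrong)."""
    m = _LEGACY.match(s.strip()) or _SHORT.match(s.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def java_finding(version, required, baseline=PATCHED_BASELINE):
    """Classify one host's Java state:
    'not_installed' - nothing to do
    'remove'        - installed where nothing needs it (the article's most common find)
    'patch'         - needed but below the patched baseline
    'ok'            - needed and at or above the baseline
    'review'        - unparseable version or a major version not in the baseline"""
    if not version:
        return "not_installed"
    if not required:
        return "remove"
    parsed = parse_java_version(version)
    if parsed is None or parsed[0] not in baseline:
        return "review"
    major, update = parsed
    return "ok" if update >= baseline[major] else "patch"


def unapproved_admins(admin_field, approved=APPROVED_ADMINS):
    """Accounts with standing local admin that are not on the approved list."""
    accounts = [a.strip() for a in admin_field.split(";") if a.strip()]
    return [a for a in accounts if a not in approved]


def audit(inventory_text):
    """Run both checks over a CSV inventory; returns {host: {...}}."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_text)):
        results[row["host"]] = {
            "java": java_finding(row["java_version"],
                                 row["java_required"].strip().lower() == "yes"),
            "unapproved_admins": unapproved_admins(row["admin_users"]),
        }
    return results


def summarize(results):
    """Counts per Java finding, plus the hosts with unapproved standing admins."""
    counts = {}
    for r in results.values():
        counts[r["java"]] = counts.get(r["java"], 0) + 1
    priv_hosts = sorted(h for h, r in results.items() if r["unapproved_admins"])
    return counts, priv_hosts


if __name__ == "__main__":
    res = audit(INVENTORY)
    for host, r in res.items():
        print(f"{host:12} java={r['java']:14} unapproved_admins={r['unapproved_admins']}")
    counts, priv_hosts = summarize(res)
    print("java summary:", counts)
    print("hosts with unapproved standing admins:", priv_hosts)
```

The "remove" finding is deliberately raised regardless of patch level: a fully patched Java on a host that does not need it is still attack surface that will drift out of date, which is exactly the situation the article describes finding on workstations and servers. The numeric version parsing matters because update numbers such as _9 and _45 compare the wrong way as strings.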
Application Security Resources
Tips and tools

2012 Cost of Cyber Crime Study: United States
The focus of this study is to quantify the economic impact of cyber attacks and observe cost trends over time. The loss or misuse of information is the most significant consequence of a cyber attack, and it comes at significant financial cost.

Know the Big Three
The rapid transformation of mobile computing has seen security concerns outpaced by the ease of use, flexibility, and productivity of mobile devices. Here we take a look at three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.

Rethinking Your Enterprise Security: Critical Priorities to Consider
Forward-thinking enterprises realize they need to focus on a sustainable approach to security and risk management—one that is designed to address the new wave of vulnerabilities that prevail due to increasing trends in IT consumerization, mobility, social media, cloud computing, and cyber crime.

Big Security for Big Data
The multitude of devices, users, and generated traffic combine to create a proliferation of data that is being created with incredible volume, velocity, and variety. As a result, organizations need a way to protect, utilize, and gain real-time insight from “big data.” So, how do you get started?

2012 HP Cyber Risk Report
In the HP 2012 Cyber Risk Report, HP Enterprise Security provides a broad view of the vulnerability landscape, ranging from industry-wide data down to a focused look at different technologies, including web and mobile.