With the explosion of web applications available for users to transact and achieve their personal and business objectives online, such as online banking, shopping, booking travel and managing financial portfolio, comes a host of new and ever-changing threats to data security.
For a number of reasons, including quick time-to-market, web applications are inherently susceptible to defects and expose a significant risk to organizations. The prevalence of web applications makes this an opportune time for VARs with security expertise.
IDC predicts the web security appliance market to grow at a rate of 23.6 percent per year for the next five years, from $256.7 million in 2007 to $745.4 million by 2012. Such robust growth is not surprisingthe SANS Institute reports that 50 percent of web applications have major vulnerabilities. Web application security is no longer an option, but a must. But what are the top web application security challenges? And how can resellers capitalize on this market by offering web security solutions that address the evolving threatscape for their customers?
THE SECURITY PARADIGM SHIFT
Web applications have fundamentally changed the security gamebut your customers may not fully understand that yet. Most IT professionals have traditionally been responsible for securing networks with established technologies such as network firewalls, intrusion detection systems (IDS) and SSL VPNs. In addition, corporate networks are relatively static from environment to environment. Web applications, however, are dynamic. Companies may have dozens or even hundreds of web applications available on their web sites, and many of these applications change every day.
No two web applications are the same, which means that, while two competing banks may offer online bill pay functionality, the underlying web applications powering the function are entirely different. As such, web applications can originate from multiple sources, including internal development, outsourcing, third party packages or inherited through merger or acquisition. It is especially challenging to secure web applications when the application code may not even be accessible.
WEB APPLICATION SECURITY CHALLENGES
By educating your customers about the challenges specific to web application security, resellers and systems integrators can add significant value and establish a clear, compelling case for deploying a web application firewall or adding a web application security service via a hosted offering.
Top security challenges your enterprise customers face include:
Encrypted traffic More than 50 percent of network traffic in a corporate environment is encrypted with SSL to protect the exchange of sensitive information between customers, partners and employees. While many network security technologies market themselves as protecting against encrypted threats, they often fall short. For example, intrusion detection systems (IDS) and intrusion protection systems (IPS) are seldom capable of looking inside encrypted streams therefore requiring termination of SSL upstream in the data path. IDS/IPS technologies are designed to inspect inbound traffic and do not understand the context of a web conversation. In short, SSL equates to IDS evasion for hackers.
Session Tracking Since HTTP is a stateless protocol, session tracking must be built in by application developers. Creating or implementing a secure session management system is often not the priority for development teams struggling to build applications on time and on budget under competitive market demands. Session management weaknesses open the door for hackers to exploit application code. For example, hackers often exploit insecure session management with an attack called session hijacking or cookie poisoning resulting in user privilege escalation. These tactics can only be detected by maintaining a server-side user session state tree to detect when a session tries to impersonate another.
Organizational Considerations Application rollouts are usually driven by competitive demands with functionality, availability and performance taking a higher priority than security. Development teams often do not have time to fully test an application. Unfortunately, reusing insecure code can further propagate vulnerabilities, as organizations rarely have implemented a feedback loop from production into design and development. Fortunately, compliance drivers, such as the Payment Card Industrys Data Security Standards, are forcing organizations to change their approach to how they secure their applications.
THE CASE FOR WEB APPLICATION SECURITY TECHNOLOGIES
While the challenges of securing web applications seem severe, the cost of data leakage is even steeper. Since January 2005, more than 215 million records containing personal information have been stolen, according to the Privacy Rights Clearinghouse. And a 2007 Ponemon Institute study found that the financial impact of identity theft breaches are on the rise with an average cost of $6.3 million per incident.
Today, approximately 80 percent of successful attacks against organizations are occurring due to exploitation of vulnerabilities in Web applications. Attackers are able to exploit insecure code within applications to gain access to confidential data. More specifically, MasterCard has stated that SQL injection is the top reason for card data compromise.
While web applications offer new and convenient ways to interface with consumers online, they also expose organizations to significant risk through threats such as SQL injection or Cross Site Scripting. Hackers are actively analyzing applications to understand them and exploit their underlying mechanisms. Resellers need to educate their customers about how to maintain the integrity of web applications.
Web application defects are directly tied to security vulnerabilities, lost revenues, and dissatisfied customers. Testing alone cannot uncover all vulnerabilities. Using a web application firewall that offers real-time monitoring for defects and protection against attacks of production applications is essential. The results should be used not only to block attacks, but to work closely with development teams and application owners to remediate weaknesses in the code itself.
About the author
Sanjay Mehta (pictured), senior vice president at Breach Security, has more than a decade of experience driving revenue growth and strategic business opportunities for technology companies, resellers and systems integrators.