Showing posts from March 2012
02 Mar 2012
A new Quocirca report underlines the scale of the application security challenge faced by businesses. The average enterprise tracks around 500 mission-critical applications, in financial services organisations it is closer to 800. The security challenge arises because more and more of these applications are web-enabled. Furthermore, businesses are increasingly relying on software provided as a service (SaaS) and apps that run on mobile devices, both of which are, by definition, web-enabled.
Businesses worry about application security for three reasons. First, security failures leave them vulnerable to hackers and malware; second, auditors expect application security to be demonstrable; and third, customers, with whom they share business processes via applications, are also increasingly likely to seek security guarantees.
There are a number of approaches that can be taken to ensuring better application security. For in-house developed software, best practices can be better ensured through training of developers. For commercially acquired software, due diligence during procurement is necessary, seeking assurances from independent software vendors (ISVs). However, these measures can never ensure that software is 100% secure.
For this reason, three other approaches should be considered:
1. Application scanning: scanning software for vulnerabilities so that flaws are eliminated in the first place. There are two approaches: the static scanning of code or binaries before deployment and the dynamic scanning of running binaries during testing or after deployment. Static scanning is exhaustive, looking at every line of code. Scans can be conducted as regularly as is deemed necessary. Whilst on-premise scanning tools have been relied on in the past, the use of on-demand scanning services has become increasingly popular, as the providers of such services have visibility into the tens of thousands of applications scanned on behalf of thousands of customers. Such services are often charged for on a per-application basis, so unlimited scans can be carried out, even on a daily basis. The relatively low cost of on-demand scanning services makes them affordable and scalable for all applications, including non-mission-critical ones.
2. Manual penetration testing (pen-testing): where specialist third parties are engaged to test the security of applications and the effectiveness of defences. These are white hats, deliberately trying to hack applications but with no bad intent (as opposed to black hats). Because actual people are involved in the process, pen-testing is relatively expensive and only carried out periodically; new threats may emerge between tests. Most organisations will find pen-testing unaffordable for all deployed software, so it is generally reserved for the most sensitive and vulnerable applications.
3. Web application firewalls (WAFs): these are placed in front of applications to protect them from application-focussed threats. They are more complex to deploy than traditional network firewalls and, whilst affording good protection, do nothing to fix the underlying flaws in the software. WAFs also need to scale with traffic volumes: more traffic means more cost.
100% software security is never going to be guaranteed, and many organisations use multiple approaches to maximise protection. Interestingly, although one of the reasons for having demonstrable software security is to satisfy auditors, compliance bodies do not themselves mandate multiple approaches for compliance. For example, the Payment Card Industry Security Standards Council (PCI-SSC) deems code scanning to be an acceptable alternative to a WAF.
For today’s businesses the use of software is not a choice; however, the methods chosen to improve software security and, in turn, the costs involved and the benefits achieved are. Using the right mix of approaches at all stages of the software development, procurement and deployment life cycle will improve the efficiency, reliability, security, compliance and competitiveness of business processes.
Quocirca’s report “Outsourcing the problem of software security” is freely available here.
A Quocirca online webinar on this topic will be available from March 16th 2012 here.
Bob Tarzey, Analyst and Director, Quocirca
If you are trying to compromise an organisation’s IT systems in some way, then you need to have access. Getting a given user’s log-in details is a starting point but might not get you that far, unless they are a user with privilege. Privileged users have much wider ranging access than “normal” users, often far more than they need. Privileged user accounts are therefore of great interest to hackers.
A responsible system administrator (sys-admin) should at least have a strong password and keep it secret. However, it is clear from recent Quocirca research that there are likely to be plenty of privileged user accounts out there that are not even associated with active sys-admins, let alone responsible ones.
They fall into two categories:
1. Default accounts supplied with software may be left in place; 58% of organisations confirmed that they did not have full control over the management of such accounts.
2. Accounts left in place when a privileged user leaves an organisation or moves to a position that no longer requires privileged access; 54% of organisations admitted they did not fully control the removal of such accounts.
Default privileged user accounts can be searched for and closed down. Ensuring privileges are removed from users who no longer need them can be controlled either by making the allocation of privileges an extension of standard identity and access management, or by granting all privileges on an “as needs” basis for a limited period of time through the use of password vaults.
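The two categories above lend themselves to a routine reconciliation check. The following is an added example, not code from the Quocirca report: it compares a snapshot of a privileged group's membership with a list of known default account names and an HR/IAM list of who currently holds a role that justifies privilege, and flags enabled default accounts, orphaned accounts and accounts that have gone unused. All account names, dates and lists are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    name: str
    enabled: bool
    last_login: Optional[date]  # None means the account has never logged in

# Constructed snapshot of a privileged group (think sudo or domain-admin membership)
PRIVILEGED_MEMBERS = [
    Account("admin", True, None),                 # vendor default, never used
    Account("dbadmin", True, date(2011, 6, 1)),   # legitimate role, but long idle
    Account("bwhite", True, date(2012, 2, 28)),   # moved to a non-IT role, still privileged
    Account("asmith", True, date(2012, 3, 1)),    # active, authorised sys-admin
    Account("ljones", False, date(2010, 1, 5)),   # already disabled
]

# Constructed list of well-known default/vendor account names to look for
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "root", "sa", "guest"}

# Constructed HR/IAM view: users whose current role justifies privileged access
AUTHORISED_PRIVILEGED_USERS = {"asmith", "dbadmin"}

def audit_privileged_accounts(members, defaults, authorised, today, stale_days=90):
    """Return (account, reason) findings, sorted by account name."""
    findings = []
    for acct in members:
        if not acct.enabled:
            continue  # a disabled account is not a live exposure
        if acct.name.lower() in defaults:
            findings.append((acct.name, "default account still enabled"))
        elif acct.name not in authorised:
            findings.append((acct.name, "orphaned: no current role requires privilege"))
        elif acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append((acct.name, f"unused for more than {stale_days} days"))
    return sorted(findings)

def default_audit():
    """Run the audit over the constructed data as of 14 March 2012."""
    return audit_privileged_accounts(PRIVILEGED_MEMBERS, DEFAULT_ACCOUNT_NAMES,
                                     AUTHORISED_PRIVILEGED_USERS, date(2012, 3, 14))

if __name__ == "__main__":
    for name, reason in default_audit():
        print(f"{name:10} {reason}")
```

Findings of the first two kinds are candidates for immediate removal; idle but authorised accounts are where a time-limited password vault, as described above, replaces standing privilege.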
This is not just an issue with regard to external hackers. Ask the French bank Société Générale: the rogue trader Jérôme Kerviel, who lost it €4.9 billion, perpetrated his fraud and covered his actions for a couple of years because of privileged user access that he had been granted to carry out a previous IT administrator-related job, and which had not been revoked when he moved to the trading floor.
To see the full research behind this and get a free copy of Quocirca’s report – “Conquering the sys-admin challenge” – click here.
Bob Tarzey – Analyst and Director, Quocirca.
14 Mar 2012
In recent Quocirca research, businesses report that on average their system administrators (sys-admins) make errors carrying out about 6% of tasks. This might not sound much, but actually it adds up to quite a big number.
If system administrators carry out an average of 10 tasks per day, or 50 per working week, that is 3 errors per week, or around 150 per year. And remember, these are errors under privilege. “Normal” users may accidentally delete a file or send an email to the wrong recipient. Privileged users may be reformatting a disk drive or writing new rules for a firewall. Here errors may lead to lost data, major security vulnerabilities or inconvenienced users who can no longer access the systems they need to do their job.
The degree to which errors are made varies from one organisation to the next; the research shows industrial organisations to have the highest error rate and retail ones the lowest. This may be because industrial organisations deal with less regulated data, but they are still vulnerable to system outages caused by errors.
Making it easier to identify the target devices requiring maintenance, and getting system administrators to confirm the identity of those devices and their intended actions before carrying them out, can mitigate the problem and reduce overall error rates.
To see the full research behind this and get a free copy of Quocirca’s report – “Conquering the sys-admin challenge” – click here.
Bob Tarzey, Analyst and Director, Quocirca
About The big picture blog
Business and IT insights from research and analyst firm Quocirca