There's a Bounty on Your Applications

Anthony Haywood

At Idappcom, we'd argue that certain security schemes are nothing short of a publicity stunt and, in fact, can be potentially dangerous to an end user's security.

One concern is that, by inviting hackers to trawl all over a new application prior to its launch, you grant them more time to interrogate it and identify weaknesses that they may decide are more valuable if kept to themselves. Once the first big announcement is made detailing who has purchased the application, and where and when the product is to go live, the hacker can use this insight to breach the system and steal the corporate jewels.

A further worry is that, while on the surface it may seem that these companies are being open and honest, if a serious security flaw were identified would they raise the alarm and warn people? It's my belief that they'd fix it quietly, release a patch and hope no one hears about it. The hacker would happily claim the reward, promise a vow of silence and then "sell" the details on the black market leaving any user, while the patch is being developed or if they fail to install the update, with a great big security void in their defenses just waiting to be exploited.

Sometimes it's not even a flaw in the software that can cause problems. If an attack is launched against the application, causing it to fail and reboot, then this denial of service (DoS) attack can be just as costly to your organization as if the application were breached and data stolen.

A final word of warning is that, even if the application isn't hacked today, it doesn't mean that tomorrow they're not going to be able to breach it. Windows Vista is one such example. Microsoft originally hailed it as the most secure operating system it had ever made and we all know what happened next.

A Proactive Approach to Security

IT's never infallible and, for this reason, penetration testing is often heralded as the hero of the hour. That said, technology has moved on and, while still valid in certain circumstances, historical penetration testing techniques are often limited in their effectiveness. Let me explain: A traditional test is executed from outside the network perimeter with the tester seeking applications to attack. However, as these assaults are all from a single IP address, intelligent security software will recognize this behavior as the IP doesn't change. Within the first two or three attempts the source address is blacklisted or firewalled and all subsequent traffic is immaterial as all activities are seen and treated as malicious.
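The effect described above can be made concrete by replaying a test run through a source-blacklisting defence and labelling what each result actually shows. This is an added example, not part of the original article; the function names, the threshold of three detections and the sample run are assumptions constructed for illustration.

```python
from collections import Counter

BLOCK_THRESHOLD = 3  # assumed: detections from one source before it is blacklisted

def replay(test_cases, threshold=BLOCK_THRESHOLD):
    """Replay (source_ip, case_id, signature_hit) tuples through a
    source-blacklisting defence and label what each result really shows."""
    detections = Counter()
    blocked = set()
    results = []
    for src, case_id, signature_hit in test_cases:
        if src in blocked:
            # Dropped on source address alone; the payload was never inspected.
            results.append((case_id, "dropped_by_blacklist"))
            continue
        if signature_hit:
            detections[src] += 1
            results.append((case_id, "detected"))
            if detections[src] >= threshold:
                blocked.add(src)
        else:
            results.append((case_id, "missed"))
    return results

def coverage(results):
    """Fraction of test cases whose outcome reflects payload inspection."""
    inspected = [r for r in results if r[1] != "dropped_by_blacklist"]
    return len(inspected) / len(results)

def hidden_misses(test_cases, results):
    """Cases the engine would have missed but that the report shows as blocked."""
    outcome = dict(results)
    return [cid for _, cid, hit in test_cases
            if not hit and outcome[cid] == "dropped_by_blacklist"]

# Constructed sample: ten test cases from one tester address (RFC 5737 range).
# signature_hit states whether the detection engine would recognise the payload.
SAMPLE = [("192.0.2.10", f"case-{i:02d}", hit) for i, hit in enumerate(
    [True, True, False, True, False, False, True, False, True, False], start=1)]

if __name__ == "__main__":
    res = replay(SAMPLE)
    for case_id, label in res:
        print(case_id, label)
    print("coverage:", coverage(res))
    print("hidden misses:", hidden_misses(SAMPLE, res))
```

Only the cases labelled `detected` or `missed` say anything about the detection engine; the rest of the report reflects the blacklist, including payloads the engine would not have recognised.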

An Intelligent Proactive Approach to Security

There isn't one single piece of advice that is the answer to all of your prayers. Instead, you need two and both need to be conducted simultaneously if your network is to perform in perfect harmony. The two pieces of advice are to combine application testing with intrusion detection.


The reason I advocate application testing is that if you have an application that's public-facing and it was compromised, the financial impact to the organization could potentially be fatal. There are technologies available that can test your device or application with a barrage of millions upon millions of iterations, using different broken or mutated protocols and techniques, in an effort to crash the system. If a hacker were to do this, and cause it to fall over or reboot, this denial of service could be at best embarrassing, but at worst detrimental to your organization.

Intrusion detection, capable of spotting zero-day exploits, must be deployed to audit and test the recognition and response capabilities of your corporate security defenses. It will substantiate that not only is the network security deployed and configured correctly, but that it's capable of protecting the application that you're about to make live or have already launched, irrespective of the service it supports, be it e-mail, a Web service, anything. The device looks for characteristics in behavior to determine if an incoming request to the product or service is likely to be good and valid, or if it's indicative of malicious behavior. This provides not only reassurance, but all-important proof, that the network security is capable of identifying and mitigating the latest threats and security evasion techniques.

My best advice would be that, instead of relying on others to keep you informed of vulnerabilities in your applications, you must regularly inspect your defenses to make sure they're standing strong. If you don't, the bounty may as well be on your head.
 



Jun 7, 2011 7:06 AM Office 2007 says:
The device looks for characteristics in behavior to determine if an incoming request to the product or service is likely to be good and valid, or if it's indicative of malicious behavior. This provides not only reassurance, but all-important proof, that the network security is capable of identifying and mitigating the latest threats and security evasion techniques.
