Working Smarter: A Sensible Way to Review Web App Security
Despite object-oriented code and reusable modules, many IT organizations have chosen to live with avoidable vulnerabilities.
by Brad C. Johnson

Posted November 13, 2003

Business-critical Web applications are becoming ubiquitous. Unfortunately, exposure to vulnerabilities in these business transaction sites has become one of the highest security risks on the Internet today. Why is that? Simply, the need for rapid development and deployment of Web-based business functionality has caused many organizations to put aside their time-tested application design and development methodologies used in pre-Internet environments. The result is a high percentage of business applications being deployed on the Internet before they have been scrutinized for security-related issues. This affords hackers and other determined intruders ample opportunity to access or even compromise sensitive information within the enterprise's systems. Clearly, an efficient and effective security code review methodology is needed to compensate for the control deficiencies in today's typical Web application development process.

Web Application Development Problems
The rapid deployment of business applications in general, and Web-based applications in particular, has come at the price of using these applications before IT staffs properly test or secure them. Most development organizations have their hands full just trying to perform function, unit, and feature testing. They are often frustrated because they don't have the time to put their applications through the rigors of an assessment focused on finding and resolving security-related problems.

Security, thankfully, has become an important aspect of sound business practice, and most organizations understand the need to be proactive and review their policies, procedures, and applications to help prevent security breaches. To really understand the overall security and business risk, one needs to consider several different aspects of the environment (for example, networks, hosts, software infrastructure, and applications). There are a variety of techniques that are commonly used to assess these areas, including conducting penetration analysis, hardening and scanning hosts and networks, running exploit tools, and performing third-party security assessments of applications.

For any Web-based application, however, there is no substitute for a hands-on review of the actual source code. The problem lies in the fact that with object-oriented code, reusable modules, outsourced development, and the time pressures of the marketplace, organizations deploy these often-huge code bases without a qualified review of the key features and functions that a hacker might subvert to gain direct access to enterprise data or systems. This is an increasing danger with the growth of Internet connections deep into enterprise systems, which feeds the shared use of data with other servers, applications, and databases throughout businesses today.

Obviously, there needs to be some type of code review process. A thorough evaluation of every line of code would be helpful but is usually impractical. Most organizations can't afford the time and money required for a line-by-line code review, and, because they are unaware of viable alternative approaches, they perform no code review at all.

What is the Problem?
The typical business application is the result of a long and complex process: architecture, design, implementation, functional testing, quality assurance testing, production deployment, ongoing maintenance, and functional enhancement.

During the past 10 years, we have seen a significant increase in the need for security-oriented code reviews of business applications. The main reason is simple: the time-to-market pressure to introduce enhanced functionality in the fast-paced Web world is compressing the development cycle. As a result, security issues are often unrecognized, ignored, or expected to be addressed after the application has already gone into production.

A lack of security skills in organizations compounds this problem. Most business application developers are hired for their skills in design, implementation, and testing in specific programming languages—not in writing secure code. Therefore, many of these applications have a myriad of inherent security flaws that make them vulnerable when deployed in an intranet, extranet, or Internet environment. Significant benefit can be gained by identifying these problems before the applications are released into production.
