IDC VENDOR SPOTLIGHT

Securing Web Applications: The Time Is Now

July 2006

Adapted from Worldwide Security and Vulnerability Management Software 2005–2009 Forecast and Analysis: Taking Control of the Security Environment by Charles J. Kolodgy and Rose Ryan, IDC #34604

Sponsored by Cenzic

Not long ago, Web application security was the least of an IT professional's worries. Times have changed. The combination of improved network defenses, hackers motivated by profit rather than notoriety, expanded deployment of Web-based business applications, the increased value of Web-based ecommerce transactions, the availability of critical data through Web technology, and heightened regulatory requirements makes Web application security a top consideration. Enterprises understand the need to improve security in this area and have deployed various security products (including Web application firewalls, Web single sign-on, and encryption) to defend against Web application attacks. However, most of these solutions deal with the symptoms but do not reach the root cause: insecurities inherent in the Web applications themselves. Enterprises need to look at the application software if they want to substantially improve Web application security. Specifically, they need to use software testing that can automatically review applications for security problems. This document examines the market drivers and technology associated with software security code review products and discusses how Cenzic is addressing this need.

Introduction: Web Is Driving Force for Business

It's no secret that IT is an integral component of the business environment. In IDC surveys of business executives, over 80% of respondents indicate that IT performance is critical or important to business success. The same surveys show that executives want to focus on key applications to meet their customers' needs: IT is to be used to create more business value and to increase the number of high-value transactions.
The Internet is a key avenue of interaction with customers. Web applications and ecommerce are today's storefronts. For many businesses, especially small ones, a Web presence is the "I exist" statement. A Web site can be the great equalizer, allowing a small business to look and feel like a larger one. Nearly 80% of all businesses with Web access have public Web sites, and many of them are engaged in ecommerce, taking orders and accepting credit cards online. A corporate Web site transforms the landscape in which applications are used, from an environment of limited access to one providing wide-open, 24 x 7 admission.

Today's Web sites are no longer static, informational electronic brochures; they are multifeatured, dynamic showcases offering functions such as customer support, special content for registered visitors, and online ordering. Web pages are no longer written by hand; they are generated and customized based on users' requests. The Web application front end receives input from the client-side browser and responds by returning dynamic pages built from that input and from back-end databases. These complex Web applications, now comprising Web servers, interface code, front- and back-end applications, and databases, are the gateway to business success. But they are also fraught with danger.

"But People Are Supposed to Come In"

The growth and proliferation of the dynamic Web create a conundrum for companies. Web applications are designed to make customers and partners visit and interact with Web sites: to buy products, interact with the company, gather information, and carry out many other critical business processes. Use of this technology greatly enhances business opportunities. On the other hand, the openness of Web applications offers attackers an avenue to critical back-end databases that are not otherwise reachable from the outside.
The threat to Web applications is heightened because attackers are no longer merely mischievous; they are motivated by profit. Today's attackers are out to steal something, be it money, corporate secrets, or user data. This changing threat environment raises the stakes and makes Web application security an imperative. The problem is that, although security is generally thought of as something that prohibits, companies need people to visit and interact with their Web sites, which makes it harder to lock those sites down.

To protect Web-based applications, enterprises are addressing the symptoms by installing application firewalls, using Web-based authentication and authorization, deploying encryption, and patching commercial software. As in any defense-in-depth strategy, these mechanisms are important, but in a Web environment they don't get to the root of the problem: the dynamic capabilities of Web applications and the design and implementation of the application code itself. Because interactive Web applications execute based on arbitrary data sent by a user, there is a danger that malicious commands will be passed through to the scripts that process that data. Many Web application attacks rest on a malicious user's ability to supply input that the system then processes outside its design intent; they include URL manipulation, session hijacking, cookie poisoning, buffer overflows, SQL injection, forceful browsing, and other methods. Many of these attacks will not be stopped or detected by network firewalls or intrusion detection systems, because the requests carrying them are well-formed HTTP that the application itself accepts. It's critical that only input in a format the application expects and can process be accepted and acted upon. As Web applications become more complex and automated, the probability grows that an application carries inherent security flaws waiting to be exploited. IT professionals are already aware of this problem.
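The point above, that input must be accepted only in the form the application expects and must never be executed as a command, is easiest to see on SQL injection. The following is an added example, not code from the IDC paper or from Cenzic: the same user lookup written the way the paper warns about (user-supplied text concatenated into the query) and the way it recommends (an allow-list on the input plus bound parameters). The schema, the sample rows, the password handling and the bypass payload are all constructed for the example; a real system would store password hashes, not plaintext.

```python
"""Added example: injectable vs. hardened user lookup (constructed data)."""
import re
import sqlite3


def make_db():
    """Constructed stand-in for the back-end database the paper describes.
    Plaintext passwords are used only to keep the example short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct horse"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, username, password):
    """Builds the statement by string formatting: whatever the browser sends
    becomes part of the SQL text, so attacker-controlled input is executed as
    a command instead of being treated as data."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


# Allow-list for the username field: only the format the application expects.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def login_hardened(db, username, password):
    """Rejects input outside the expected format and passes both values as
    bound parameters, so the database driver never parses them as SQL."""
    if not USERNAME_RE.match(username):
        return None  # reject outright rather than try to "sanitise"
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# Constructed attack input: the classic authentication-bypass payload.
BYPASS = "' OR '1'='1"


def demo():
    """Runs the payload against both versions and returns what each grants."""
    db = make_db()
    return {
        # password clause becomes: password = '' OR '1'='1'  -> always true
        "vulnerable": login_vulnerable(db, "alice", BYPASS),
        # same payload is just a (wrong) password string here
        "hardened": login_hardened(db, "alice", BYPASS),
        # legitimate credentials still work
        "legit": login_hardened(db, "alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable version the payload is accepted as a password and rewrites the WHERE clause, so the first row is returned and the attacker is logged in as alice without knowing any password. In the hardened version the same bytes reach the database only as a bound parameter value, and a payload placed in the username field never reaches the database at all because it fails the allow-list.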
According to IDC's Enterprise Security Surveys from 2004 and 2005, nearly one in five respondents reported having been subjected to an exploit through a flaw in a Web application. Among very large enterprises alone, that number rises to one in four. The real figure is in all probability higher, because many smaller enterprises either don't like to admit attacks or are not aware that attacks have taken place. IDC believes the problem is that Web applications are rarely developed with security in mind, or that security is overlooked because of go-to-market pressures. Even in companies with the best of intentions, application security often suffers because developers lack strong security training, quality assurance methods may not concentrate on security functionality, and hurried development schedules reduce the amount of testing performed. One of the weaknesses is insufficient use of automated security code vulnerability and testing solutions.

Regulatory Monkey Wrench

In addition to the problems addressed above, regulatory compliance is another critical consideration for Web applications. Over the past few years, there has been considerable government emphasis on the protection of personal information. Both the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) require that personal information, such as social security and credit card numbers, be protected. Other regulations, such as California SB 1386, require notification when protected personal information is disclosed to those without legitimate access. Given that much of that data resides in the same databases that can be accessed via a Web application, protection of that data in accordance with corporate policy must be validated. Additionally, the Federal Trade Commission has fined companies that, due to a hack or other security breach, violated their stated privacy policies.
This environment makes it doubly imperative that organizations secure their Web applications.

Start at the Beginning

The root of security vulnerabilities ultimately resides within the applications that attackers exploit. Thousands of new software vulnerabilities are discovered each year. In 2005, the CERT Coordination Center (CERT/CC) reported nearly 6,000 vulnerabilities, 50% more than the average of nearly 4,000 per year reported between 2002 and 2004. As daunting as these statistics appear, they are not what keeps security professionals awake at night. That special worry is reserved for the unknown vulnerability in both commercial and custom software: what you don't know is the greater threat, because it is more difficult and unsettling to defend against an unknown vulnerability than a known one.

To meet security and regulatory requirements in a world of proliferating software vulnerabilities, made more dangerous by a dynamic Web application environment, solutions must go well beyond what traditional security products can offer. IDC believes the best way to deal with the totality of software and application security is to complement perimeter security barriers with a software development life cycle that includes security testing of the inner workings of applications. This approach covers all applications, but it is particularly critical for Web applications because of their outward focus. Most people understand the need for functional testing to ensure that applications provide the services expected; what is often overlooked is testing to ensure that applications do not include unintended operations, many of which become security vulnerabilities. This testing is more critical in Web applications because of the way they receive and process unstructured user input. The Web application has no control over what a user sends; it controls only how that input is handled and what is returned.
A key to security testing of software is to uncover unexpected, unintended, undocumented, or unknown functionality. Security testing tools alone do not make software secure, but as part of a software security program they help reduce the attack surface. Beyond reducing the risk of security breaches and improving policy and regulatory compliance, improving software security brings considerable additional benefits. Maintaining software becomes less expensive, because more secure code should be more reliable, reducing patching and production downtime. In the long run, development times improve because of the knowledge gained during testing and the implementation of best practices. All this is especially true the earlier in the development cycle that companies use the tools: errors are much easier and much less costly to repair early in the process.

Enterprises can address Web application security testing in four ways:

1. Use in-house manual reviews
2. Hire a service to manually review the application and provide a report of security issues
3. Purchase a testing tool and use it for their own testing and remediation
4. Take a hybrid approach by using a service that hosts an automated security scanner (i.e., software as a service [SaaS] or a managed service)

The latter three approaches have their merits, but IDC believes that using application security testing software (either in-house or delivered as SaaS) allows for a repeatable process. Enterprises can test more often, scale to cover many applications, save the costs associated with a professional service, and integrate the tools into their software development life cycles. Many tools are available in the market, but IDC believes that enterprises should look for Web application code testing products with the following characteristics:

- Support for commercial and custom applications. Products should provide full support for commercial off-the-shelf (COTS) as well as custom and proprietary applications. Solutions must both handle published vulnerabilities using a signature database and provide test attacks that can be applied to any application.

- Comprehensive attack library. A comprehensive attack library spans all critical categories, not just the basic coverage that typically includes buffer overflow, cross-site scripting (XSS), and SQL injection. Additional critical tests should include session hijacking, session ID randomness, authentication bypass, and application logic tests such as checking for weak passwords, social security number exposure, and others.

- Full software life-cycle support. Companies should look for a suite of tools, or preferably one product, that addresses the entire software life cycle (development, quality assurance, production). This means the testing can examine both the underlying application code and the deployed application.

- Attack simulation. Tools need to be able to reproduce how an attacker would attempt to penetrate the application. This category is also referred to as penetration testing, dynamic testing, or black-box testing.

- Low false positives. It's critical that tools accurately call out vulnerabilities. Too many "ghosts" or false alarms greatly reduce the cost and time savings associated with the tools and may mean real vulnerabilities are overlooked.

- Ability to identify specific error location. Black-box testing solutions should be able to show the URLs at which the vulnerability is found.

- Remediation advice. The solution should provide information on how to fix the software to remove or reduce the vulnerability. Detailed information and remediation advice have the added benefit of educating developers on secure coding practices.

- Policy and regulatory checks. Security isn't the only consideration; the products also need to check whether the application adheres to specific policies and regulatory requirements.

- Measurement tools. Without the ability to measure and monitor the progress of testing, companies can't determine whether they are winning or losing the battle.

- Multiple delivery methods. Delivery of the tool should be flexible enough to meet most customer needs. In most cases, the product(s) can be delivered as software or as a service (generally considered SaaS).

Application Vulnerability Assessment Market

Although application vulnerability assessment is a relatively new software market, IDC believes that dedicated Web application security scanning will become a component of a complete Web application security program. IDC has sized and forecast the application vulnerability assessment and penetration testing market, which includes products specifically designed to test an application's ability to resist both specific attacks and attacks based on general hacking techniques. Application scanners avoid general vulnerability checks, such as port scans or patch checks, and concentrate on vulnerabilities associated with direct interaction with applications. They include scanners that examine deployed applications and scanners that review source code. Table 1 provides the forecast for the application vulnerability assessment software market. Although this market was less than $50 million in 2004, IDC believes it will more than triple to $145.3 million by 2009. The total addressable market is much larger if application security assessment and penetration testing services are included. The next step in this evolution is to apply vulnerability discovery testing throughout the software development life cycle so that vulnerabilities can be eliminated before a program becomes operational.
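Three of the checklist items above (an attack library, attack simulation against the deployed application, and reporting the exact URL where a finding was triggered, with the benign request used as a baseline to keep false positives down) can be shown together in a very small black-box scanner. This is an added example, not the paper's material and not Cenzic's product code: the target application, its three endpoints (two deliberately flawed, one correctly escaped), the payloads and the database-error markers are all constructed for the example, and the "application" is an in-process function rather than an HTTP server so the block runs offline.

```python
"""Added example: minimal black-box attack simulation (constructed target)."""
import html
import sqlite3
from urllib.parse import urlencode

# ---- constructed target application ---------------------------------------
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE items (id INTEGER, name TEXT)")
_db.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])


def target_app(path, params):
    """Stand-in for a deployed Web application: returns (status, body)."""
    if path == "/search":
        # flaw 1: query string reflected into HTML without escaping
        return 200, "<h1>Results for %s</h1>" % params.get("q", "")
    if path == "/item":
        # flaw 2: id concatenated into SQL; the raw DB error is returned
        try:
            row = _db.execute(
                "SELECT name FROM items WHERE id = %s" % params.get("id", "0")
            ).fetchone()
        except sqlite3.Error as exc:
            return 500, "Database error: %s" % exc
        return 200, "<p>%s</p>" % html.escape(row[0] if row else "none")
    if path == "/about":
        # correctly escaped: a scanner must not flag this one
        return 200, "<p>%s</p>" % html.escape(params.get("lang", "en"))
    return 404, "not found"


# ---- attack library: each probe is paired with its own detector -----------
DB_ERROR_MARKERS = ("syntax error", "unrecognized token", "ora-",
                    "odbc", "mysql_", "pg_query")


def detect_reflection(probe, status, body, base_status, base_body):
    """Reflected XSS indicator: the probe comes back byte-for-byte (unencoded)
    and was not already present in the benign response."""
    return probe in body and probe not in base_body


def detect_db_error(probe, status, body, base_status, base_body):
    """Error-based SQL injection indicator: a database error signature, or a
    server error, that the benign request for the same parameter did not
    produce."""
    low, base_low = body.lower(), base_body.lower()
    if any(m in low and m not in base_low for m in DB_ERROR_MARKERS):
        return True
    return status >= 500 > base_status


ATTACKS = [
    ("reflected XSS", "<scr1pt>zz</scr1pt>", detect_reflection),
    ("SQL injection (error-based)", "1'", detect_db_error),
]

# Endpoints and their input parameters, as a crawler would have discovered.
ENDPOINTS = {"/search": ["q"], "/item": ["id"], "/about": ["lang"]}


def scan(app, endpoints, attacks, benign="1"):
    """Sends every probe into every parameter and reports the URL, parameter
    and category of each confirmed finding."""
    findings = []
    for path, names in endpoints.items():
        for name in names:
            base_status, base_body = app(path, {name: benign})  # baseline
            for category, probe, detect in attacks:
                status, body = app(path, {name: probe})
                if detect(probe, status, body, base_status, base_body):
                    findings.append({
                        "category": category,
                        "parameter": name,
                        "url": path + "?" + urlencode({name: probe}),
                    })
    return findings


if __name__ == "__main__":
    for f in scan(target_app, ENDPOINTS, ATTACKS):
        print("%-28s %s (parameter %s)" % (f["category"], f["url"], f["parameter"]))
```

Run against the constructed target, the scanner reports exactly two findings, the reflected XSS in /search and the error-based injection in /item, each with the URL that reproduces it; /about receives the same probes but is not flagged because the HTML encoding changes the reflected bytes. Pairing each probe with its own detector and comparing against a benign baseline is what keeps a probe that merely echoes harmlessly, or a page that happens to mention "syntax error", from turning into a ghost finding.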
Organizations will demand software that is less vulnerable to attack; thus, application-level security needs to be a fundamental component of software development and quality assurance. With that in mind, organizations should begin looking at the products in this space and prepare to budget for application vulnerability assessment and penetration testing tools.

TABLE 1
Application Vulnerability Assessment Software, 2004–2009 ($M)

                                                2004    2005    2006    2007    2008    2009   CAGR 2004–2009 (%)
Application vulnerability assessment software   46.8    61.4    78.5    99.3   121.1   145.3   25.4

Source: IDC, 2006

Considering Cenzic

Cenzic, founded in 2000 and headquartered in Santa Clara, California, provides automated application security assessment and compliance products and services to help enterprises secure commercial and custom Web applications. The company offers enterprise software as well as SaaS for automating application security assessment and compliance. These products and services allow Fortune 1000 corporations, midsize corporations, and government organizations to improve the security of their Web applications. Cenzic uses a non-signature-based approach called Stateful Assessment™, which emulates a hacker and evaluates the application's real-time responses at the browser level. This approach has helped Cenzic deliver a very accurate solution, with less than 1% false positives.

The company provides the following products and services:

- Cenzic Hailstorm® enables security experts, quality assurance professionals, and developers to work together to assess, analyze, and remediate applications for security vulnerabilities. Hailstorm benefits include reduced security risk and liability, lower development and testing costs, and faster time to market. Leveraging its technology, Hailstorm provides coverage of a wide variety of attacks beyond standard attack methods.
Hailstorm is well suited to application logic tests, session management attacks, and regulatory compliance tests for PCI, GLBA, HIPAA, SB 1386, AB 1950, and others. Its Stateful Assessment approach is well suited to testing both commercial and custom applications.

- Cenzic ClickToSecure™ is a SaaS offering that combines the functionality of an enterprise-class application security assessment product with the flexibility of a managed security service. Cenzic takes its managed service seriously and takes extra steps to ensure that customers feel comfortable outsourcing their application security testing to it. These include comprehensive employee background checks, a secure infrastructure with full data protection, automated tests combined with analysis by security consultants, and free retests of fixed vulnerabilities.

- Cenzic Assessment Methodology completes the solution with a business process consulting service that helps customers improve their application security methodologies.

Cenzic's current focus includes the financial services, e-retail, healthcare, high-tech, and government sectors.

Challenges and Opportunities

The need for Web application security is very compelling, but there are still considerable challenges in reaching this market. The foremost is that many organizations have not budgeted for application security testing. Because the spending associated with such software may come out of the information security, software development, or quality assurance department, it is sometimes difficult to find a buyer for it. Another challenge is that many companies have not yet included security within their software development life cycles. The best way to confront both challenges is with education and awareness. There are considerable efforts within the industry and from organizational groups to raise awareness of the need for Web application security.
These efforts, along with increasing fear of regulatory compliance violations for poor Web site protection, should lead to increased funding. One way Cenzic is addressing these challenges is by making it easy for organizations to purchase Hailstorm. The company sells the product as a whole; it does not break the product into pieces covering the different software life-cycle segments, and it isn't concerned with whether the product is used in development, in production, or for compliance validation. The company also offers flexible pricing models, with user-based or application-based pricing depending on customers' needs. This simplicity makes it easier for users to purchase and use the product without worrying about the licensing method under which it was purchased. The ClickToSecure service also gives customers buying flexibility. Many companies are interested in outsourcing their testing to a solid vendor because they can realize a lower total cost of ownership (TCO) and because they lack in-house security expertise. Cenzic ClickToSecure appeals to many companies because of its comprehensive reports, including detailed analysis from Cenzic's security experts. Additionally, customers have the option to migrate to the software at any point, with all of their jobs preserved in the product.

Conclusion

No one can dispute the power of Web applications to improve business processes and to offer expanded opportunities to serve customers, business partners, and employees. The dynamic nature of Web applications offers users unique experiences. However, the dark side of this technology is that if it is improperly implemented, people with malicious intent can turn it against the enterprise and cause considerable damage to a company's bottom line and reputation. Nearly one in five businesses, both large and small, report that hackers have exploited flaws in their Web applications.
To protect themselves, enterprises have turned to many different security technologies that front-end their Web applications. This approach is necessary, but IDC believes that the key to a complete Web application security program is Web application code security testing. Enterprises need to implement security controls within their software development life cycles so that vulnerabilities can be eliminated before a program becomes operational. In the long run, this approach not only has security benefits but also improves software quality and thus reduces the number of patches and modifications required. IDC believes that organizations need to begin implementing Web application software development life-cycle programs and should investigate the available solutions in this space and budget for such products. There's too much at stake for enterprises to take a cavalier attitude toward Web application security. When evaluating application vulnerability assessment and penetration testing tools, enterprises should select solutions, such as Cenzic Hailstorm or Cenzic ClickToSecure, that integrate with the software development life cycle, accurately discover known attacks, and also have the capability to understand the inner workings of Web applications in order to uncover unknown attacks. This way, enterprises can handle both security and policy compliance issues while benefiting from multiple delivery options.

ABOUT THIS PUBLICATION

This publication was produced by IDC Go-to-Market Services. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Go-to-Market Services makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.
COPYRIGHT AND RESTRICTIONS

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests contact the GMS information line at 508-988-7610 or gms@idc.com. Translation and/or localization of this document requires an additional license from IDC. For more information on IDC visit www.idc.com. For more information on IDC GMS visit www.idc.com/gms.

Global Headquarters: 5 Speen Street, Framingham, MA 01701 USA. P. 508.872.8200 F. 508.935.4015 www.idc.com

©2006 IDC