The patching puzzle

Protecting multiple applications is becoming more and more difficult.

By Eliot Beer. Published April 5, 2007

While the popular view of IT is that every application works in a silo, with no interaction with any other application, the reality is rather different. Although many older applications may sit in near-perfect isolation, they still need to send and receive data over the network. That network is now almost certainly connected - at some point - to the wider internet; for many customer-facing organisations such as banks or online stores, the connection may be more or less direct, with web applications wired to backend systems. For newer applications, designed with closer integration with third-party systems in mind, the problem is more serious - these programs may well have even more sophisticated communications channels open to the world.

While much network design is now focused on protecting the network itself, all these different applications may not be protected. It is therefore quite conceivable that within many organisations, the challenge of securing every application that connects to the network is not as high on the priority list as basic network security. Many software vendors are now much more organised when it comes to tracking and fixing flaws in their applications, but this in itself can cause headaches for IT managers: applying patches for applications distributed over a network of several hundred machines is not an enviable task.

Worse, however, is that software vendors are still often slow to test their own applications for vulnerabilities and then to provide patches quickly and effectively.

This can lead to a number of potentially critical problems, according to Faisal Khan, senior Middle East security consultant at McAfee. "Perhaps the most significant issue with patch management is one that is often simply ignored," says Khan. "The entire patch process, by definition, protects enterprises only against known vulnerabilities - those which have already been discovered and disclosed by the vendor or an independent security researcher.

"Having patch levels up to date does nothing to protect against latent vulnerabilities and zero-day attacks. This is why patch management, while a crucial part of any security program, will always remain a reactive process," Khan adds.

For enterprise software, the problem is made potentially worse by the large amount of customisation that is required to ensure the solution integrates with other systems. This can lead to critical applications developing unforeseen faults, which only manifest themselves months or years later.

"A primary challenge for IT organisations is to maintain the availability of applications that depend on unreliable software," says Mathew Lodge, director of product marketing at Symantec EMEA. "Intermittent, recurring software problems that only manifest themselves in production environments are the most difficult to resolve - and the most expensive.

"Many common software errors, such as buffer overwrites and memory leaks, can cause intermittent application failure and performance degradation hours or even days before they are recognised as problems," he adds.

Symantec's approach to application security is to deploy intrusion detection and prevention on the host system, in order to stop any attacks or other malicious activity at the traffic level. It also offers systems that include security profiles for various software systems, aimed at preventing attacks specifically against those particular systems.

"For large organisations patching large numbers of machines frequently is difficult. In some specific verticals, it's impossible," explains Lodge. "One example of this is embedded Windows systems, such as those used for bank cash machines. These systems are never patched. This is why it is essential to protect these systems with host intrusion detection and prevention software. Diebold, a leading maker of cash machines, ships Symantec's Enterprise Protection product in all of its ATMs for this reason - because embedded Windows systems cannot be patched frequently."

This approach, though, illustrates one of the fundamental problems with securing large and varied application environments - if the version on your systems differs slightly, or is not sufficiently mainstream to be covered by a security package such as Symantec's, there can be problems. When looking at security in general, the user does have to consider how paranoid he needs to be about vulnerabilities in a particular system. Yes, it is true that a hacker could potentially develop and execute an attack against your one obscure database system, but how likely is this in reality?

For application security, risk assessment then becomes critical: only by having a clear idea of the risks and potential consequences for particular security breaches can organisations formulate a realistic and workable approach to security.
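The risk-based decision described here, as an added, constructed example that is not part of the original article: each application in an inventory is scored on its exposure and the consequence of a breach, and the score is paired with the next action the article's own options suggest (patch where a patch exists and can be applied, host intrusion prevention where the system cannot be patched or no fix has shipped, monitoring where only latent risk remains). The weights, the field names and the sample inventory are assumptions made for the illustration.

```python
"""Risk-based triage of a patching backlog.

Illustrative code only; the weights and inventory below are constructed
assumptions, not figures from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    internet_facing: bool   # reachable from the wider internet, directly or via a web tier
    consequence: int        # 1 (nuisance) .. 5 (critical business impact) if compromised
    known_vuln: bool        # a vulnerability has been disclosed for the running version
    patch_available: bool   # the vendor has shipped a fix for that vulnerability
    patchable: bool         # False for embedded / frozen systems that are never patched
    host_ips: bool          # host intrusion detection/prevention already protects the host


# Assumed exposure weights: an internet-facing app is far easier to reach.
EXPOSURE = {True: 3, False: 1}


def risk_score(app: App) -> int:
    """Likelihood (exposure, raised by a disclosed flaw) x consequence.

    A host IPS is treated as a compensating control that halves the
    residual score; that factor is an assumption for the illustration.
    """
    likelihood = EXPOSURE[app.internet_facing]
    if app.known_vuln:
        likelihood += 2  # public disclosure makes an attempt more likely
    score = likelihood * app.consequence
    if app.host_ips:
        score //= 2
    return score


def next_action(app: App) -> str:
    """Pick the control the article's options allow for this application."""
    if not app.known_vuln:
        # Patching cannot help with latent or zero-day flaws; keep watching.
        return "monitor"
    if app.patch_available and app.patchable:
        return "patch now"
    if not app.patchable:
        # Embedded / frozen systems: host IPS is the only available control.
        return "accept residual risk (host IPS in place)" if app.host_ips else "deploy host IPS"
    return "deploy host IPS, chase vendor fix"


def triage(inventory):
    """Return (score, name, action) tuples, highest risk first."""
    return sorted(((risk_score(a), a.name, next_action(a)) for a in inventory), reverse=True)


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    App("web-store", True, 5, True, True, True, False),
    App("partner-api", True, 4, True, False, True, False),
    App("atm-embedded-windows", False, 5, True, True, False, False),
    App("atm-embedded-windows-protected", False, 5, True, True, False, True),
    App("hr-legacy-db", False, 3, False, False, True, False),
]

if __name__ == "__main__":
    for score, name, action in triage(SAMPLE_INVENTORY):
        print(f"{score:3d}  {name:32s} {action}")
```

The point of the ordering is that the unpatchable cash-machine system does not fall off the list just because no patch can be applied; it stays ranked by risk and is given the compensating control the article describes, while the internet-facing store with a shipped fix is simply patched first.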

One example of this realistic decision-making process is Dubai Holding. The company is focusing on making security flexible and adaptive, to support the agility of the organisation. For instance, it bars some user services, such as e-mail downloads to PDAs, because of the potential security risks. But it also carries out a comprehensive risk assessment and analysis, highlights each risk, and then puts in place the infrastructure needed to minimise that risk and mitigate any threat.

"Dubai Holding is no different than any other organisation in terms of applying security architectures," says Sabri Al-Azazi, CIO of Dubai Holding. "What is different is the dynamism; the speed of implementation has got to be there and in terms of virtualisation, that doesn't have a boundary. We apply security on the systems more than on the perimeter - there is no access control, we cannot because of the nature of Dubai Holding as a business."

For application security management, there are a number of important issues to look at when formulating the best approach. Not least of these issues is the status of an organisation's security layer - security managers will need to take a very different approach to a green-field site, compared to one with a large number of existing applications.

"In the case of a large legacy install base, there are a lot of parameters that IT managers need to look at," says Shahnawaz Sheikh, regional sales manager for MEA at SonicWall. "There needs to be a comprehensive assessment of the application to determine the robustness, vulnerabilities, scalability, ease of use and management, whether the new system integrated with legacy meets the needs of business processes or not, the user comfort and adaptability, patch management, system redundancy and contingency planning, and so on," he adds.

Application security management is a part of security that can quite easily fall through the cracks of an organisation's IT security planning, depending on the structure of the IT department. If network security and systems security are handled separately, then coming up with a coherent policy towards external threats to applications on the network may be difficult.
