
Ground up

By Adrian Bridgwater on Tuesday, May 06, 2008

Enterprises deploying web applications cannot rely on code being secure. - Nigel Ashworth, Middle East and Africa technical director for F5 Networks


As the volume of web-facing applications continues to swell, many companies are starting to ask questions of the security procedures currently in place. Adrian Bridgwater examines the approaches available to regional enterprises.

Back in the 1960s, defending applications wasn't much of a concern, but then neither was widespread usage of computing. It wasn't until the 1970s that the first hint of malicious technology reared its head in the shape of the ‘Creeper’ virus on what is regarded as the forerunner of the internet, a system known as ARPANET.

Fast-forward to the 80s and 90s and we all know the story. Anti-virus manufacturers played a constant catch-up game with hobbyist so-called ‘script kiddies’ doing it for fun - and with more professional organised operations that would eventually evolve into the credit card scams and ‘phishing’ that we are all familiar with today.

 


A new world of worry

In 2008, it's not just the security of our data and the ‘robustness’ of our applications in the face of viral attacks that is a concern. The functionality of web-facing applications means that there is a multiplicity of new channels open to potential crooks and wrongdoers.




Couple this with the fact that many of the applications themselves now reside on the internet itself as ‘rich’ web applications and it becomes evident that a significant security refresh may be called for.

Software code reviews and web application firewalls (WAF) have, until now, been widely regarded as relatively thorough security provisioning for web-facing enterprise applications.

But the internet is now a more fundamental and more embedded element in the very fabric of modern businesses - in the Middle East as elsewhere.

As such, the way companies expose corporate data on the internet should be treated with as much care as the way they password protect the employee payroll register. Right now, the door to the corporate data bank is wide open, until somebody shuts it.

"Enterprises deploying web applications cannot rely on code being secure. This is down to a mix of reasons, but primarily it's probably a general lack of knowledge of comprehensive, application-level attack techniques paired with the reality that secure coding is complex, time-consuming and hence expensive," says Nigel Ashworth, technical director for the Middle East and Africa at F5 Networks.

Developers concentrate on the first priority - the application must be able to perform the task it was designed to do. This boils down to one thing - the enterprise is vulnerable.

"Re-engineering is one option but that can add several months or a year onto a planned roll-out schedule as well as the additional cost involved in the process," Ashworth adds.

Companies like F5 are fond of extolling the virtues of the web application firewall to address these difficulties and achieve things like PCI (payment card industry) compliance.

Requirement 6.6 of the PCI Data Security Standard states that it must be ensured that all web-facing applications are protected against known attacks by applying either code review on custom applications by an organisation that specialises in application security or by installing an application layer firewall in front of web-facing applications.

"The PCI requirements have already had an impact on security awareness in the Middle East and will continue to do so in the future. I do not see an environment that is free of vulnerabilities as we are facing very complex systems here that are always prone to contain flaws.

We will see an increase in Arabian enterprises deploying both web application firewalls and traditional network firewalls.

But for code reviews, I am more pessimistic as this is a difficult and expensive task for existing and complex applications, so I believe that many organisations will try to defer taking quick action here," said Klaus Gheri, CTO and co-founder of Phion.

People and process problems

"Being aware of the ‘people and process’ elements of security means just as much as any investment in technology. Having the right application and security technology in place will not prevent an attack being successful.

Hackers will always try to target the point of least resistance, so without proper training this can often be the company's employees," says Steve Kirrage, senior vice president, Postilion Middle East.

US-headquartered software company Postilion recently opened an office in Dubai Internet City and has been working with companies across the Middle East to address web-driven security concerns.



