Why you need Web application security expertise


Mike Rothman
07.25.2007


For malicious attackers attempting to compromise corporate IT infrastructures, the network is no longer the path of least resistance. That infamous title now belongs to applications, especially Web applications, where a single coding or configuration error can hand an attacker direct access to a back-end corporate database. A shortage of security practitioners with Web application security expertise only compounds the problem. However, it also offers value-added resellers (VARs) and service providers an opportunity to differentiate themselves in a commoditized network security market.

Lately I've been counseling security personnel to learn as much as they can about application-layer attacks -- as soon as they can. Logic flaws, cross-site scripting, faulty cryptographic storage and a litany of other application-level issues can render all of a customer's expensive and strong perimeter security useless, because the attack arrives inside the legitimate HTTP requests the firewall is built to allow. Yes, absolutely useless. OWASP publishes a Top 10 list of the most critical Web application security vulnerabilities, which is a good place to start.
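To make the point concrete, here is an added example, not code from the original article, showing three of the flaw classes named above in a vulnerable form next to a hardened one: SQL injection into a database lookup (the "direct access to a corporate database" of the opening paragraph), reflected cross-site scripting, and unsalted password hashing. The schema, handler names, sample rows and payloads are constructed for the demonstration.

```python
"""Added example, not from the original article: three application-layer
flaws beside their fixes. All names, schema and sample rows are constructed."""
import hashlib
import hmac
import html
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000  # OWASP's current floor for PBKDF2-HMAC-SHA256


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the 'corporate database' behind the Web app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 0), ("bob", "bob@example.com", 1)],
    )
    return conn


# 1. SQL injection: untrusted input spliced into the query text.
def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # A bound parameter is sent as data; the driver never parses it as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# 2. Reflected XSS: user input echoed into an HTML body unencoded.
def render_vulnerable(username: str) -> str:
    return f"<p>Results for {username}</p>"


def render_hardened(username: str) -> str:
    # Encode for the HTML body context so markup in the input stays inert.
    return f"<p>Results for {html.escape(username)}</p>"


# 3. Faulty cryptographic storage: unsalted fast hash of the password.
def store_password_vulnerable(password: str) -> str:
    # Same password -> same digest, and precomputed tables apply directly.
    return hashlib.md5(password.encode()).hexdigest()


def store_password_hardened(password: str, salt: bytes = None) -> tuple:
    # Per-user random salt plus a deliberately slow KDF; returns what to persist.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password_hardened(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # constructed injection string
    print("vulnerable lookup:", lookup_vulnerable(db, payload))  # dumps every row
    print("hardened lookup:  ", lookup_hardened(db, payload))    # []
```

Note that nothing in a network firewall distinguishes the injected request from a normal one: both are well-formed HTTP carrying a username field. The difference lives entirely in how the application handles the value.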

The problem is that application security is not yet a well-understood discipline, so there remains a lot of confusion about what application security is and what customers want from it. Complicating matters, customers often don't know either, so the VAR as "trusted advisor" needs to counsel them on the right direction and areas of focus.

To understand this space, it makes sense to think of an application across a continuum of time. Simplistically, let's walk through that process. At the beginning, the application is architected and built. No, it's not that simple, but indulge me for a second. Once it's built, the application goes through a number of testing steps called Q/A (quality assurance), basically to make sure it works. Finally, the application is deployed to the world, where it must hold up to the scrutiny of bad guys that crawl out from under every rock.

Application security can be applied at every stage of the software development lifecycle (SDLC). Some larger software companies, notably Microsoft with its Security Development Lifecycle (SDL), have formalized a secure development process that introduces security requirements, threat modeling and security testing at each stage. Because changing almost anything once an application is deployed is expensive, it is generally preferable to secure the application as early in the process as possible. Clearly that requires the application developers to get on board with the idea of security, which can be problematic on a good day. VARs can provide both training services on secure coding and help with understanding how to use the tools. If you also offer application development, then following a secure SDLC yourself is a real differentiator.

If we look at application security from a product standpoint, the oldest and most familiar tools are Web application scanners. These probe a deployed, running application from the outside, much as an attacker would, and test it against many -- but not all -- of the top threats: they are good at finding injection and cross-site scripting and poor at finding logic flaws. Teams wanting to eliminate issues in the code itself can look at source code analysis (SCA), where the source is run through a static analysis product that flags insecure patterns and points to the offending lines. There are also tools aimed at Q/A testers that measure security test coverage and pinpoint exactly where in the code the problems are. VARs have a lot of room here, both selling and training customers on the scanners and potentially launching their own managed services for application scanning.

As you can see, there is a lot of ground to cover before you can consider yourself an application security specialist, and it's only getting more complicated with the advent of new application technologies and architectures like AJAX and SOA.


The reality is that tools are only one part of the equation, because a skilled human attacker can often compromise an application faster and more effectively than a set of tools by exploiting logic flaws and/or outright sloppiness in the code: a scanner looks for known payload patterns, and a flaw in what the application is allowed to do has no such pattern. Thus, the final piece of the application security puzzle is people-based services like penetration testing. As mentioned above, expertise in application security can further differentiate increasingly commoditized network penetration testing. The ability to scrutinize applications, as well as networks and systems, provides the full view of the technology infrastructure that customers are looking for.
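As an added illustration (not the article's code), here is the kind of flaw the paragraph above has in mind: a checkout handler that trusts client-supplied quantities and prices. No injection payload triggers it and no insecure API call marks it in the source; only someone reasoning about what the application should allow finds it. The catalogue, prices, cart format and sample requests are constructed for the example.

```python
"""Added example, not from the original article: a business-logic flaw that
scanner payloads do not trigger. Catalogue, prices and cart format are constructed."""

# Server-side price list in integer cents (constructed values).
CATALOG = {"widget": 2500, "gadget": 4000}
SHIPPING = 500
MAX_QTY = 100


def checkout_vulnerable(cart: list) -> int:
    """Trusts the client: unit price and quantity come straight from the request.
    A negative quantity becomes a refund; a tiny 'price' buys the item for cents."""
    total = SHIPPING
    for line in cart:
        total += line["price"] * line["qty"]
    return total


def checkout_hardened(cart: list) -> int:
    """Prices come from the server catalogue; quantities must be positive ints
    within a sane ceiling. Any client-supplied 'price' field is ignored."""
    total = SHIPPING
    for line in cart:
        sku = line.get("sku")
        if sku not in CATALOG:
            raise ValueError(f"unknown sku: {sku!r}")
        qty = line.get("qty")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise ValueError(f"invalid quantity for {sku}: {qty!r}")
        total += CATALOG[sku] * qty
    return total


def hardened_rejects(cart: list) -> bool:
    """True if the hardened handler refuses the cart; used to show the fix holds."""
    try:
        checkout_hardened(cart)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed abusive request: two widgets plus minus-one gadget.
    refund_cart = [
        {"sku": "widget", "price": 2500, "qty": 2},
        {"sku": "gadget", "price": 4000, "qty": -1},
    ]
    print("vulnerable total (cents):", checkout_vulnerable(refund_cart))  # 1500
    print("hardened rejects it:", hardened_rejects(refund_cart))          # True
```

Every value in the abusive request is a well-formed integer, so input-validation-by-type passes it and a scanner's quote and script-tag probes tell you nothing. Catching it requires knowing that quantities must be positive and that prices are the server's business, which is exactly the judgement a human tester brings.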

Application security is here to stay, and even with the big vendors (IBM, HP, Microsoft, etc.) moving into the neighborhood, there is still a lot of real estate left for enterprising VARs that make the commitment to really understand Web applications and how they need to be secured. As long as the application is the path of least resistance and organizations keep writing new applications, there will be a significant opportunity to secure those applications.

About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.


All Rights Reserved, Copyright 2006 - 2008, TechTarget | Read our Privacy Policy