Application Security Matters

How often do you sit down and review the code that developers are writing in your organisation? How tightly is code security integrated into your overall security strategy?

Let’s be honest, most non-development IT professionals run a mile when faced with application development as it is such an alien process to many.

Significant effort has been put into securing data by IT professionals using encryption and data loss prevention technologies alongside anti-malware and attack prevention methods. Whilst it is now possible to reasonably secure these areas, line of business applications still remain vulnerable to security exploits due to poor or malicious software code.

Ensuring that code is written securely is a difficult job. Applications need to be secured during the software development process and code security reviews should now form part of the checks development teams take during the daily build.

Legislation and regulations are also catching up with the need to ensure application security and some standards, such as PCI DSS, the Payment Card Industry Data Security Standards, explicitly demand that software code security checks take place.
The increasing demand to cut IT costs has lead to outsourced software developments, often to partners that have not been audited by the customer. In many instances this outsourced model is hidden by using a local prime contractor who inturn sub contracts work to organisations, some of which the original customer would probably be unhappy with and often residing overseas.

The opportunities for hackers to deliberately create code “back doors” and the like could be numerous and tempting. Although little evidence suggests this is a prevalent problem undoubtedly it is an area being explored by more sophisticated criminals thwarted by traditional IT security measures.

Even if the problem in the code is not created deliberately mistakes due to sloppy programming can escalate dramatically – buffer overflows and SQL injection anyone? Most application security products have the following features;

• Central knowledgebase/database that contains details of known code security issues
• Management environment used to build and configure security policies and initiate code scanning routines
• Integrated Development Environment (IDE) plug-in that provides a security package to an existing developer’s coding environment and defect tracking tool
• Reporting application that returns statistics to development managers about the quality of the applications being created and the significance of any issues found

Application security auditing is a complex task. Vendors take different approaches to reviewing code, some will undertake a review of the source code whilst others will review the executable code. Contextual awareness is vital, as a function call may seem innocent in one setting but create havoc in another. More advanced solutions will offer pertinent explanations to developers why specific code is problematic and may offer work arounds or links to other useful resources. Unfortunately full automatic fixing of problems is still outside the scope of current products due to the complex nature of computer programming. That said, many vendors are working on this silver bullet and the chances are that one day it may be possible.

What is an IT Professional to do?

The first objective must be to understand the nature of the problem. Even if you don’t have an internal development function you may purchase software developed by third parties. Getting to grips with the issue, taking time to review software code and having application security checks as part of your overall security posture is a pretty good place to start.