Securing a vulnerable Web

By Judith Lamont

Concerns about cyberterror and homeland security have created a new urgency in protecting cyberspace and the associated business activities it supports. Few Internet technologies illustrate the tension between open communication and security better than Web services. Designed to allow different applications to interact with each other, Web services must be flexible enough to allow accessibility, but secure enough to prevent compromise among the applications. Without such security, it is difficult to convince potential partners to share information or processes. In fact, many Web services have been developed but are in a holding pattern, not yet deployed because of security concerns.

Simple Object Access Protocol (SOAP) enables Web services by allowing developers to write applications that span multiple platforms. However, because SOAP is carried by HTTP, the base protocol for the Internet, all of the vulnerabilities of HTTP go along with it. Like the Internet itself, SOAP was designed for functionality rather than security. Its inherent flexibility also has the effect of making applications more vulnerable. For example, a command can be injected into a legitimate communication with a database, causing it to bypass authentication screening and enabling unauthorized transfer of money between accounts. Firewalls and network intrusion detection systems, although they are important components of security, do not offer adequate protection for applications that support Web services.

Increasing attention is therefore being focused on protecting the Web application layer. ScanDo from KaVaDo emulates an Internet user’s actions to conduct vulnerability assessments on multiple applications, including those that utilize Web services technology. For example, it can identify default services that may pose a security threat to the enterprise. Once identified, default services that may not have a task assigned can typically be shut down to avoid these risks.

“Network administrators are often afraid that if they disable a service that is on by default,” says Yuval Ben-Itzhak, CTO and co-founder of KaVaDo, “the system may not keep running.” ScanDo also can detect a large number of flaws in the business logic of applications, such as whether they can be manipulated by injecting additional symbols into the code. “When applications are not well designed,” Ben-Itzhak adds, “they can be made to misbehave rather easily.”

Once the vulnerabilities are detected, KaVaDo’s InterDo can be used to protect the application layer with techniques such as securing the HTTP carrier protocol, eliminating dictionary manipulations that allow misuse of XML namespaces, validating the message structure and parameter values, and preventing traffic from flowing through default services. It monitors data that flows among applications to protect the business logic by validating requests before they go to the back-end infrastructure. After blocking a threat, InterDo then sends an alert about the attack and creates a log of the incident.

Ben-Itzhak notes that some vulnerabilities are rooted in the fundamental design of the applications. He believes that improvement should begin with a greater emphasis on security when developers first learn their craft.

“Developers are well-trained to provide functionality,” he says, “but less so on security.” He adds that anticipating vulnerabilities can be difficult, because some arise not from a single aspect of a program but from a combination of factors. Therefore, a sophisticated understanding of security is required, which can best be achieved by integrating the topic fully into the developers’ coursework rather than treating it as a side issue.

A range of other products and features have been introduced to enhance application security. Application Security Inc. provides a line of products that address security for Oracle, Sybase, Microsoft) SQL, IBM’s DB2, and Lotus Domino. Its AppDetective series provides application-specific vulnerability testing, and the DbEncrypt line offers encryption at the row and column level to ensure appropriate access.

Verity K2 Enterprise software offers document-level security so that when a user conducts a search, the results show only those documents to which he or she has access. Verity K2 Enterprise was deployed in 2001 on the U.S. Air Force portal, “MyAirForce," which connects nearly 30,000 legacy systems and 1,500 Air Force Web sites and intranets around the world. Users of the portal see a set of search results that is based on their role and access authorization.

In December 2002, Open Text became the first company to obtain a new security certification under the Department of Defense 5015.2 requirements for its records management solution, which is integrated with its knowledge management and content management capabilities. Open Text software can apply records management schedules to collaborative objects such as discussions and meetings held with Open Text’s Livelink, to create a consolidated view of all records pertaining to a certain project. The new certification allows the use of Open Text for management of classified records.

People plus technology

When an application is developed, two groups usually have significant input into security—those who build the business rules that determine access, and those who safeguard the infrastructure. Sometimes the interactions between those two groups with respect to security are not constructive. One way to improve the synergy is to assign someone early in the development process to be responsible for security in the application. That approach is recommended by J. Michael Gibbons, senior manager at BearingPoint, an IT consulting firm .

“The individual should carry security through the entire effort so that it is not addressed as an afterthought, but as an integral part of the application,” Gibbons advises. “This can prevent a lot of finger-pointing between the two camps.”

Automated tools for detecting infrastructure vulnerabilities, according to Gibbons, are mature and effective. However, he believes that automated tools for application security are still emerging. He advises that a human expert go through the code, particularly when several applications are working together.

“When more security standards for applications have been established, this kind of review will be much easier and more amenable to automation,” says Gibbons, “but we are not there yet.”

Gibbons, who was previously a cybercrime investigator for the FBI, believes that the most challenging aspect of homeland security relative to the nation’s IT infrastructure is complexity.

“We have a tremendous number of different legacy systems that need to exchange information and few tools to act as the intelligent broker in the middle,” he says. “This will take a great deal of integration to solve, and poses significant security concerns as well.”

Security umbrella

Even as some security initiatives focus on specific sectors such as applications, others are taking a broader view of the security environment. Security event management (SEM) software products integrate inputs from a variety of different systems and determine whether an alert represents a true threat (see “Computer Security Meets KM: Knowing When to Worry,” KMWorld, July/August 2002). Particularly for homeland security, however, a fully integrated view should include not only IT security but also physical security.