In the current world of cloud and agile development, we deliver code monthly, weekly and even daily. One of my engineering teams at IBM affectionately refers to updates as the “daily dose.” We have developed robust processes to ensure that these updates are seamless and impact production minimally.
But one of the major challenges is ensuring that security vulnerabilities don’t creep in along the way. Application-layer protection is difficult at DevOps speed: it is not practical to run a full penetration test against every daily update. Much to our chagrin, customer penetration tests have found security vulnerabilities even in our carefully managed code, because the application security tooling and processes didn’t keep pace with the demands of rapid development.
The Key Under the Mat
Sound familiar? We’re all under pressure today to put as many services online as quickly as possible to meet customers’ demands for convenience, speed and ubiquitous access to data and systems. But in the process, we may be putting bars on the windows and deadbolts on the door while leaving a key under the mat. The ongoing need to deliver capabilities faster and adopt agile methodologies like DevOps threatens to greatly increase our exposure to application security vulnerabilities.
Yet application security commands a curiously low level of investment by IT organizations. The SANS Institute’s recent “IT Security Spending Trends” survey named application security just the 14th-highest spending priority related to IT security, behind such categories as network security and email protection. This is despite the fact that applications typically interact directly with the back-end database and account for 32 percent of security compromises, according to the Ponemon Institute’s “State of Application Security Risk Management Report,” ahead of network, human negligence and data.
Inside the organization, our applications are protected by firewalls, authentication servers and VPNs. Once we put them on the web, however, we essentially lay out a welcome mat. Attackers can enter through the front door via ports 80 and 443 to launch their anonymous cross-site scripting or SQL injection attacks with impunity.
Startling Numbers
The Open Web Application Security Project (OWASP) estimated that about one-third of web applications contain security vulnerabilities. WhiteHat Security’s “2015 Website Security Statistics Report” put the figure much higher, at 86 percent. Application-layer protection is what addresses this class of problem; the network perimeter does not see it.
Injection attacks top the OWASP vulnerability list. The video demonstration below by Warren Moynihan, a member of the Ethical Hacking Team at IBM Security Systems, shows how easy it is for an intruder to launch an injection attack on a banking application. Legacy applications, such as those used by banks, are particularly prone to compromise. But in the consumer banking world, if you’re not online, you’re out of business.
Why the Paradox?
Application-layer protection is often a low priority for IT organizations, despite the magnitude of the threat, for several reasons. For one thing, the concept is difficult to understand. It’s easy to wrap your mind around the idea of putting walls around the enterprise, but session management and cross-site scripting attacks are more difficult to understand, much less defend against.
The second reason is organizational. Developers are taught to code quickly and efficiently, but not necessarily securely. In fact, many developers view security as an unnecessary nuisance, something that is someone else’s responsibility. Injection attacks ride through the application’s own database access and compromise the database behind it, so the flaw is in the application but the damage lands in a system another team owns, introducing yet another level of organizational complexity. Application-level security thus becomes an orphan that nobody wants to own.
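To make the mechanics concrete, here is an added example (not code from the original post and not an IBM product): a miniature account lookup against an in-memory SQLite table with constructed sample rows. The first lookup concatenates the user-supplied owner name into the query, so a payload such as `x' OR '1'='1` turns a single-account query into a dump of every account; the second binds the same input as a parameter, so the database treats it as data and returns nothing. The table, rows and payload are all assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not real customer records.
SAMPLE_ACCOUNTS = [("alice", 1200), ("bob", 50), ("carol", 99000)]

# Classic tautology payload: closes the quoted string and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Build a throwaway in-memory database holding the constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)", SAMPLE_ACCOUNTS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """Vulnerable form: the caller's string is spliced into the SQL text.

    With PAYLOAD the statement becomes
        SELECT owner, balance FROM accounts WHERE owner = 'x' OR '1'='1'
    and the WHERE clause matches every row.
    """
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    """Hardened form: the value is bound as a parameter, never parsed as SQL.

    The same PAYLOAD is compared literally against the owner column and
    matches nothing.
    """
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo():
    """Run both lookups with a legitimate name and with the injection payload.

    Returns (rows for 'bob' via vulnerable, rows for 'bob' via parameterized,
             rows leaked by the payload, rows returned for the payload safely).
    """
    conn = make_db()
    legit_vuln = lookup_vulnerable(conn, "bob")
    legit_safe = lookup_parameterized(conn, "bob")
    leaked = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_parameterized(conn, PAYLOAD)
    return len(legit_vuln), len(legit_safe), len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())  # the vulnerable lookup returns all three accounts for the payload
```

Both functions behave identically for a well-formed name, which is exactly why the defect survives functional testing and code review that only exercises the happy path; it takes a scanner or a tester feeding hostile input to surface the difference.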
Additionally, we are all trying too hard to rush applications out the door. With DevOps gaining favor for its many productivity and speed benefits, businesses are sacrificing protection for the sake of production. That makes sense behind the firewall, but on the public web it’s a recipe for disaster. And the pressure to roll out applications faster is growing even more intense.
Simplifying Application-Layer Protection
One solution is inline application scanning, run as part of the build and deploy pipeline. This makes application-layer protection a simple step in the development process rather than an arduous chore. There are also solutions designed specifically for cloud applications that integrate into your DevOps tooling infrastructure.
As vendors, we owe it to our customers to take application security to heart. Our experience with customer penetration testing may have been a bit embarrassing, but it taught us a lesson that we won’t forget anytime soon — to integrate security scanning as part of our rapid development processes.
VP of Development, IBM Security