Customers and vendors alike are hoping that a recently approved security interoperability standard could help rationalize application security processes and provide a mechanism for rapidly adjusting to new potential threats.
Enter AVDL. Application Vulnerability Description Language is a new standard that provides a uniform way of describing security vulnerabilities found in applications. Currently focused on vulnerabilities found in HTTP applications, it will likely expand in the future to include those found in applications that leverage other protocols and services, such as e-mail.
Today's security landscape
Vulnerabilities within the Web application will always exist, principally because human beings are imperfect and we build these applications. What's more, once they are built we manage and maintain them, and their environments. We are the problem.
Thus far, we have tried with limited success to resolve this problem through:
- Training for developers
- Code audit and repair
- Patch management for third-party and outsourced components
- Audit and review of existing processes and procedures
- Web security policy development and enforcement with a particular emphasis on developers and system administrators.
Additionally, we have been bombarded by new, innovative technologies designed to harden systems and to monitor and react to threats. Unfortunately, many application-layer attacks leverage legitimate access and permitted interaction with the application. They flow undetected through firewalls, intrusion-detection systems (IDS), host-based IDS, and IPS. In order to provide a degree of security against advanced application-level attacks with these products, they must be customized to such a degree that the remedy becomes worse than the disease. Limited protection against such threats typically requires painstaking configuration, monitoring and then reconfiguration of security devices on a regular basis.
Perhaps the principal challenge, therefore, is to reduce the impact on the organization in terms of risk, time and allocation of resources required to maintain control of application vulnerabilities.
The tangled Web we've weaved
Partners, competitors, vendors, employees, clients, and prospects access our Web applications. Benign or malicious, each will try to do things our developers and administrators never expected with our applications. And our applications may react in ways we could never have predicted.
Web applications are in a continuous state of change. Content is updated continuously, and the applications themselves can change from hour to hour in extreme cases. Even the underlying technology -- programming languages, application middleware, etc. -- is evolving. As opposed to alleviating the problem, the steady flood of functionality and security patches and updates from all sorts of vendors may ultimately intensify it, because a significant part of Web security also depends on consistency in the systems administration process. Maintaining homogeneous configurations across farms of servers across remote locations is a significant challenge.
As was previously alluded to, most, if not all, of the common vulnerabilities in Web applications are due to human error or omissions. As a result, security teams are frequently limited to providing "secure programming guidelines" to improve security.
Passing the buck
Such guidelines all too often relegate Web security to the skills of the developer or outsourced developer. But code review and repair are resource intensive and error-prone, because the tools used may be incomplete and the resulting discoveries must still be acted upon. There may be thousands of different source code files to audit. If there were enough time to address all the discovered vulnerabilities, the cost of repairing them would probably be prohibitive. And components manufactured by a third party cannot be adequately scanned.
Developers are primarily responsible for building a given feature or functionality that works by a specific date. Rather than passing the buck in this way, it makes abundantly more sense to build vulnerability reviews into the quality assurance process. Quality code is secure code. By emphasizing quality, we ensure that developers can continue to do what is expected of them: deliver features and functionality that work, on time.
At risk: The enterprise
Increasing cybercrime has companies concerned about the privacy and financial security of their clients, employees, and partners, as well as their own. Regulations such as HIPAA, GLBA, CA SB 1386, Sarbanes-Oxley, and the Patriot Act impose very costly penalties on companies for security breaches, as well as notification requirements in some cases. As a result, breaches can result in significant losses: lost current and future business, lost credibility, and significant damage to a company's brand.
Industry standardization: A call for clarity
Consider this fact. According to an IT security economics study by IP3 Inc., more than 85% of large organizations view interoperability between security components as one of their top two issues. Implementing and integrating new security applications with existing security applications and products can overwhelm security administrators.
AVDL is an important part of the solution to Web security challenges because it fills a gap in the "find, block, fix, report" cycle of protection for Web applications. AVDL provides a mechanism for importing the results of an application penetration test directly into a Web transaction control gateway.
The integration of the results of this vulnerability scan via AVDL with a blocking agent will provide end users with a higher degree of protection and ease of use, including:
- A window of safety during which the end user can plan, develop and test deployment of remediation solutions such as patches, updates, etc.
- Alternatively, a solution for maintaining a high degree of Web security without having to deploy fixes within the application itself
- A rapid and automated response mechanism in the face of known vulnerabilities
- Additional automation in the configuration of the blocking agent
- Tighter compliance with federal and state regulations concerning privacy, security and data integrity via templates available in scanning tools, the blocking agent or both
- An additional degree of granularity in the configuration of the blocking agent.
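As an added illustration of the "find, block" hand-off described above (this is example code, not code from the article, from Sentryware, or from the AVDL specification): a scanner report in a simplified XML layout constructed for this example, which is not the real AVDL schema, is loaded into blocking rules, and sample requests are checked against them the way a blocking agent would before a fix is deployed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs
import xml.etree.ElementTree as ET

# Constructed scanner output. The element names are an assumption made for
# this example and are NOT the AVDL schema; a real import would map AVDL
# elements onto the same BlockRule fields.
SCAN_REPORT = """<findings>
  <finding id="F-1" severity="high">
    <path>/account/login</path>
    <parameter>user</parameter>
    <pattern>['";]</pattern>
  </finding>
  <finding id="F-2" severity="medium">
    <path>/search</path>
    <parameter>q</parameter>
    <pattern>&lt;script</pattern>
  </finding>
</findings>"""


@dataclass(frozen=True)
class BlockRule:
    finding_id: str
    severity: str
    path: str        # exact request path the finding applies to
    parameter: str   # query parameter the scanner flagged
    pattern: re.Pattern  # input shape that triggered the finding


def load_rules(report_xml: str) -> list[BlockRule]:
    """Turn each scanner finding into a narrowly scoped blocking rule."""
    root = ET.fromstring(report_xml)
    rules = []
    for f in root.iter("finding"):
        rules.append(BlockRule(
            finding_id=f.get("id"),
            severity=f.get("severity", "unknown"),
            path=f.findtext("path"),
            parameter=f.findtext("parameter"),
            pattern=re.compile(f.findtext("pattern"), re.IGNORECASE),
        ))
    return rules


def check_request(rules: list[BlockRule], url: str) -> list[str]:
    """Return ids of findings whose path and parameter match the request."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # URL-decoded
    hits = []
    for r in rules:
        if r.path != parts.path:
            continue  # rule is scoped to one path, so other pages stay open
        if any(r.pattern.search(v) for v in params.get(r.parameter, [])):
            hits.append(r.finding_id)
    return hits
```

Because each rule is scoped to the exact path and parameter the scanner reported, the gateway blocks only the flagged input shape and leaves the rest of the application untouched until the code fix ships.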
Since Web application vulnerabilities will always exist, the best we can do is reduce their impact. AVDL will play a significant role in attack prevention because it will ensure that an enterprise administrator has the most up-to-date protection on an ongoing basis. For the enterprise, this will translate to more control over Web vulnerabilities and the risks imposed by them.
About the author:
For more than 15 years, Mr. Adelman has successfully launched IT products and services for software manufacturing, distribution and consulting businesses in the U.S. and Europe. For more information on Sentryware, visit the company's Web site at www.sentryware.com.
This was first published in June 2004