The Final Frontier - Keeping Unwanted Intruders Out of Your Applications


October 01, 2005
Application | Security
Rick Warner - rick.warner@thoughtmill.com


© 2005 Hospitality Upgrade. No reproduction without written permission.

A few high-profile cases notwithstanding, most companies have gotten to the point where they are pretty good at keeping hackers out of their network perimeters, and many solutions, including firewalls and intrusion detection systems, are readily available today to assist in this area. However, keeping unwanted intruders out of your application code remains the final frontier of security. An ever-increasing amount of application code is exposed to the outside world over the Internet, and hackers are starting to use it as their preferred point of entry into your network. The potential for this is especially dangerous in the travel industry, where self service has become the norm. To date, the most damaging targeted attacks have focused on exploiting vulnerabilities in Web applications and custom-developed software rather than packaged solutions. That means your slick e-commerce site could also serve as an entry point into your customer data.

Do you know whether your applications are secure? Have you done everything you can to ensure that your data is protected? It is better to ask yourself these questions and address the situation head-on than to have an outside auditor ask you about them after a breach has occurred.

“In this company, source code security is an accident that’s already happened.” - VP Application Development, Fortune 100 Company

Application-level security is indeed becoming a big issue. According to The Gartner Group, “Today, over 70 percent of attacks against a company’s network come at the application layer, not the network or system layer.” Understanding, managing and eliminating your vulnerabilities not only reduces your risk, it can directly impact your bottom line. Consider the following:
  • Gartner estimates that even removing only 50 percent of software vulnerabilities before product use will reduce enterprise configuration management costs and incident response costs by 75 percent.
  • The National Institute of Standards and Technology (NIST) states that it costs three to 20 times more to fix a vulnerability after it becomes operational than during code and unit tests.
  • NIST estimates security flaws and errors found in software are responsible for the exploits that lead to identity theft, unauthorized funds transfer and fraud, costing the U.S. economy $59.5 billion per year.
Potential exposures vary based on the platform. However, there are some key things to be concerned about:
  • Buffer overflows are very common issues, especially in C/C++ applications.
  • All Web-based applications are potentially vulnerable to SQL injection and cross-site scripting issues, no matter what language they are developed in.
  • Application stability typically improves security posture. For example, with Java it is a good idea to review issues related to application flow and error handling.
  • The security model is often improperly designed, inconsistently implemented and/or has back doors left by developers.
  • Dead code is often resident in applications. It may not pose a security issue per se, but it can often impact overall maintainability and performance.
What can be done to address these issues? The following five-step process is a good place to start:
  1. Review the application structure with your development staff.
  2. Determine the high-risk areas and the scope of code to review.
  3. Examine the code using automated tools to do as much of the difficult work as possible.
  4. Evaluate a subset of the code to identify specific instances of problem patterns.
  5. Report findings to senior management along with a list of prioritized remediation recommendations.
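As an added example (not from the article or from Thoughtmill), here is what steps 3 to 5 look like when applied to the exposure list above: a small Python review script that flags the problem patterns the article names in a constructed sample code base and orders the findings for a prioritized report. The regexes, severities and sample files are assumptions of this example, chosen to be simple review heuristics rather than a real code analyzer.

```python
import re

# Review heuristics keyed to the article's exposure list; severity 1 is
# highest and drives the ordering of the prioritized report (step 5).
# Constructed for this example: simple regexes, not a real code parser.
PATTERNS = [
    ("SQL injection", 1, re.compile(
        r"""["'](SELECT|INSERT|UPDATE|DELETE)\b.*?["']\s*(\+|%|\.format\()""", re.I)),
    ("buffer overflow (C/C++)", 1, re.compile(r"\b(gets|strcpy|strcat|sprintf)\s*\(")),
    ("cross-site scripting", 2, re.compile(r"\.innerHTML\s*=|document\.write\s*\(")),
    ("swallowed exception (Java)", 3, re.compile(r"catch\s*\([^)]*\)\s*\{\s*\}")),
]

def scan_file(name, source):
    """Return one (severity, category, file, line_no, text) tuple per hit."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for category, severity, rx in PATTERNS:
            if rx.search(line):
                hits.append((severity, category, name, line_no, line.strip()))
    return hits

def prioritized_report(files):
    """Scan every file and order findings by severity, then category/file/line."""
    hits = []
    for name, source in files.items():
        hits.extend(scan_file(name, source))
    return sorted(hits)

# Constructed sample code base: each file pairs one risky line with its fix,
# so the scanner should flag exactly one line per file.
SAMPLE_FILES = {
    "login.py": "cur.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")\n"
                "cur.execute(\"SELECT * FROM users WHERE name = ?\", (name,))\n",
    "parse.c": "strcpy(buf, argv[1]);\n"
               "snprintf(buf, sizeof buf, \"%s\", argv[1]);\n",
    "page.js": "out.innerHTML = params.get('q');\n"
               "out.textContent = params.get('q');\n",
    "Order.java": "try { charge(card); } catch (Exception e) {}\n"
                  "try { charge(card); } catch (Exception e) { log.error(e); throw e; }\n",
}

if __name__ == "__main__":
    for sev, cat, fname, line_no, text in prioritized_report(SAMPLE_FILES):
        print(f"[P{sev}] {cat}: {fname}:{line_no}: {text}")
```

The flagged lines are the subset a reviewer then inspects by hand in step 4; the safe counterparts in the sample show what the remediation in step 5 should look like.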

In the past this process would have been very time-consuming and labor-intensive. Fortunately, there are tools available today which greatly expedite application security by enabling you to examine the majority of your code in an automated manner. In doing so, you can effectively reduce an exercise that could take months to a few weeks.

You will definitely sleep better at night by including application-level security in your overall security management plan. The benefits to be derived from such an approach are significant and include the following:
  • Reduced risk of identity theft and fraud exploits
  • Reduced cost of application maintenance and management
  • A better understanding of the inner workings of your custom application code, which is especially important if it was acquired from a third party or developed off-shore
  • Easier application of best practices across your development team

In addition, if an attempted breach should ever occur, you could demonstrate to outside auditors that you did everything possible to prevent it. This alone makes it well worth pursuing.

Rick Warner is Thoughtmill’s vice president of Travel Services. A 20+ year industry veteran of world-class organizations like Disney and Marriott, he has successfully implemented large-scale projects all over the world. He can be reached at rick.warner@thoughtmill.com.


