Comment Article
IT Analysis – From zero day exploit to zero day fix
By Fran Howarth, Principal analyst, Quocirca Ltd
To compete in today's electronic world, organisations rely on software applications, some off-the-shelf, others customised for them, and still more that they develop or modify themselves. Most large enterprises have thousands of software applications in use, many of which are web-enabled. Because web-enabled applications are external facing, they need to be highly available and to perform well. If an application is not available, an organisation may lose customers who cannot access it, hurting its revenues. Applications also tend to be ever more feature and function rich, allowing a dynamic, more collaborative experience for customers and for the business partners to whom they grant access. To provide an engaging environment for users, many organisations require applications that change frequently, some of them every day.

This is music to the ears of hackers, as each change could introduce a new vulnerability and, as other lines of attack become harder through the use of defences such as firewalls, anti-virus and anti-spyware, those hackers are increasingly looking for new vulnerabilities to exploit. Worse still, many of these new exploits allow hackers direct access to the heart of the organisation, namely the databases that hold the company's most sensitive information. In fact, there has recently been a sharp rise in web-based attacks on databases using a technique called SQL injection.

The pressure to get new applications out the door is shrinking development cycles, leaving little time for ensuring that those applications are as secure as they could be before they are unleashed on users. This is made worse by the fact that much code is inherited from other applications and reused, often without being checked for the impact that reuse could have on the overall security of the resulting application.
The best practice for ensuring that a software application is as secure from vulnerabilities as possible is to build security in at the beginning of the development cycle, at the design and requirements planning stage. But this is hard to do, especially as many developers lack security expertise, and it is therefore not done by the majority of organisations developing software applications. To ensure applications are as secure as possible, organisations should test all applications pre-production for vulnerabilities, as well as continuing to test when those applications have gone live. User access permissions should also be reviewed, especially to make sure that administrator rights are not all-encompassing, and organisations should take steps to ensure that all systems in use are up to date and patched, and that those patches have been tested for security.

© 2008 Quocirca Ltd
http://www.quocirca.com
+44 118 948 3360

But every software application is bound to have flaws. A rule of thumb is that 0.5 significant errors per thousand lines of code is to be expected, so a 10,000-line application, which is fairly small in reality, will have five significant errors in it, somewhere. This leaves organisations playing a game of catch-up as the number of security threats continues to proliferate and increasing exposure to more users and more computing devices creates many more vectors for attack. As a result, traditional security approaches can buckle under the strain.

The typical time for remediating today's "popular" SQL injection or cross-site scripting vulnerabilities is 120 days, according to vendor Breach Security, during which an organisation will normally have to make the affected application unavailable. Two companies have briefed Quocirca about innovative solutions they have developed that remove the need for application downtime: the ability to virtually patch the application so that it can remain functioning while the problem is fixed.

Breach Security is a vendor of web application firewalls that not only protect web applications from attack by scanning for vulnerabilities and remediating insecurely coded applications, but also protect against attacks and unintentional leakages caused by flaws in code, through the ability to apply a virtual patch as soon as a new exploit is launched. This bridges the gap between the finding of a vulnerability and the time taken for remediation, without the need to take down the application.

Secerno offers similar capabilities, although its focus is on database security. It calls its ability to patch vulnerabilities on the fly and in real time 'statement substitution': a potentially harmful database query is substituted with another that causes the database to signal an error to the database client that sent the original query. This is extremely useful for preventing vulnerabilities being exploited, by blocking bad requests from reaching the database. The virtual patch that is applied then allows the coding error to be fixed, whilst removing the need for application downtime.

Attacks against web-based vulnerabilities are not just on the rise, they are also becoming more targeted against specific organisations or individuals. Most efforts to prevent these attacks focus on code reviews and vulnerability scanners, which provide lists of things that could happen and that might be harmful, resulting in data loss. However, the capabilities introduced by Breach Security and Secerno provide a solution for immediately remediating vulnerabilities that are found, providing an immediate fix for new exploits as they occur, whilst keeping mission-critical applications running.
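The statement substitution idea described above, as an added example that is not Secerno's or Breach Security's code: a small guard in front of SQLite that records the structural shape of the application's known-good statements and swaps any statement of unknown shape for one that makes the database itself signal an error to the client, so the injected query never reaches the real tables. The substitute table name, the sample data and the injected input are constructed for this example.

```python
import re
import sqlite3

# Literals become placeholders, whitespace collapses, case folds: only the statement's
# structure is compared, so 'alice' and 'bob' share one shape while ' OR 1=1 -- does not.
_STR = re.compile(r"'(?:[^']|'')*'")
_NUM = re.compile(r"\b\d+(?:\.\d+)?\b")


def fingerprint(sql: str) -> str:
    """Reduce a SQL statement to its structural shape (regex-based, not a full parser)."""
    shape = _NUM.sub("?", _STR.sub("?", sql))
    return re.sub(r"\s+", " ", shape).strip().lower()


# Substitute statement: it names a table that does not exist (constructed name), so the
# database itself reports an error to the client instead of running the harmful query.
SUBSTITUTE = "SELECT 1 FROM __blocked_by_virtual_patch__"


class StatementGuard:
    """Sits between the client and the database; replaces unknown statement shapes."""

    def __init__(self, conn: sqlite3.Connection, known_good: list[str]):
        self.conn = conn
        self.allowed = {fingerprint(s) for s in known_good}
        self.blocked: list[str] = []  # audit trail of substituted statements

    def execute(self, sql: str) -> list:
        if fingerprint(sql) not in self.allowed:
            self.blocked.append(sql)
            sql = SUBSTITUTE  # the virtual patch: the client sees a database error
        return self.conn.execute(sql).fetchall()


def demo() -> tuple[list, str, int]:
    """Constructed data: one legitimate lookup and one tautology injection attempt."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    guard = StatementGuard(conn, ["SELECT id FROM users WHERE name = 'x'"])
    rows = guard.execute("SELECT id FROM users WHERE name = 'alice'")
    # The application concatenated user input, so the resulting shape is unknown.
    try:
        guard.execute("SELECT id FROM users WHERE name = '' OR 1=1 --'")
        error = ""
    except sqlite3.OperationalError as exc:
        error = str(exc)
    return rows, error, len(guard.blocked)
```

A production engine would parse the SQL rather than regex-normalise it; this version treats differences in spacing around operators as different shapes, which errs on the side of blocking.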
About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets. Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises. Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long-term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC, Symantec and Cisco, along with other large and medium-sized vendors, service providers and more specialist firms.
Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com