QUOCIRCA INSIGHT REPORT
March 2008
Why application security is crucial …and what companies are doing about it

Contacts:
Fran Howarth, Quocirca Ltd, Tel +31 35 691 1133, [email protected]
Clive Longbottom, Quocirca Ltd, Tel +44 118 948 3360, [email protected]
Today, many organisations are increasingly reliant on software application development to deliver them a competitive edge. Simultaneously, they are progressively opening up their computer networks to business partners, customers and suppliers and making use of next-generation programming languages and computing techniques to provide a richer experience for these users. However, hackers are refocusing their attention on the vulnerabilities and flaws contained in those applications. As this report shows, organisations that use the tools available for improving the security of the applications that they develop spend less on IT security overall and, as a result, are less vulnerable.

• Outsourcing of code development is widespread. However, given the lack of visibility into coding practices, it is fundamentally insecure. Of those organisations that admit to being frequently hacked, all outsource at least some software development, with almost 90% outsourcing more than 40%. Germans are the least likely to outsource, but 61% of US organisations outsource more than 40% of code development. Financial services firms are the highest outsourcers, but could be putting themselves at serious risk.

• Exposure to Web 2.0 technologies—among the least understood, but considered to be among the most insecure technologies—is high, but many manage their use through policies alone. 58% of respondents are using Web 2.0 applications, including those that they develop in-house. 39% of these govern usage of these applications through policies alone and more than 10% place no restrictions on their use. 45% of respondents make use of JavaScript/AJAX Web 2.0 programming tools, and up to 33% of respondents admit to being concerned about the vulnerabilities specific to Web 2.0 technologies.

• Organisations are exposing their applications to new security threats through use of a SOA. 66% of respondents have adopted, or are in the process of adopting, a service-oriented architecture (SOA), although adoption is lowest in the UK at 50%. Adoption rises to 84% of German organisations, 71% of which are exposing existing applications as well—potentially leaving them more vulnerable to attack as some of these applications would originally have been intended for internal use only and therefore developed without concern for today’s security threats.
Research Note: The information presented in this report is based on a survey of 250 IT directors, senior IT managers and C-level executives in Germany, the UK and the US. It was completed in December 2007 and January 2008. Those surveyed included organisations from 1,000 employees up to large multinationals within a wide range of industrial sectors. Quocirca would like to thank all the respondents to the survey for their kind help.
• Data protection is the key driver behind application security for the vast majority. 82% of respondents cite compliance with data protection regulations as their priority, rising to 91% in the UK. Financial services organisations are the most concerned with protecting data through superior application security.

• Using automated tools for building security into the software development lifecycle translates to lower overall spend on IT security. Over 10% of UK respondents spend more than 15% of their IT budget on security—but are the least likely to use automated tools for application security. Conversely, 96% of German organisations spend less than 10% of their IT budgets on security and make the most use of automated tools for building security into applications during the early stages of the software development lifecycle. Yet most respondents could do more to improve security—for example, only 25% of respondents use risk rating systems for testing code against known vulnerabilities.

CONCLUSION: The fact that software applications contain flaws that can be exploited by hackers is nothing new. That organisations are increasingly reliant on bespoke applications to maintain a competitive edge, and are outsourcing a significant proportion of the coding for these applications to third parties, is an alarming trend. The need to make business processes more efficient is leading them to expose more of their applications through the use of new programming techniques and technologies, some of which are known to introduce new vulnerabilities into applications, but which are not yet clearly understood. It is now more imperative than ever that organisations developing software applications use automated tools to ensure that security is built in at an early stage of the development lifecycle to significantly reduce the risks to which organisations are being exposed.
An independent study by Quocirca Ltd. www.quocirca.com
Why Application Security is Crucial
Page 2
Contents
Introduction 3
Increasing reliance on business software 3
Regulatory compliance focuses on data protection 4
New types of applications 5
Spending on security 7
Processes and tools used for application development 8
Conclusions 11
Appendix A—Sample interview distribution 12
About Fortify Software 13
About Quocirca 14
© 2008 Quocirca Ltd
Introduction

Organisations today are increasingly reliant on business software for communicating and transacting with partners, customers and employees, nearly half of which is web-enabled to ease remote access. However, by opening up their networks in this fashion, these same organisations are being targeted by increasingly technologically-savvy criminals who are looking to sabotage networks or to gain access to sensitive data produced in those networks for financial gain.
[Figure 1: How important is software development to your organisation? Pie chart; categories: Business critical - business hinges on in-house code; Important - use external applications and use internal code for interoperability; Moderate - the additional code gives us differentiation; We should be looking to minimise our internal code development. Values shown: 8%, 40%, 24%, 28%.]

Not only is reliance on software increasing, but also organisations are outsourcing some parts of their development activities to third parties. This presents them with challenges in assessing the security of third-party code. In addition, they are making greater use of next-generation programming technologies and techniques, many of which are likely to actually increase the chance of flaws being coded into software. Organisations are also under pressure to comply with growing numbers of industry and government regulations, such as data protection, that have been put in place recently to counter these security issues. All too often, the preventative security measures that organisations implement focus on keeping the bad guys out at the perimeter of the network—rather than focusing on ensuring that their computer networks are inherently secure. Too little emphasis is placed on ensuring that the software applications that run on those networks do not contain coding flaws that make them easy targets for attackers.

The aim of this report is to highlight the issues surrounding software application security and to look at the measures that organisations carrying out software application development take to ensure that those applications are secure. As background to this, interviews were conducted with persons responsible for, or who have active involvement in, developing software applications at 250 companies across Germany, the UK and the US (see Appendix A). This report is intended to be read by those with responsibility for application development at organisations that rely on such developed code for running their businesses. It discusses recent trends in software application development and provides information about controls that organisations have in place regarding the software applications that they develop, and the benefits for those that get it right.

Increasing reliance on business software

It is now a fact that businesses rely on computer networks to run day-to-day communications with customers, partners and suppliers. This means that a great deal of information is produced and stored electronically, and many communications and transactions with business partners and customers are conducted electronically. This increasing reliance on computer networks means that the software applications that run on those networks become a mission-critical source of competitive advantage for many companies (Figure 1). A key requirement for this to happen is that communications with external users are opened up in order to increase the speed with which business can be conducted, to drive down the costs of those communications and to increase profits. However, it also exposes organisations to greater security risks—especially where applications were not originally developed to be exposed over open networks and for which levels of security may not be strong.

[Figure 2: Is the importance of software development increasing? Bar chart by importance category (Business critical - business hinges on in-house code; Important - use external applications and use internal code for interoperability; Moderate - the additional code gives us differentiation; We should be looking to minimise our internal code development); responses: Increased, Remained the same, Decreased; x-axis 0% to 100%.]

It is also a fact that, where organisations see the competitive advantage to be gained from innovative software applications, their reliance on developing their own applications or modifying applications developed by third parties is growing (Figure 2). However, the prevalence of patches and security updates for software applications indicates that many of the applications on which businesses rely are insecure. According to NIST (National Institute of Standards and Technology), 92% of vulnerabilities affecting computer networks are contained in software applications. As organisations increasingly look to outsource application development, more components of software applications are being developed outside of their direct control, although most will try to control the security applied to outsourced applications through service-level agreements. This presents further challenges for organisations in controlling the security of applications developed by third parties, and of ensuring that such software cannot be used to infiltrate their networks; for example, through use of a backdoor in the software. This is something that TD Ameritrade found out to its cost when it was forced to disclose in summer 2007 that personal details regarding 6.3 million customers had been leaked through a vulnerability caused by a backdoor created by a programmer. At the same time, it terminated a contract with a third-party development organisation.

[Figure 3: Importance of software development versus percentage outsourced. Bar chart by importance category (Business critical - business hinges on in-house code; Important - use external applications and use internal code for interoperability; Moderate - the additional code gives us differentiation; We should be looking to minimise our internal code development); outsourcing bands <40%, 40% - 80%, >80%; x-axis 0% to 100%.]

As Figure 3 shows, those organisations for which software development is business critical or important are the least likely to outsource this activity. This is something that is not lost on the organisations surveyed for this report. As Figure 4 shows, those organisations for which software development is becoming increasingly important are far less likely to outsource this activity than those for which software development is decreasing in importance.
[Figure 4: Growth in dependence on in-house development versus percentage outsourced. Bar chart; rows: Increased dependence, Remained the same, Decreased dependence; outsourcing bands <20%, 20% - 39%, 40% - 59%, 60% - 80%, >80%; x-axis 0% to 100%.]

When the prevalence of outsourcing software development is correlated against the percentage of overall IT budgets spent on security (Figure 5), it can be seen that outsourcing is actually the less costly option. However, this does not necessarily make outsourcing the best software development strategy, since, whilst those that outsource the least are spending a high proportion of their IT budgets on security, they are in a better position to have direct control over the security of those applications and to ensure that it is built in at the early stages of the development lifecycle. This means that they accrue less cost in the long term as the application does a better job of providing business value.

[Figure 5: Security spend versus percentage development outsourced. Bar chart; rows (% IT security spend): >20%, 15% - 20%, 10% - 14%, 5% - 9%, <5%; outsourcing bands <40%, 40% - 80%, >80%; x-axis 0% to 100%.]

[Figure 6: Subject of hacking versus percentage outsourced development. Bar chart; rows: Frequently, Sometimes, Rarely, Never; x-axis 0% to 100%.]

This is something borne out by Figure 6, which shows that those that admit to being subjected to frequent hacking attacks are most likely to be outsourcing a large proportion of their software development needs. However, among respondents from the UK, in particular, those outsourcing more than 80% of application development reported lower levels of attack than their counterparts in the US or Germany. Often at the vanguard of new technology deployments, the financial services industry is the one making the greatest use of outsourcing for application development, with 80% of organisations in this sector outsourcing at least some part of this (Figure 7). However, as has been seen, outsourcing can be a less secure strategy and can lead to greater security vulnerabilities being introduced unless the proper processes are mandated for third-party developers.

[Figure 7: Software development outsourcing by industry. Bar chart; rows: Financial services, Public sector, Travel and transport, Retail supply chain, Other large enterprise, High tech & telco, Professional services, Industrial, Utility; outsourcing bands <40%, 40% - 80%, 80%+; x-axis 0% to 100%.]

Regulatory compliance focuses on data protection

As reliance on business software grows and more organisations open up their networks for remote access, they are increasingly becoming victims of security breaches. Hackers are becoming more sophisticated, no longer looking to launch widespread attacks for notoriety—instead they are launching stealth attacks against specific targets for financial gain. Relatively simple attacks such as viruses sent as email attachments seem to be on the wane but, in their place, new methods of attack are becoming widespread, such as spyware, phishing and pharming, where hackers are looking to harvest information contained on computers that they can use for nefarious purposes.

In recent years, organisations have looked to protect themselves from attacks by putting in place point security defences against such attacks and writing policies to enforce specific standards of user behaviour so that their employees don’t fall victim to social engineering attacks in which they are tricked into giving away sensitive information. As a result, new types of attack are becoming more common that target areas where defences are the weakest—the software applications that run on computer networks. New types of hackers are emerging that look for insecurely written code and hunt for vulnerabilities in software applications that will allow them to steal information generated by those applications. Data leakage prevention is the new mantra for organisations today as the information that criminals can get their hands on can have huge commercial value. This allows them to assume false identities and perform financial transactions posing as someone else, or to sell intellectual property that they have stolen to the highest bidder.
At the same time, businesses are becoming increasingly regulated and most of those regulations contain clauses that require organisations to enforce higher standards of security. Some of these regulations demand that organisations notify the public in all cases where a security incident has led to personal data regarding individuals being lost. Not only do the negative headlines damage corporate reputations, but they can also cause financial harm in terms of lost business and the cost of cleaning up the mess. As Figure 8 indicates, data protection regulations are seen by businesses across the board as the most onerous for their companies.

[Figure 8: Importance of regulations. Bar chart; regulations: Data protection, PCI, Sarbanes-Oxley, Other, Basel II, FISMA, MiFID, FFIEC; y-axis % respondents citing as important, 0 to 90.]

Again, the financial services industry leads in the awareness of data protection regulation (Figure 9). However, these regulations affect all businesses that have information collections related to employees, customers or business partners. Utility, travel and transport, and industrial organisations score the lowest—even though such industries collect sensitive information and benefit from intellectual property that is a differentiator for the organisations involved.

[Figure 9: Importance of data protection regulations by industry. Bar chart; rows: Financial services, Other large enterprise, Professional services, High tech & telco, Retail supply chain, Public sector, Utility, Travel and transport, Industrial; responses: Yes, No; x-axis 0% to 100%.]

As Figure 10 shows, complying with data protection regulations is seen as very important for the majority of organisations. However, such regulations are only viewed as important by three-quarters of German organisations interviewed—this is surprising given that the German interpretation of the EU data protection act is seen as among the most prescriptive of those put in place by individual member states.

[Figure 10: Importance of data protection regulations by country. Bar chart; rows: UK, US, Germany; responses: Yes, No; x-axis 0% to 100%.]

New types of applications

A further headache for organisations is that the internet has come a long way from being largely a collection of websites containing static content, such as marketing brochures. Today’s business users demand advanced tools that allow a much higher degree of interaction, and dynamically produced, on-the-fly content is becoming the norm. To cater to these expectations, so-called Web 2.0 applications are being developed that provide such interaction and organisations are beginning to turn to the use of these applications in their businesses (Figure 11).

[Figure 11: Use of Web 2.0 technologies. Bar chart; rows: Germany, US, UK; responses: Heavy, Moderate, Sparing, None; x-axis 0% to 100%.]

The increasing importance of Web 2.0 applications can be seen in that they are coming into greater use—and especially among those businesses for which software application development is mission critical (Figure 12).

[Figure 12: Use of web technologies versus importance of software development. Bar chart by importance category (Business critical - business hinges on in-house code; Important - use external applications and use internal code for interoperability; Moderate - the additional code gives us differentiation; We should be looking to minimise our internal code development); responses: Heavy, Moderate, Sparing, Don't use; x-axis 0% to 100%.]

[Figure 13: Programming languages used for application development. Bar chart by country (Germany, US, UK); y-axis % respondents saying yes, 0 to 80.]
In order to write Web 2.0 applications, a number of new programming languages have been developed that allow richer applications to be written with dynamic, user-friendly interfaces (Figure 13). However, these new languages have not generally been written with security in mind. The problems involved are not yet widely understood, but the use of Web 2.0 applications is increasing in companies—potentially leaving those organisations open to a new class of vulnerabilities.

Many of these make use of AJAX (Asynchronous JavaScript and XML). Problems involved with using AJAX include the amount of processing logic that occurs on the browser client side, instead of at the server level, and the fact that most make use of JavaScript as a mechanism for communicating data.

One of the key security problems with using JavaScript is that it can be manipulated by attackers in order to gain access to the information being transported. JavaScript code can be embedded in HTML pages and interpreted by the web browser. This allows websites to appear more dynamic and interactive, but it also means that more of the business logic is exposed to the users—and therefore the hackers as well—such as access controls and session management logic.

Attackers can make an adjustment to the programming code—for example, to get around access controls in order to allow them to masquerade as other users. Alternatively, they can insert malicious code into the application or disable request throttling and other safeguards to launch denial of service attacks.

Another feature of AJAX is that it incorporates a large number of smaller modules and a higher level of interaction between modules than traditional programming languages. This presents a challenge for programmers and raises the possibility of human errors being made in coding. The large number of small modules also makes AJAX more vulnerable to attack as it increases the overall attack surface, with each request for information and response representing a potential attack vector. Of those respondents developing Web 2.0 applications, a significant number are reporting that they are encountering vulnerabilities that are specific to new programming languages and this can actually increase the overall number of vulnerabilities to which the organisation is exposed (Figure 14). For example, a vulnerability that allows a hacker to inject SQL code into an application can lead to the hacker obtaining sensitive information contained in the application, such as customer data, with which they can then launch a phishing attack. Similarly, because AJAX uses JavaScript as a data transport mechanism, a hacker can launch an attack that hijacks JavaScript code, allowing a third party to access confidential information that it is transporting. Such attacks are not possible using traditional web programming languages that do not use JavaScript as a transport mechanism, and few security teams will be aware of the extent of the problem when using Web 2.0 technologies.

[Figure 14: Vulnerabilities affecting Web 2.0 applications. Bar chart; vulnerabilities: SQL injection, JavaScript hijacking, Insufficient authentication, Session hijacking, Command injection, Content spoofing, Cross-site scripting, LDAP injection, Cross-site request forgery; y-axis % respondents saying yes, 0 to 40.]

The use to which organisations are putting such Web 2.0 technologies (Figure 15) allows users much greater control over content that they generate themselves, including the ability to publish content online. This is something that organisations should be wary about, since security issues can surface through employees giving away personal, or even company-related, information through use of such tools.

[Figure 15: Which Web 2.0 technologies are being used. Bar chart by country (US, Germany, UK); technologies: Rich internet apps, Semantically valid markup, Microformats, Folksonomies, Cascading style sheets, REST/XML/JSON APIs, Syndication in RSS or Atom, Mashups, Web-publishing tools, Wiki or forum software; y-axis % respondents saying yes, 0 to 40.]

Details of legend for Figure 15:
(1) Rich internet applications, often AJAX-based.
(2) Semantically valid XHTML and HTML markup.
(3) Microformats extending pages with additional semantics.
(4) Folksonomies (such as tags and tag clouds).
(5) Cascading style sheets to aid in separation of presentation and content.
(6) REST and/or XML and/or JSON-based APIs.
(7) Syndication, aggregation and notification of data in RSS or Atom feeds.
(8) Mashups, merging content from different sources, client and server side.
(9) Web-publishing tools.
(10) Wiki or forum software etc. to support user-generated content.

The need to place controls on the use of applications developed using new programming tools—as well as to solve the productivity drain seen in some organisations through use of newer, more socially oriented, applications such as social networking sites and blogs—is leading many companies to try to block or limit their use (Figure 16).

[Figure 16: Policies and technologies for limiting or blocking use of socially oriented applications. Bar chart; applications: Software downloads, Webmail, Chat rooms, Social networking sites, Blogs, Instant messaging, Portable storage devices, VoIP, PDAs, smart and camera phones; responses: Technology, Policy, Both, No; x-axis 0% to 100%.]
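The JavaScript hijacking entry in Figure 14 refers to the case where a JSON array that should only be visible to a logged-in user is served in answer to a plain GET: another site can then load that URL with a script tag and read the data. The block below is an added example, not code from the Quocirca report or from Fortify; it shows the two server-side controls normally used against this, a required custom request header that a script tag cannot send, and a non-executable prefix on the JSON body, together with the matching client-side unwrapping. It assumes an Express-style request object with lower-case header names; the header name and the prefix value are conventions chosen for this example, not a standard.

```javascript
// Added example (not from the Quocirca report or from Fortify): guard a JSON
// response against being loaded cross-site as a <script>, and unwrap it on the client.
// Assumptions: requests are plain objects { method, headers } with lower-case header
// names; GUARD_PREFIX and REQUIRED_HEADER are conventions chosen for this example.

const GUARD_PREFIX = ")]}',\n";             // a <script> loading this body hits a syntax error
const REQUIRED_HEADER = "x-requested-with"; // a <script src> cannot attach custom headers

// Constructed sample data standing in for an authenticated user's private records.
const SAMPLE_RECORDS = [
  { id: 1, email: "alice@example.com" },
  { id: 2, email: "bob@example.com" },
];

// Server side: only answer requests that carry the header the application's own
// XMLHttpRequest code sets, and prefix the JSON so it is not executable as script even
// if a header check is misconfigured somewhere else.
function guardJsonResponse(req, payload) {
  const headers = req.headers || {};
  const marker = String(headers[REQUIRED_HEADER] || "").toLowerCase();
  if (marker !== "xmlhttprequest") {
    return { status: 403, contentType: "text/plain", body: "custom request header required" };
  }
  return {
    status: 200,
    contentType: "application/json",
    body: GUARD_PREFIX + JSON.stringify(payload),
  };
}

// Client side: the application's own fetch/XHR code strips the prefix before parsing.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Self-check used below: would a browser accept this body as a script at all?
// Function() only parses the text; it does not execute it.
function isParseableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return !(e instanceof SyntaxError);
  }
}

function demo() {
  const scriptTagStyle = { method: "GET", headers: {} }; // what a <script src> load looks like
  const ajaxStyle = { method: "GET", headers: { "x-requested-with": "XMLHttpRequest" } };
  const denied = guardJsonResponse(scriptTagStyle, SAMPLE_RECORDS);
  const allowed = guardJsonResponse(ajaxStyle, SAMPLE_RECORDS);
  return {
    deniedStatus: denied.status,                                       // 403
    allowedStatus: allowed.status,                                     // 200
    bareJsonIsScript: isParseableAsScript(JSON.stringify(SAMPLE_RECORDS)), // true: a bare array parses as JS
    guardedJsonIsScript: isParseableAsScript(allowed.body),            // false: the prefix breaks it
    records: parseGuardedJson(allowed.body),                           // the two records, unwrapped
  };
}

console.log(demo());
```

The two checks are independent: the custom header cannot be attached by a script-tag load, and the prefix means that even if a request slips past the header check the body is a syntax error rather than data the loading page can read. Only the application's own XHR code knows to strip the prefix, and the body is served as application/json rather than as a script type.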
However, a large proportion of survey respondents are relying on policies alone for blocking or restricting access (Figure 16)—and policies are notoriously hard to enforce. A better strategy is to deploy both technology and policies and to ensure that employees are aware of their obligations, as laid out in the policies set.

Another emerging technology and business strategy increasingly being deployed by organisations is a service-oriented architecture (SOA) (Figure 17).

[Figure 17: SOA adoption. Bar chart by country (Germany, US, UK); responses: Yes - fully; Yes - including existing applications; Yes - but only for new applications; No; x-axis 0% to 100%.]

A SOA works by calling up just those parts of a software application that it needs to service a computing request, combining that component with other functional components and components from other software applications. This potentially increases security problems, as each software component must be authenticated when it is accessed. If this does not happen, it is all too easy to inject a piece of rogue code into the request, thus contaminating a whole business process. Many organisations are SOA-enabling their legacy applications as well—potentially exposing applications that were never designed to be accessed in this manner and for which no security model has been defined. Professional services organisations are slightly ahead of those in financial services in SOA adoption, although more than half of organisations in all industries are adopting SOA—with the exception of the public sector (Figure 18).

[Figure 18: SOA adoption by industry. Bar chart; rows: Professional services, Financial services, Travel and transport, Utility, High tech & telco, Industrial, Retail supply chain, Other large enterprise, Public sector; responses: Yes - fully; Yes - including existing applications; Yes - but only for new applications; No; x-axis 0% to 100%.]

Technologies from larger, long-established vendors tend to be the most commonly used in developing a SOA, with those from Microsoft the most popular overall (Figure 19).

[Figure 19: Technologies used for SOA development. Bar chart; y-axis % respondents saying yes, 0 to 60.]

Spending on security

Given that attacks against computer networks are on the increase and that organisations are under pressure to comply with regulations that impose higher levels of security than previously, is enough being spent on security (Figure 20)?

[Figure 20: IT security spend by country. Bar chart; rows: UK, Germany, US; spend bands (% of IT budget) <5%, 5% - 9%, 10% - 14%, 15% - 19%, >20%; x-axis 0% to 100%.]

The respondents to this survey all actively develop at least some of the software applications on which their businesses rely. This process should involve ensuring that security is defined, implemented and tested early on in the software development lifecycle, which should reduce the cost of fixing problems later on in the development process—a far more expensive exercise. In general, spending on security is highest among high tech & telco companies—the majority of which state that in-house software development is critical or very important to them. Financial services and utility companies state that in-house development is even more important to them than high tech & telco companies—but they are spending considerably less on security (Figure 21).

[Figure 21: IT security spend by industry. Bar chart; rows: Industrial, Utility, Travel and transport, Professional services, Financial services, Retail supply chain, Public sector, Other large enterprise, High tech & telco; spend bands (% of IT budget) <5%, 5% - 9%, 10% - 14%, 15% - 19%, >20%; x-axis 0% to 100%.]
Respondents were also asked how they rated their security posture: do they take a proactive stance, trying to ensure that they are secure as possible; do they take a reactive stance, responding to incidents as they occur; or do they see security as an insurance policy, taking a risk mitigation approach (Figure 22). Figure 22: Security posture by country
One of the reasons why spending on security is still fairly low is that the IT security profession is not as regulated as much as others, such as accountancy. That is changing as standards such as ISO27001 come into more widespread acceptance, but levels of accreditation in organisations are not high at present. One of the key drivers is that organisations are starting to be fined for not complying with the security requirements of the numerous regulations with which they must comply (Figure 25). Figure 25: Levels of security accreditation
Germany
UK UK
US US Germany 0%
20% Proactive
40%
60%
Reactive
80%
100%
Insurance policy
By correlating the posture that a company takes on security, it is clear that taking a proactive stance to security is perceived as the more costly approach (Figure 23). Figure 23: Security posture versus amount spent on IT security
0%
20%
<5%
5% - 9%
40%
60%
10% - 14%
80%
15% - 19%
100% 20%+
What can be seen today is that levels of security accreditation among IT professionals are higher in those industries that have the most reliance on software development (Figure 26). Figure 26: Security accreditation by industry
Insurance policy
Financial services Professional services Utility
Reactive
High tech & telco Travel and transport Other large enterprise
Proactive
Public sector 0% <5%
5% - 9%
20%
40%
10% - 14%
60% 15% - 19%
80%
Retail supply chain
100%
Industrial
>20%
0% <5%
However, when IT security spend is correlated with the importance of software application development to a company (Figure 24), it becomes clear that, where application development is deemed business critical or extremely important, it is not necessarily the case that more is spent on security. This is potentially because, as application development is so important for them, they apply security early in the software development lifecycle, allowing them to spend less on security overall. Figure 24: Importance of software development versus amount spent on security Business critical - business hinges on in-house code Important - use external applications and use internal code for interoperability Moderate - the additional code gives us differentiation We should be looking to minimise our internal code development
0% <5%
5% - 9%
© 2008 Quocirca Ltd
5% - 9%
20%
40%
10% - 14%
60% 15% - 19%
80%
100%
20%+
Processes and tools used for application development In the early days of computing, security was less of an issue. When we just used mainframes, and even when network computing became common using the client-server model, security for many applications was largely achieved using just passwords and permissions. With the advent of open networks and the internet, security became a major issue as the tools and vectors for attack increased exponentially. Prior to the internet age, software was written for which security was not a prime consideration, as the capacity for an unknown person to access the software at any level was physically minimised. Programmers and developers cared more about making the applications that they developed efficient, and appealing design choices tended to take precedence over security. Now computers attached to the global public internet are in extremely widespread use and can be attacked anonymously by anyone with the correct technology prowess from anywhere in the world.
www.quocirca.com
March 2008
Why Application Security is Crucial
Page 9
Organisations have responded by increasing their security defences at the perimeters of their organisations—rather like how we have traditionally defended our settlements with walls and armies. However, increased use of technologies such as email and the internet means that business communications can tunnel through perimeter defences, making the walls placed around organisations increasingly porous. Point security products have increasingly been used to guard against attacks such as viruses, leaving hackers to turn their attention to other weaknesses that can be more easily exploited: flaws in software applications that can be manipulated to gain access to the data that they contain.

Software applications take months to develop and are built to last. It is much cheaper to build security in when the requirements for the application are planned and designed than to retrofit security to applications once they are already developed. When organisations develop new software applications, it should be mandated that security goals and strategy are defined at the requirements planning stage (Figure 27). However, fewer than 40% of organisations mandate this, with more carrying out such an approach “in most cases”. For these latter organisations, mandating should be a simple step that ensures security is built in, minimising ongoing security issues and expensive retrofit exercises. For those rarely, or never, using such an approach, now is the time to overhaul their view of security and make it part of the design and development phases—not part of the run-time.

Figure 27: Setting of security goals at the requirements planning stage
[Chart: % respondents by country (UK, US, Germany) answering Yes - it is a formal requirement; Yes - in most cases; Yes - in a minority of specific cases; No; chart not reproduced]

Once the requirements for the application have been set, application developers move on to the design stage. It is here that it is important to start building in security—defining the security architecture, security use cases, restricting input data types and modelling the threats that the application is likely to be exposed to (Figure 28).

Figure 28: Security processes built in at design stage
[Chart: % respondents saying yes, by country (UK, US, Germany), for Security architecture, Security use cases, Input data types and Threat modelling; chart not reproduced]

For example, if application developers do not limit the types of characters that can be input—for instance, restricting time and date fields to alphanumeric input—hackers can inject other characters. This allows them to perform numerous attacks such as cross-site scripting, which can be used to hijack user accounts or to launch phishing scams, or buffer overflows. Input validation attacks, caused by a lack of restrictions on what can be input into an application, are defined by OWASP (the Open Web Application Security Project) as the most dangerous flaws affecting the security of applications today.

Also at the application design stage, the use of a reusable security model, including pre-built components with pre-tested and known security levels, can be extremely helpful in defining some of the security requirements of the application without having to reinvent the wheel for each new application (Figure 29). Although software applications can vary widely in terms of the use for which they are intended, all applications tend to have fairly similar security needs in terms of such things as the levels of identification, authentication, authorisation, integrity and privacy required.

Applications also tend to face the same sorts of threats, such as theft or unauthorised disclosure of assets, and to be vulnerable to the same basic types of hackers. Because of this, reusable templates can be used for specifying most of the security requirements—for example, profiling different types of hackers by their motivation, typical levels of expertise and tools used, or the communications and services with which the application will interact. Reusable security models also tend to include sample secure build configurations and libraries of vulnerabilities that are known to exist, against which the requirements of the application can be modelled.

Figure 29: Use of a reusable security model
[Chart: % respondents by country (UK, US, Germany) answering Yes - fully implemented; No - but planning; No; chart not reproduced]

Figure 30: Risk rating systems used
[Chart not reproduced; the results are discussed in the text that follows]
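As an added illustration of the input validation point made above (example code written for this edition of the report, not taken from the survey, from Fortify or from any product it mentions), the following Python shows an allowlist validator for date and time fields together with output encoding of anything echoed back as HTML. The booking form, its field names and the sample submissions are constructed for the example; the unsafe renderer is included only to show the pattern that validation and escaping replace.

```python
import html
import re
from datetime import date, datetime

# Allowlist patterns: only the characters and structure a date or time field
# can legitimately contain. Anything else is rejected before it reaches the
# application logic or any HTML output.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
TIME_RE = re.compile(r"^\d{2}:\d{2}$")


def validate_date(raw: str) -> date:
    """Return a date if `raw` is an allowlisted YYYY-MM-DD string, else raise ValueError."""
    if not DATE_RE.fullmatch(raw):
        raise ValueError("date must match YYYY-MM-DD")
    # The regex checks shape only; strptime checks the calendar value (rejects 2008-13-45).
    return datetime.strptime(raw, "%Y-%m-%d").date()


def validate_time(raw: str):
    """Return (hour, minute) if `raw` is an allowlisted HH:MM string in range, else raise."""
    if not TIME_RE.fullmatch(raw):
        raise ValueError("time must match HH:MM")
    hour, minute = (int(part) for part in raw.split(":"))
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError("time out of range")
    return hour, minute


def render_unsafe(label: str, value: str) -> str:
    """The 'before' pattern: user-controlled text concatenated straight into markup."""
    return f"<p>{label}: {value}</p>"


def render_safe(label: str, value: str) -> str:
    """Output encoding: even validated data is escaped so markup characters stay inert."""
    return f"<p>{html.escape(label)}: {html.escape(value)}</p>"


def handle_booking_form(form: dict) -> dict:
    """Validate a constructed form submission and return an escaped confirmation.
    Rejected input yields {'ok': False, 'error': ...} and is never echoed back raw."""
    try:
        d = validate_date(form.get("date", ""))
        hour, minute = validate_time(form.get("time", ""))
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    summary = f"{d.isoformat()} {hour:02d}:{minute:02d}"
    return {"ok": True, "html": render_safe("Booking", summary)}


if __name__ == "__main__":
    # Constructed sample submissions: one well-formed, one carrying markup in a date field.
    good = {"date": "2008-03-14", "time": "09:30"}
    bad = {"date": "<script>x</script>", "time": "09:30"}
    print(handle_booking_form(good))
    print(handle_booking_form(bad))
    # Why validation alone is not enough if a value ever reaches markup unescaped:
    print(render_unsafe("Note", "<b>x</b>"), "vs", render_safe("Note", "<b>x</b>"))
```

The two layers are deliberate: the allowlist stops the field from ever holding anything but a date or time, and the escaping in `render_safe` protects the page even if a later change routes some other, less constrained value through the same template.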
Some of the elements found in a reusable security model, such as knowledge bases of common problems that can lead to software vulnerabilities, are contained in risk rating systems. Such systems can be used by application developers wanting to build secure code that is more resistant to exploits. Risk rating systems are among the most important tools used by developers to improve the security of the applications that they develop (Figure 30). Such tools allow organisations to determine the most effective controls for the risks that they uncover and to produce effective countermeasures against those risks. Most risk rating systems work by creating a model of the software application, including its components, data flows and trust boundaries, such as where it interacts with the internet or a database server, and identifying all known threats and vulnerabilities affecting that application. Those threats can then be categorised and ranked according to the perceived threat level. Some of these threat categories and rating factors can be seen in the names given to risk rating systems—for example, DREAD stands for damage potential, reproducibility, exploitability, affected users and discoverability; STRIDE stands for spoofing identity, tampering with data, repudiation, information disclosure, denial of service and escalation of privilege. However, as Figure 30 demonstrates, most companies are either not using risk rating systems or do not know whether they use any.

Now that security has been built into the applications, organisations need to analyse the applications that they develop in order to ensure not only that they perform as they should, but also that the appropriate level of security has been applied to them. It is best practice to review code at all stages of the software development lifecycle although, from the data collected for this survey, it can be seen that only 15% of respondents actually do this (Figure 31). In any case, code should be analysed before the application is implemented and released to users, and it is good practice to keep on reviewing the code as new threats and vulnerabilities come to light.

Figure 32: How software code is analysed
[Chart: % respondents saying yes, by country (UK, US, Germany), for Black box, Debuggers, Source code analysers, Automated code scanners, Vulnerability scanners, None and Don't know; chart not reproduced]
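The categorise-and-rank step described above, as an added worked example (written for this edition, not from the report or from any vendor's tool): a small threat model for a constructed web application in which each threat is placed in a STRIDE category, tied to a component and trust boundary, and scored on the five DREAD factors. The 1 to 10 scale per factor, the use of the mean as the overall rating, the "high" threshold of 7.0 and the four sample threats are all assumptions for the example.

```python
from dataclasses import dataclass

# STRIDE threat categories, as expanded in the report.
STRIDE = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# DREAD factors, each scored 1 (low) to 10 (high). The overall rating is the mean
# of the five factors: a common convention, assumed here rather than taken from the report.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass
class Threat:
    description: str
    component: str         # where in the model the threat applies
    boundary: str          # trust boundary involved, e.g. "internet -> web tier"
    stride: str            # one-letter STRIDE code
    scores: dict           # DREAD factor -> 1..10

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE code {self.stride!r}")
        missing = set(DREAD_FACTORS) - set(self.scores)
        if missing:
            raise ValueError(f"missing DREAD factors: {sorted(missing)}")
        for factor, value in self.scores.items():
            if not 1 <= value <= 10:
                raise ValueError(f"{factor} must be in 1..10")

    def rating(self) -> float:
        return sum(self.scores[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def rank_threats(threats, high_threshold=7.0):
    """Threats sorted highest rating first, each annotated with its STRIDE category
    name and whether it reaches the (assumed) 'high' threshold."""
    ranked = sorted(threats, key=lambda t: t.rating(), reverse=True)
    return [
        {
            "description": t.description,
            "component": t.component,
            "boundary": t.boundary,
            "category": STRIDE[t.stride],
            "rating": round(t.rating(), 1),
            "high": t.rating() >= high_threshold,
        }
        for t in ranked
    ]


def by_category(threats):
    """Count threats per STRIDE category so gaps in the model (categories nobody
    has considered yet) are visible to the reviewer."""
    counts = {name: 0 for name in STRIDE.values()}
    for t in threats:
        counts[STRIDE[t.stride]] += 1
    return counts


# Constructed threat model for a small web application with two trust boundaries.
SAMPLE_THREATS = [
    Threat("Unvalidated date field allows script injection", "booking form",
           "internet -> web tier", "T",
           dict(damage=7, reproducibility=9, exploitability=8, affected_users=8, discoverability=9)),
    Threat("Session token is guessable", "login", "internet -> web tier", "S",
           dict(damage=9, reproducibility=5, exploitability=4, affected_users=9, discoverability=4)),
    Threat("Database credentials in world-readable config", "web tier", "web tier -> database", "I",
           dict(damage=8, reproducibility=10, exploitability=3, affected_users=10, discoverability=3)),
    Threat("No audit log of booking changes", "booking service", "web tier -> database", "R",
           dict(damage=4, reproducibility=10, exploitability=2, affected_users=3, discoverability=2)),
]

if __name__ == "__main__":
    for row in rank_threats(SAMPLE_THREATS):
        print(row)
    print(by_category(SAMPLE_THREATS))
```

The ranking tells the team which countermeasure to fund first; the per-category count is the check that matters for a reusable model, because a category with zero entries usually means a class of threat was never modelled rather than that it does not apply.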
Figure 31: Analysing applications for security
[Chart: % respondents saying yes, by country (UK, US, Germany), for analysis at Design, Development, Deployment, Production when provisioned and Production at a continuous level against new threats; chart not reproduced]

There are a number of tools available for scanning the code of applications to ensure that security goals have been met (Figure 32). Debuggers are the most popular tools used and can be applied at various stages of the software development lifecycle to find and fix bugs in a software application: testing the components of the application individually, testing again when those components are brought together, testing the application in combination with the other products with which it needs to interact, and during customer beta testing.

These are necessary tools, as all software applications contain hundreds, thousands or even millions of lines of code, making it likely that at least some mistakes have been made along the way. Accepted levels are that there will be around 0.5 significant errors per thousand lines of code (KLOC), so a 10,000 line application (fairly small) will have five significant errors within it—somewhere. Other tools, such as black box testing, simulate how an application performs against hackers by mimicking the typical approaches that hackers take, to see how well the security controls hold up.

The tools described above are extremely useful for finding and fixing bugs that can be easily categorised, but many bugs are specific to a particular software application. To find such bugs, static code analysis (Figure 33), which can be customised to the needs of a particular organisation or type of application, is particularly useful. It works more like a traditional code review in that it can be used to find flaws, although it cannot be used as a quick fix. Such tools should, however, be used before any application is delivered to end users.

Figure 33: Static code analysis
[Chart: responses by country (UK, US, Germany); chart not reproduced]

One final key set of tools that software application developers have at their disposal for improving the security of the applications that they write is reporting tools (Figure 34). These collect data related to security threat activity seen in conjunction with a particular application and provide detailed management and audit reports that allow organisations to tune the security of their applications according to the vulnerabilities to which they can see that applications are exposed.

Figure 34: Security reporting tools used
[Chart: % respondents saying yes, by country (UK, US, Germany), for Change control and management, Security incident reporting, Logs and Other; chart not reproduced]
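To show what "customised to the needs of a particular organisation" can mean for static code analysis, here is an added example (written for this edition; not code from the report, from Fortify or from any product it mentions) of a minimal rule-based pass over Python source using the standard `ast` module. Three assumed organisation-specific rules are run over a constructed module that contains each risky pattern next to its hardened equivalent; the rule ids SCA001 to SCA003 and the sample module are invented for the example.

```python
import ast

# Organisation-specific rules (assumed for this example). A real deployment would
# grow this list from the team's own vulnerability knowledge base.
RULES = {
    "SCA001": "call to eval()/exec() on possibly untrusted data",
    "SCA002": "subprocess call with shell=True",
    "SCA003": "SQL query string built by concatenation/formatting passed to execute()",
}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at run time from parts (f-string,
    '+' concatenation, '%' formatting or .format()), i.e. data may be mixed into code."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return True
    return False


def _call_name(node: ast.Call) -> str:
    """Dotted name of the called function, where it can be determined statically."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    parts = []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


class RuleVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line number, rule id)

    def visit_Call(self, node: ast.Call):
        name = _call_name(node)
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, "SCA001"))
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self.findings.append((node.lineno, "SCA002"))
        if name.endswith(".execute") and node.args and _is_dynamic_string(node.args[0]):
            self.findings.append((node.lineno, "SCA003"))
        self.generic_visit(node)


def analyse(source: str):
    """Run the rules over one source file; return sorted (line, rule id, message) tuples."""
    visitor = RuleVisitor()
    visitor.visit(ast.parse(source))
    return [(line, rid, RULES[rid]) for line, rid in sorted(visitor.findings)]


# Constructed sample module under review: each flagged line sits beside its safe form.
SAMPLE_SOURCE = '''
import subprocess

def lookup(conn, user_id):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE id = " + user_id)     # flagged: SCA003
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))  # parameterised, not flagged
    return cur.fetchall()

def run(cmd):
    subprocess.run(cmd, shell=True)   # flagged: SCA002
    subprocess.run(["ls", "-l"])      # argument list, not flagged

def calc(expr):
    return eval(expr)                 # flagged: SCA001
'''

if __name__ == "__main__":
    for line, rid, msg in analyse(SAMPLE_SOURCE):
        print(f"line {line}: {rid} {msg}")
```

This is the shape of a rule a team adds when a bug class keeps recurring in its own code: the checker sees the program's structure rather than its text, so it distinguishes a query built with `+` from the parameterised form on the next line, which a string search could not.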
Conclusions

As electronic crime continues to increase, organisations are under pressure to be seen to be more proactive about IT security. This is not only something that makes common sense but also is increasingly a requirement being placed on organisations across a wide range of industries by governments and industry regulators. However, at the same time, not only are organisations becoming increasingly reliant on software applications, including those applications that they develop or modify themselves, but hackers are escalating attacks on those very applications as other lines of attack are closed with existing security products.

In order to guard against such threats and vulnerabilities, the onus is on organisations to improve their security by placing greater controls on the security of the applications themselves, or demanding the same from any third party that provides application code to them. This is especially true as next-generation applications employing Web 2.0 programming languages are developed, so increasing the levels of exposure to vulnerabilities, or as legacy applications are made available over broader networks in SOA deployments. Since packaged applications and components are widely used and are more likely to have their vulnerabilities discovered before a hacker attempts to attack an organisation, companies should, where possible, look to use off-the-shelf software components, or to reuse software components that have been written previously and which have been thoroughly tested for security.

Although the organisations surveyed for this report are actively looking to ensure that security safeguards are built into the applications that they develop, more could be done to better coordinate the development of software applications with security and regulatory compliance needs. This can only be done by considering security at all stages of the software development lifecycle. When this is done effectively, these organisations will find that yet another vector of attack has been closed and will be able to concentrate on running their businesses—rather than cleaning up after hackers have attacked them.
Appendix A—Sample interview distribution

The information presented in this report was derived from 250 interviews with senior IT personnel engaged in developing software applications, completed in December 2007 and January 2008. Distribution of the sample by geography, industry, job title and company size was as follows:

Figure 35: Respondents by country
• UK 40%
• US 40%
• Germany 20%

Figure 36: Respondents by industry
• Retail supply chain 13%
• Industrial 13%
• Utility 12%
• Public sector 12%
• Travel and transport 11%
• Financial services 11%
• High tech & telco 10%
• Other large enterprise 10%
• Professional services 8%

Figure 37: Respondents by job title
• IT manager 60%
• IT director 24%
• Applications or systems manager 7%
• Security officer 7%
• Other 2%

Figure 38: Respondents by company size
• >5,000 employees 50%
• 1,000 to 5,000 employees 50%
About Fortify Software

Fortify® Software products protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite—Fortify 360—drives down costs and security risks by implementing threat intelligence and automating key processes of developing and deploying secure applications. Fortify Software’s customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com.

Contact information: 2215 Bridgepointe Pkwy, Suite 400, San Mateo, CA 94404, USA. T: (650) 358-5600 F: (650) 358-4600 W: www.fortify.com

Follow this link to benchmark your organisation: http://www.nkv5.com/fortifysoftware/survey/2008_01_survey.html
About Quocirca

Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With worldwide, native language reach, Quocirca provides in-depth insight into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with firsthand experience of ITC delivery who continuously research and track the industry in the following key areas:
• Business process evolution and enablement
• Enterprise solutions and integration
• Business intelligence and reporting
• Communications, collaboration and mobility
• Infrastructure and IT systems management
• Systems security and end-point management
• Utility computing and delivery of IT as a service
• IT delivery channels and practices
• IT investment activity, behaviour and planning
• Public sector technology adoption and issues
• Integrated print management

Researching perceptions, Quocirca uncovers the real hurdles to technology adoption—the personal and political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in any implementation. This capacity to uncover and report on end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises. Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform business and business process, but often fails to do so. Quocirca’s mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies.

Over time, Quocirca has built a picture of long-term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC, Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist firms. Sponsorship of specific studies by such organisations allows much of Quocirca’s research to be placed into the public domain at no cost. Quocirca’s reach is great—through a network of media partners, Quocirca publishes its research to an audience possibly measured in millions. Quocirca’s independent culture and the real-world experience of Quocirca’s analysts ensure that our research and analysis is always objective, accurate, actionable and challenging. Quocirca reports are freely available to everyone and may be requested via www.quocirca.com.

Contact: Quocirca Ltd, Mountbatten House, Fairacres, Windsor, Berkshire SL4 4LE, United Kingdom. Tel +44 1753 754 838