How to Protect Your Business from Malware in Custom Apps
When Pakistani IT professional Sohaib Athar inadvertently live-tweeted the American raid on Osama bin Laden's compound, he didn't expect to become an overnight internet celeb. And he certainly didn't expect the follow-up: A hacker installed malware on Athar's blog. His millions of new visitors--and potential new customers--were at risk of becoming malware victims.
Security attacks on businesses--from single-person operations to some of the corporate world's giants--are on the rise. It's a new and increasingly ugly world out there for companies doing business on the web.
Even corporations with enormous resources and teams are vulnerable. Earlier in 2011, hackers breached the credit card and personal data of at least 70 million Sony PlayStation Network users. And RSA, a Bedford, Mass.-based security firm that provides security to more than 90 percent of the Fortune 500, was itself compromised by hackers who exploited a previously unknown flaw in software running on the company's own systems. Sony expects a $3.2 billion net loss for the 2010-2011 fiscal year, in part because of the attack. And RSA now faces persistent concerns that its once-unquestioned security products have been rendered less effective.
At the core of these attacks is a new family of business security risks. Not only are web criminals taking advantage of weaknesses in commercially available business computer hardware and software, they're exploiting the growing number of hidden flaws lurking inside the purpose-built, custom business applications that companies expose on their public websites. These application vulnerabilities have geeky, almost harmless sounding names like SQL (pronounced "sequel") injection and cross-site scripting. But they're far from harmless. A SQL injection lets an attacker rewrite the database query an application runs; cross-site scripting lets an attacker run script of their choosing in your customers' browsers. The attacks are real, profound and potentially devastating for businesses and their customers.
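To make the two flaws named above concrete, here is an added example, not code from the original article or from any of the vendors it mentions. It builds a constructed in-memory SQLite table standing in for a custom app's user store, shows a lookup that splices user input straight into the query beside the parameterized form, and shows an unescaped HTML greeting beside an escaped one. All names (`users`, `lookup_vulnerable`, the sample rows and the payloads) are assumptions made for the illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory store standing in for a custom app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation: the classic SQL injection flaw.
    Whatever the user types becomes part of the SQL statement itself."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same query with a bound parameter: the input is treated as data, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """Reflects user input into HTML unescaped: a cross-site scripting flaw."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_escaped(name):
    """Escapes <, >, &, quotes so the input is displayed, not interpreted."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Runs both versions against a constructed injection payload and a
    constructed script payload and returns the observable differences."""
    conn = make_db()

    # Constructed injection payload: closes the quoted string and adds an
    # always-true condition, so the concatenated query returns every row.
    sqli_payload = "x' OR '1'='1"
    injected_rows = lookup_vulnerable(conn, sqli_payload)
    parameterized_rows = lookup_parameterized(conn, sqli_payload)

    # The same concatenation also breaks on perfectly legitimate input:
    # a name containing an apostrophe turns into a SQL syntax error.
    try:
        lookup_vulnerable(conn, "O'Brien")
        legit_name_breaks = False
    except sqlite3.OperationalError:
        legit_name_breaks = True

    # Constructed XSS payload: what a visitor's browser would execute if reflected raw.
    xss_payload = "<script>alert(1)</script>"

    return {
        "injected_rows": len(injected_rows),          # all users leaked
        "parameterized_rows": len(parameterized_rows),  # no user named x' OR '1'='1
        "legit_name_breaks": legit_name_breaks,
        "raw_html": render_greeting_vulnerable(xss_payload),
        "escaped_html": render_greeting_escaped(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The point of the apostrophe case is that the concatenation bug is not only a security hole but a correctness bug: the parameterized query handles "O'Brien" and the injection payload identically, as plain data. Nothing here needs a scanner to find; it is the kind of flaw a code review of a custom app is looking for.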
"Increasingly, not only is commercial hardware and software getting attacked," says Jeff Williams, a private security consultant and chairman of the Open Web Application Security Project, a Columbia, Md.-based nonprofit application security trade group, "but custom applications written by a specific company are turning out to be just as vulnerable."
What this means for businesses big and small is that it is no longer enough to download and install the latest versions of a computer's operating system, software and security tools to be safe. Now firms face the mammoth task of testing, reviewing code by hand and tracking the overall level of risk to gauge how exposed the custom-made applications on their websites really are. These custom applications include anything and everything that was custom-coded for a business and open for public web use, from company web pages to blog feeds, merchant accounts, shopping tools, content management systems and public-facing marketing apps.
For many firms, that means inspecting and risk-rating a minimum of tens of thousands of lines of code. Any application found to be vulnerable in a way that exposes critical information must be fixed immediately or, if that's not possible, taken offline.
"It's important to understand that application security is quite hard," says Justin Clarke, principal of Gotham Digital Science, a New York-based security firm. "But it is not prudent to do nothing. Criminals don't care about you. They are attacking you to get at your customers."
And don't plan on application security being cheap. App security professionals are the high-paid elites of the software-coding world. Hourly security contractors start at several hundred dollars per hour, and application security software can run a cool seven figures to purchase and easily 10 or 15 percent of that in per-year costs to maintain. It's no wonder that large corporations have annual application security budgets in the millions of dollars.
But there are rays of hope for smaller shops looking to make custom applications secure. A new generation of web-based application security options is opening to smaller businesses. None of these tools are Norton AntiVirus cheap: Companies should expect to spend at least $15,000 annually--or much more if they have even an average web presence--for a meaningful increase in application security. That price tag means some firms will simply choose to--or have to--live with the risk. But for businesses with legal, medical or governmental practices, where data loss can lead to civil and criminal penalties, there is no choice but to pay up to make your business's applications secure.
The Route to Application Security:
Pay to make application security someone else's problem. Along with just knowing that you're taking the steps to protect your business and customers, there's another upside to moving ahead with an application security plan: shared responsibility when problems arise. In the case of a security breach, the company you hired to host your web operation will have to own its part of the problem. Read the contract for what that part is: a host typically stands behind the infrastructure and services it operates, while flaws in code you wrote and deployed on top of it remain yours.
When it comes to hiring a third-party host, don't get cute. Hire as large, well-staffed and well-funded an organization as you can possibly afford. Amazon Flexible Payments Service and PayPal are excellent online checkout partners. Both are well-funded and can point to well over a decade of almost-constant security updates and experience. Google and Microsoft offer excellent hosted web services and have several types of security products for small businesses. ADP, Intuit and Paychex offer secure payroll and business systems and have solid track records of providing app security for large companies.
And don't forget your blogging and social media services--the places where you interact with customers are particularly risky. Many experts agree that Google's Blogger and WordPress' hosted web apps offer good, secure resources for small businesses.
"I am a big believer in outsourcing whatever you can," says Bill Pennington, chief strategy officer for WhiteHat Security, a Santa Clara, Calif.-based web security company that provides security risk analysis to medium and large businesses. "Large web services firms have a billion dollars invested in keeping their networks secure. It is impossible for smaller firms to replicate that, no matter what they spend."
Just be sure that whatever outsourcing solution you use, you arrange for an active backup of company data stored where you control it. If there is ever an issue, you want to be able to take your information and run.
Take basic security precautions. Full-on custom application security might be beyond your budget or needs, but even the smallest online shop should establish a basic security plan. At the very least, make sure you have a robust and up-to-date means of backing up your web content--since fixing most attacks is about putting back what you had. Then make sure all your online business passwords are updated, complex and not reused across services. Most good web apps now have password strength checkers. Take them seriously. Then check that all the standard commercial software running in your firm is up-to-date. Several companies make top-quality network scanning tools that are surprisingly low- or no-cost. Here are three:
1. Clone Systems: Primarily a managed network security company--that is, it charges to watch your network for you--it also offers an entry-level scanning tool that generates a high-quality report detailing what is up-to- and out-of-date on your network.
2. Tenable Network Security: A leader in so-called active scanning--it noses around automatically to find risks on your applications--the company provides one of the more popular scanning apps on the market.
3. Qualys: The application security scanning firm is attempting to offer fully automated tools for complex application security. Automatic scanning tools are controversial in security circles since some classes of flaw, such as errors in an application's business logic, can still be found only by a human reviewer. But Redwood Shores, Calif.-based Qualys offers what most agree is a high-quality tool. Though its tools can run several thousand dollars a year, it has several no-cost scanning options that make a good starting point for small businesses.
"We wanted to make top-quality application security available to any business," says chairman and CEO Philippe Courtot. "And with a bit of knowledge, even the smallest business can run them."
But don't be surprised if it serves up results you simply don't understand--or don't know how to act on. Scanning tools are just a piece of the security puzzle. You will need to pay for a professional's time to help run them. This, of course, puts smaller companies in a terrible bind. Should you devote resources toward security you may or may not need? Your best bet: Interview a range of application security consultants to gauge the threat to your company's security, and decide from there whether you can handle the risk of going without.
Choose an application security consultant. Now for the hard part: Welcome to the complex, pricey--and, frankly, annoying--world of hiring an application security professional. For the most part, application security experts mean well and, yes, try hard. But, like many high price tag consultants, they're often hard to manage and think they work outside (or above) the system. Expect your application security consultant to clash with your software developers since your new expert will, basically, be telling your old expert what to do.
Finding the right consultant is tricky. The smart place to start is with the local chapter of a nonprofit security organization, such as the Open Web Application Security Project. Choose a security professional with a proven track record in your type of software. If you can find one doing primary research in your particular field, even better. Also, like any hire, ask for solid references. You can also ask the vendors of automated application security tools; most have active referral services or relationships with local resellers.
So research your options and budget accordingly. But, just as you would with a medical doc, don't be afraid to get a second or even third opinion on your application security.
With the web quickly becoming a virtual Wild West, you'll need all the application security forces you can muster.
Tools For a Secure Tuneup
"There are a lot of good, solid application security scanning options on the market," says Barmak Meftah, chief products officer for HP's Fortify Software, a San Mateo, Calif.-based application scanning company. "These tools are fast, relatively affordable and can be purchased in a wide variety of options. But they do require a professional developer to properly interpret and implement."
Here's a look at eight security tools worth exploring for your company's protection.
1. w3af: An open-source web app scanner with a community of application security experts. It also offers some good training services.
2. Websecurify: A public testing framework for application security that also supports research.
3. PortSwigger Web Security: Maker of Burp Suite, one of the most popular tools among application security professionals.
4. Nmap: Created by Gordon Lyon, Nmap is an open source--and effective--network and port scanner. It maps which hosts and services you expose to the internet rather than testing application code, which makes it a useful first step before an application scan.
5. WhiteHat Security: A full-scale commercial vulnerability scanning product that charges an annual subscription fee. Prices start at $4,000 per year and rise quickly.
6. Veracode: An integrated software security firm that can handle both web and traditional software security.
7. HP WebInspect: One of several commercially available application security tools from HP. Usually aimed at bigger companies, it offers several lower-cost products that can work for smaller firms.
8. IBM AppScan: IBM's answer to HP's application security products.