Application protection
The application is often cited as the most vulnerable component of an organisation's online infrastructure. How can it be protected?
It is a damning indictment of web site security. Since the start of 2000, application-level software vendor Sanctum has used its own scanning software to assess the vulnerability of over 300 web sites. And in 97% of these audits, Sanctum was able to ethically hack the web site, says Peggy Weigle, CEO of Sanctum.
In one particular audit during 2001, Sanctum was able to get to the actual source code of a major airline's online reservation system. This meant, "we could have put a complete dummy site [replicating the reservation system] that would have enabled us to collect all of the customer information such as flight itineraries and credit card details," says Weigle.
This revelation about the vulnerability of online applications will surprise few security experts. "Around 75% of web attacks are now occurring at the application layer," says John Pescatore, a vice president at analyst group Gartner.
A key reason for this vulnerability is that while organisations have invested heavily in protecting the perimeter of their networks, little has been done to protect online applications.
The reality is that even after deploying security products that typically include firewalls, intrusion detection systems, access control software and public key infrastructure software – if a hacker can get access to an organisation's web server they can get control of the application, says Laura Koetzle, an analyst at Forrester Research.
Tal Gilat, CEO of KaVaDo, a New York-based application-level security vendor, concurs. "You could put six firewalls in place, for example, one after another, but the firewall will take a message as a legitimate request [leaving the application exposed to hackers]," he adds.
This is because an application-layer attack "abuses" the business rules that tie front-end web servers to back-end database and transaction services, says Richard Barber, European business development manager at information security consultancy Integralis. "For some time now, hackers have been using these business rules to pull credit card and users' details, and also buy products more cheaply," he adds.
So what can organisations do to protect their applications from this type of attack? One option is to license the application-layer protection software that has appeared in recent years from a slew of largely US vendors. Leading the charge to provide application-level protection from known – as well as unknown – threats are Sanctum, KaVaDo and Stratum8 Networks.
KaVaDo's core product, InterDo, is one prime example. It sits in front of a web server and monitors traffic for anomalous behaviour. InterDo comprises eight modules that protect against known classes of attack, including 'cookie poisoning', in which an attacker alters the contents of the cookies a web site has issued; 'database sabotage', in which SQL commands are smuggled into application input to read or alter data in the back-end database; and 'Trojan horses', where malicious code is hidden inside an apparently harmless program.
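As an added illustration, not code from the article or from KaVaDo's InterDo, the following Python shows the simplest server-side defence against the first of those threats, cookie poisoning: the server signs every cookie it issues with an HMAC keyed by a server secret and rejects any cookie whose tag no longer matches, so an altered role or user id is detected before the application acts on it. The signing key, cookie layout and field names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side signing key for the example. In a real deployment it is loaded
# from a secrets store, never hard-coded, and rotated like any other credential.
SECRET = b"example-signing-key-not-for-production"


def issue_cookie(payload):
    # The cookie body is a base64url-encoded JSON document; the tag is an HMAC-SHA256
    # over that exact body, so any change to the body invalidates the tag.
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie):
    # Returns the payload if the tag matches, None otherwise. compare_digest keeps the
    # comparison constant-time so the tag cannot be guessed byte by byte.
    if "." not in cookie:
        return None
    body, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def poison_cookie(cookie, new_payload):
    # What an attacker can do without the key: rewrite the body (here, promote the
    # role) but keep the old tag. Constructed to show that verification rejects it.
    _, tag = cookie.rsplit(".", 1)
    body = base64.urlsafe_b64encode(json.dumps(new_payload, sort_keys=True).encode()).decode()
    return f"{body}.{tag}"


if __name__ == "__main__":
    good = issue_cookie({"user": "alice", "role": "customer"})
    bad = poison_cookie(good, {"user": "alice", "role": "admin"})
    print(verify_cookie(good))   # {'role': 'customer', 'user': 'alice'}
    print(verify_cookie(bad))    # None
```

The point of the check is that integrity, not secrecy, is what defeats poisoning: the attacker can read and rewrite the cookie body at will, but cannot produce a valid tag for the rewritten body without the server's key.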
KaVaDo's approach is to create secure tunnels or pipes, based on the parameters of legitimate activity that an application is specified to perform. These pipes create a trusted zone from a secure network card connection point, through the web and application servers to the application itself, says Ed Barlow, KaVaDo's technical director for Europe. "What we provide is a direct connection from an untrusted IP address to what will become a trusted IP address," he adds.
In addition to that approach, both KaVaDo and Sanctum also provide scanning software that identifies web site and application-level vulnerabilities.
However, aside from these targeted products, there is a lot organisations can do to protect their applications. A key problem is that security is not a primary consideration when applications are being designed. "There has been an inherent problem – although it is one that is slowly being overcome – where web-based applications were often not developed by people trained in computer science, but by people who were trained in computer graphics and design," says Frank Prince, a senior analyst at Forrester Research.
More specifically, web developers typically concentrate on what an application is supposed to do – and not the way it could be abused by a hacker. "The main problem appears to be a shortage of software developers that are experienced in producing secure code with an understanding of how hackers work to subvert code," says Barber.
A typical weakness is the way an application is written to query its database using SQL. For example, after a hacker has clicked on a simple web site link, the uniform resource locator (URL) in the browser's address bar, with its query-string parameters, often tells them much of what they need to know to craft a malicious database query. "This leads to some databases dumping their contents back to the screen when they get a SQL command they do not understand," says Brian Cohen, CEO of Security Protection Intelligence (SPI) Dynamics, a supplier of vulnerability scanning software that will also release an application firewall product at the end of 2002.
He adds: "Most application developers do not understand the full ramifications of not parsing SQL input correctly, and often forget to write applications that reject all improperly formatted statements."
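The weakness Cohen describes, as an added Python example rather than code from the article: a lookup that pastes a URL parameter straight into its SQL text is set beside one that binds the parameter as data, and one that additionally rejects malformed input before it reaches the database. The customer table, its contents and the parameter are constructed for the example, and it runs against an in-memory SQLite database so it needs no server.

```python
import re
import sqlite3


def build_db():
    # Constructed sample data standing in for the back-end database; not real records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, card) VALUES (?, ?)",
        [("alice", "4111-1111-1111-1111"), ("bob", "5500-0000-0000-0004")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer_id):
    # Vulnerable: the value of ?id= from the URL is pasted straight into the SQL text,
    # so "1 OR 1=1" turns a one-row lookup into a dump of the whole table.
    sql = f"SELECT name, card FROM customers WHERE id = {customer_id}"
    return conn.execute(sql).fetchall()


def vulnerable_error_text(conn, customer_id):
    # The same query fed a malformed value: the database's own error message comes
    # back to the caller, which on a badly written site ends up on the user's screen
    # and tells the attacker how the query is built.
    try:
        lookup_vulnerable(conn, customer_id)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def lookup_bound(conn, customer_id):
    # Parameter binding alone: the value travels as data and is never parsed as SQL,
    # so "1 OR 1=1" is compared as a literal string and matches nothing.
    return conn.execute(
        "SELECT name, card FROM customers WHERE id = ?", (customer_id,)
    ).fetchall()


def lookup_hardened(conn, customer_id):
    # Binding plus input validation: anything that is not a short decimal number is
    # rejected before it reaches the database, and the caller gets a generic error
    # instead of a database message.
    if not re.fullmatch(r"[0-9]{1,9}", customer_id):
        raise ValueError("rejected: malformed customer id")
    return conn.execute(
        "SELECT name, card FROM customers WHERE id = ?", (int(customer_id),)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "1 OR 1=1"))   # both rows: the table is dumped
    print(vulnerable_error_text(db, "1'"))     # database error text leaks to the caller
    print(lookup_bound(db, "1 OR 1=1"))        # []
    print(lookup_hardened(db, "1"))            # [('alice', '4111-1111-1111-1111')]
```

Binding is the control that actually closes the injection; the validation in front of it is what Cohen is asking for in the quote above, rejecting improperly formatted input outright so the database never sees it and never answers with an error message the attacker can learn from.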
To address such shortcomings in faulty code writing, more organisations are asking outside agencies to conduct code reviews. "Developers write a piece of code and then get someone who is a programmer with a particular focus on security to review the code and see if there are any inherent weaknesses that could be abused," says Barber at Integralis.
Outside of development environments, organisations can also help themselves by improving the security of the platforms that hackers often target to access applications. There are several techniques that can be deployed to "harden" the operating system used by a web server, for example, says Integralis' Richard Barber. Basically, you remove from your web server every application that you do not need, he advises. This is "because every application that is there potentially allows a hole that could be subverted", he says.
In addition, organisations have to keep their platforms up-to-date with the latest security patches – as the Code Red computer worm (see box, Shield from Code Red) amply demonstrated when it first appeared in July 2001. Such warnings will not be new to those in enterprise computing.
The only problem is that many organisations are still not listening. Analyst Laura Koetzle at Forrester says, apart from securing the perimeter of an organisation, "the vast majority of organisations do not do the most minimal thing they need to for security. With most organisations, once you get inside the perimeter, there is no security at all and hackers can just wander round the network and do exactly what they want."
This is a dangerous game because the application-level threat is here to stay. "The application is potentially the biggest threat because the whole purpose of it is to provide some level of access for an organisation's clients, partners and interested parties to get to the crown jewels at the back of the organisation," concludes Glyn Geoghegan, principal security consultant at security services specialist Internet Security Systems.