Feeds

‘Penetrate and patch’ e-business security is grim

@stake survey

  • alert
  • submit to reddit

SANS - Survey on application security programs

Application security flaws introduced early in the design life cycle are giving rise to easily exploitable defects that can readily be prevented.

That's the main conclusion of an evaluation of 45 e-business applications by security consultancy @stake.
It says the current state of application security is "grim".

@stake found that nearly half of application security defects - 47 percent - are both readily exploitable and could cause significant loss of reputation or customer revenue, but the defects were entirely preventable. The consultancy found that the best-designed e-business applications have 80 per cent fewer security defects than the worst.

A selection of wireless applications, off-the-shelf packages and Web-transactional apps supplied by @stake's clients were put through their paces during its security evaluation.

The methodology involved a code review; a look at the architecture and design of applications; and attack simulations. As security testing was carried out under non-disclosure agreements it is unclear when issues will be highlighted to the wider community.

@stake's testing reveals some worrying trends in application insecurity.

These include insufficient rigour in checking user input, a problem that can give rise to buffer overflow attacks, and a lack of secure authentication and access control features within applications. User session security proved to be the "Achilles heel" of many of the apps analysed.

Nine classes of common security flaws can make applications insecure, according to @stake's research. These are: administrative interfaces authentication/access control, configuration management, cryptographic algorithms, information gathering, input validation, parameter manipulation, sensitive data handling and session management.

Avi Corfas, vice president for @stake in EMEA, said the problems are more to do with the way applications were designed rather than the platform they run on. Somewhat controversially, he claimed 70 per cent of the problems @stake identified were in their design and only 30 percent were in implementation.

Anecdotal evidence from other security consultants suggests the vast amount of security risks is caused by incorrect implementation, for example the interaction between applications or how applications are installed. That's to say nothing of failure to apply patches, of course, which @stake points out would be far less of an issue if developers addressed security problems early in the design process.

"Many companies treat security as 'penetrate and patch' rather than employing secure software engineering practices that would have produced a safer application from the start," said Andrew Jaquith, program director, @stake.

In order to benchmark application security best practices, @stake compares and contrasts the top and bottom performers in its study as measured by business risk.

The six areas that differentiate the best from the rest are: early design focus on user authentication and authorisation; mistrust of user input; end-to-end session encryption; safe data handling; elimination of administrator backdoors; mis-configurations and default settings and security quality assurance. ®

External links

The Security of Applications: Not All Are Created Equal, study by @stake

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.