www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
12 November 2007  

Vendor Accent

Protecting Web-based applications from hackers

Rakesh Singh explains how Web-based applications can be secured from hackers

In today’s electronic era, where speed and reliability are business norms, enterprises provide convenient, easy-to-use Web applications through which customers execute their day-to-day online transactions. Web-based applications are programs that run on Web servers, use Web pages as their user interface, and can be accessed from any computer connected to the Internet. The benefits are significant, but so is the exposure: every such application is reachable by anyone on the Internet, attackers included.

According to a recent CSI/FBI Computer Crime and Security Survey, 95% of enterprises reported more than 10 serious Web security incidents last year, up from just 5% the year before. Given the sensitive and confidential nature of customer information and financial data, securing access to such information via the Internet has become a high priority for most enterprises.

In effect, a Web application is a tunnel between the Internet and an enterprise’s back-end databases: it accepts input from anyone and turns it into queries and commands against systems that would never be exposed directly. As applications go online, they also give hackers a path to seize control of the sensitive corporate and customer information sitting on those back-end systems.

Hackers generally have the advantage, since all they need is a single exploitable loophole to win the game, while the defender has to close every one. Although each application has its own logic and its own supporting components, most are vulnerable to a common set of application-layer threats. Those common threats can be handled by “global” security settings applied to every application, but there is still a need to define per-application security rules for the parameters, paths and business logic that are unique to each one.

Industry analysts are alarmed by the exponential increase in vulnerabilities found in Web-based applications that endanger customer information and critical business data. A recent Gartner study revealed that 75% of all attacks occur on Web applications.

Applications are business enablers, allowing people and programs to access the data and information that they need to perform their work. Because that information is often the target of an attacker, applications must be designed and implemented based on security requirements as much as they are based on functionality, performance, usability and quality requirements.

The trend is towards combining network vulnerability scanning with testing that roots out application-level vulnerabilities. Virtually all Web applications that process confidential information use Secure Sockets Layer (SSL) encryption to protect the confidentiality and integrity of data in transit. Although SSL has become a linchpin of e-commerce, on its own it is not enough: it secures the channel, not the application. A malicious request carried inside an encrypted session reaches the application exactly as the attacker sent it, and is invisible to any network device that cannot decrypt the traffic.

There are criteria that CIOs and IT managers have to keep in mind when choosing the right Web application security tool. Vulnerability assessment tools and Web application firewalls are the core components. An enterprise must also have an IT team with the technical expertise to administer these tools.

Vulnerability assessment tools are the foundation for finding security issues. Since hackers use intercepting proxies and automated penetration-testing tools, Web vulnerability assessment tools essentially simulate the work of a hacker: they crawl the application and send crafted input to every form field, parameter and cookie they discover. One of the most crucial qualities of such a tool is how quickly its checks are updated when a new class of attack appears.

Web application firewalls complement the testing tools. They address a gap left by traditional firewalls, which pass HTTP traffic through untouched and so cannot prevent the exploitation of flaws in the software behind it. That matters because applications rely on software that is not written by the in-house IT team and cannot always be fixed on demand. Once a testing tool discovers a security hole, the firewall blocks attempts to exploit it until an application patch is deployed (a practice often called virtual patching). Web application security therefore demands not only strong defenses against application-layer attacks, but also cloaking capabilities that mask the details of the application being probed: server and framework version banners, verbose error pages and other fingerprints that tell an attacker what to try next.
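As an added illustration of two points made above, the split between “global” settings and per-application rules, and the firewall acting as a stop-gap until a patch ships while masking the application’s details, here is a minimal request filter in Python. It is example code written for this page, not Citrix’s product or any real Web application firewall; the “banking” application name, its /account/view path and the numeric id parameter are hypothetical, as is the finding the virtual patch responds to.

```python
"""Added example for this page (not Citrix code): a minimal WAF-style
request filter showing global rules, per-application rules used as a
virtual patch, and response cloaking."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    app: str                      # application the request targets (e.g. by virtual host)
    method: str
    path: str
    params: Dict[str, str]        # decoded query/form parameters
    headers: Dict[str, str] = field(default_factory=dict)


# A rule returns a block reason, or None when the request passes.
Rule = Callable[[Request], Optional[str]]

ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_PARAM_BYTES = 2048


# ---- Global rules: applied to every application behind the firewall ----
def rule_method(req: Request) -> Optional[str]:
    if req.method not in ALLOWED_METHODS:
        return f"method {req.method} not allowed"
    return None


def rule_path_traversal(req: Request) -> Optional[str]:
    # catch raw and percent-encoded ".." segments in the URL path
    if ".." in req.path or "%2e%2e" in req.path.lower():
        return "path traversal sequence in URL"
    return None


def rule_param_length(req: Request) -> Optional[str]:
    for name, value in req.params.items():
        if len(value.encode("utf-8")) > MAX_PARAM_BYTES:
            return f"parameter {name!r} exceeds {MAX_PARAM_BYTES} bytes"
    return None


GLOBAL_RULES: List[Rule] = [rule_method, rule_path_traversal, rule_param_length]


# ---- Per-application rules: a virtual patch for one hypothetical finding ----
# Assumption (hypothetical): an assessment tool reported that the "banking"
# application's /account/view page forwards its "id" parameter to the
# database without validation. Until the developers ship a fix, the firewall
# enforces the format the application actually expects (a short decimal number).
def rule_account_id_numeric(req: Request) -> Optional[str]:
    if req.path.startswith("/account/view"):
        if not re.fullmatch(r"[0-9]{1,10}", req.params.get("id", "")):
            return "virtual patch: id must be a decimal number"
    return None


APP_RULES: Dict[str, List[Rule]] = {
    "banking": [rule_account_id_numeric],
}


def inspect_request(req: Request) -> Tuple[bool, str]:
    """Evaluate global rules first, then the rules registered for req.app.

    Returns (allowed, reason); the first matching rule decides."""
    for rule in GLOBAL_RULES + APP_RULES.get(req.app, []):
        reason = rule(req)
        if reason is not None:
            return False, reason
    return True, "allowed"


# ---- Response cloaking: hide what the application is made of ----
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
GENERIC_ERROR_BODY = "An error occurred. Please try again later."


def cloak_response(status: int, headers: Dict[str, str], body: str) -> Tuple[int, Dict[str, str], str]:
    """Strip version-revealing headers and replace server error bodies,
    which often leak stack traces or database error text."""
    cleaned = {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}
    cleaned["Server"] = "web"          # generic banner instead of product/version
    if status >= 500:
        body = GENERIC_ERROR_BODY
    return status, cleaned, body


if __name__ == "__main__":
    # constructed sample requests
    samples = [
        Request("banking", "GET", "/account/view", {"id": "42"}),
        Request("banking", "GET", "/account/view", {"id": "42x"}),
        Request("banking", "GET", "/images/../../etc/passwd", {}),
        Request("intranet", "TRACE", "/", {}),
    ]
    for r in samples:
        print(r.method, r.path, r.params, "->", inspect_request(r))
```

Note the ordering: global rules run for every application, and the per-application rule is consulted only for the application it was written for, so a second application with a different meaning for id is not broken by the banking virtual patch. The cloaking step is applied to the response regardless of which rules fired.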

Realistically, fancy tools are not enough. Just as hackers combine tools with expertise, companies need trusted experts who attack the applications themselves, and quality assurance staff trained to think like hackers. The best option is to outsource the testing of critical applications and build the expertise in-house to test the rest.

Additionally, initiatives have been established by the industry to raise awareness of Web application vulnerabilities, for instance, the Web Application Security Consortium (WASC) is an international group of experts collaborating to define security standards for the Web.

According to an online survey conducted by IDC in early 2006, the majority of enterprises polled said that large security software vendors are quite innovative in providing customers with the best licensing and maintenance support.

Enterprise solution vendors today are proactively addressing the Web application security requirements of enterprises. Application delivery solutions combine the features of traditional data center point products (load balancing, caching, compression, SSL acceleration, attack defense, SSL VPN) into a single network appliance, built from the ground up to maximize the performance and security of Web applications while simplifying use and management.

These solutions protect Web applications from the growing number of application-layer attacks and, by securing confidential corporate information and sensitive customer data, help protect customers against identity theft.

In a nutshell, top of line application security solutions maximize the performance and security of Web-enabled applications.

One of the organisations benefiting from such a solution is Security Service Federal Credit Union in the US. A spokesperson stated that the deployment delivers multiple capabilities within one solution, which significantly increased its value for long-term growth.

In the Asia Pacific, where the issue is fast becoming a concern for CIOs, it is expected that enterprises will be actively seeking help from Web application security solution providers.

The author is VP, Products and Managing Director, Citrix R&D India

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.