Rise of Botnets
By Elizabeth Millard | Posted 2008-10-29
Software as a service may be on the rise, but so are security threats targeted at loopholes in application code. Here are some application security strategies from industry experts, with a closer look at one area not generally associated with security and information technology management--insurance.
The Rise of Botnets
One of the most damaging threats that enterprises faced this year was the emergence of mass SQL injection bots, which ended up compromising hundreds of thousands of sites, says Ryan Barnett, director of application security at Breach Security, and a SANS Institute faculty member.
By using compromised home systems to build a botnet army, attackers send out instructions in the form of specially crafted SQL code; the end result is that any Web page that dynamically includes data from the affected database will also serve the injected malicious code, Barnett notes.
In order to combat this specific issue, enterprises need to make sure that Web application code is updated to utilize proper validation checks, Barnett adds: "All user-supplied data should be verified to ensure that it matches the expected size and character sets, and anything outside of the specific ranges should be rejected."
Also useful is a Web application firewall that should be deployed in production, he says, which can not only protect Web applications but also help identify and block any sensitive information leakages that might result from successful compromises.
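The validation rule Barnett describes, as an added Python example that is not from the article or from Breach Security: each user-supplied parameter is checked against an allow-list of characters and a maximum length, and only then bound into a parameterized query. The table, rows, parameter rules and request handler are all constructed for the example.

```python
import re
import sqlite3

# Allow-list per parameter: permitted character set and maximum length.
# Constructed for this example; a real application defines one rule per field.
PARAM_RULES = {
    "category":  (re.compile(r"[a-z]+"), 20),   # lowercase letters only
    "max_price": (re.compile(r"[0-9]+"), 6),    # digits only
}

class ValidationError(ValueError):
    """Raised when user-supplied data falls outside the expected range."""

def validate(name, value):
    """Return value unchanged if it matches the expected size and character set, else raise."""
    pattern, max_len = PARAM_RULES[name]
    if not isinstance(value, str) or len(value) > max_len or pattern.fullmatch(value) is None:
        raise ValidationError(f"rejected {name}: unexpected size or characters")
    return value

def build_demo_db():
    """In-memory SQLite table filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        (1, "Laptop", "hardware", 900),
        (2, "Mouse", "hardware", 20),
        (3, "Office Suite", "software", 150),
    ])
    return conn

def find_products(conn, category, max_price):
    """Validate both inputs first, then query with bound parameters (no string concatenation)."""
    cat = validate("category", category)
    price = int(validate("max_price", max_price))
    rows = conn.execute(
        "SELECT name FROM products WHERE category = ? AND price <= ? ORDER BY name",
        (cat, price),
    ).fetchall()
    return [name for (name,) in rows]

def handle_request(conn, params):
    """Simulated endpoint: returns (HTTP status, body); rejected input never reaches the database."""
    try:
        return 200, find_products(conn, params.get("category", ""), params.get("max_price", ""))
    except ValidationError as exc:
        return 400, str(exc)

if __name__ == "__main__":
    db = build_demo_db()
    print(handle_request(db, {"category": "hardware", "max_price": "100"}))
    print(handle_request(db, {"category": "hard'ware;", "max_price": "100"}))
```

Rejecting on size and character set before the query is what keeps metacharacters out of the database layer; the bound parameters are the second, independent line of defence.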
Another Web-centric concern is plug-ins, adds Holly Stewart, X-Force threat response manager for IBM's Internet Security Systems. "A lot of plug-in vendors are small, and they're not used to having to provide fixes for vulnerabilities," she says. "This complicates being able to patch." Her team has been monitoring exploits in the wild, and she notes that four out of five are related to plug-ins.
For companies using SaaS, there's some protection from all the Web app threats, but experts don't think that CIOs should get too comfortable.
"It's difficult to determine if the security offered by a SaaS vendor is sufficient, because they generally do not allow their customers to conduct security assessments on their services or infrastructure," says Arce.
On top of that, many SaaS vendors provide few details about their security policies for incident handling, patch management, or application development, he adds. That makes it more difficult to measure the true security risk of adopting SaaS initiatives.
"By aggregating the data and information processes from all their customers in just a few centralized organizations without strict compartmentalization, SaaS vendors may become both targets of opportunity for generic attacks and high-yielding targets for directed ones," notes Arce.