Author: admini

This article highlights both technical and business trends in web application security.

Traditionally, vulnerability analysis (and its management) has been focused at the network or operating system level. Trends are leaning towards merging the ability to scan for network vulnerabilities and application-level vulnerabilities together. The goal in this merging of network and application vulnerability analysis is the ability to use data found from one level and drive a more focused approach for the other level.

Another key area where we will see more integration is in the area of network management consoles. Currently, most consoles are geared towards soliciting network device information (e.g. firewalls). On the network side, consoles can be set up to attach patch management solutions to notifications of problem detection. However, many web applications are proprietary and thus unique to a particular customer or department within a large corporation.

Mercury Interactive, a major player in automated testing tools, recently announced partnerships with some leading application security testing companies that provide an integrated solution between Mercury’s testing products and the vendors’ application vulnerability detection tools. Some vendors have created development tools for enhancing code security, but to date, sales of these tools have been relatively poor. In addition, most of these code scanning tools are unable to provide complete application awareness and can only focus on a specific module of code.

This has started to prompt some awareness in the developer community. However, it is still too early for application tools to incorporate sophisticated integration, as web application security analysis still lies primarily in the hands of security professionals such as penetration testers, QA engineers, and auditors.

While no formal direction has yet been established, industry trade groups, such as the Information Technology Association of America (ITAA), are anticipated to start providing guidelines for web application security for offshore code.

With the rise of cross-site scripting (XSS) attacks, tools are still only focused on inline detection (the ability to attack and detect success in the same process). Complexities yet to be tackled include performance (as large amounts of data from the web application and user input need to be stored and referenced with each new interaction) and accuracy (by reducing false positives). For example, some large financial organizations have recently had issues with cross-frame scripting (XFS), a particular type of phishing attack that poisons a single frame in a page. While web services has been very slow in mass adoption, some users have sites and online applications that depend on web services, and therefore have an urgent need to test for web services vulnerabilities.

For the most part, vendors in this space have focused on simple detection techniques such as XML (malformed) schema based attacks and applying known web application vulnerabilities in non-XML applications to XML applications. This generally involves the ability to write scripts to address new and cutting-edge vulnerabilities. Vendors have been using scripts that use languages ranging from ones that look like Visual Basic to JavaScript and Nessus’ NASL language.

For the immediate future, most well-defined tools will choose multiple script languages to incorporate open source tools as well as proprietary methods.

Another area poised for substantial increases in effectiveness is the ability to handle testing of client-side technology for web applications.

Some of the more prominent standards include the Application Vulnerability Description Language (AVDL) and Web Application Security (WAS), which are both XML-based standards.

http://www.securityfocus.com/infocus/1809

But now employers are going further than ever, thanks to technology that can capture e-mail and instant messaging conversations, or record a worker’s every keystroke. Websense, a maker of Internet monitoring tools, has seen its stock price nearly double in the last year, though it saw some gains erased late last week. Other top players in the market include SurfControl and Secure Computing.

“I think all these companies are seeing great demand,” said Katherine Egbert, an analyst with Jefferies & Co. “Lately, regulatory compliance issues, and deadlines for meeting those regulations, have been driving sales.” The regulatory factors include financial reporting rules under the Sarbanes-Oxley Act and health care privacy mandates set forth in the Health Insurance Portability and Accountability Act, also known as HIPAA. Liability concerns regarding employee e-mails and IMs are also on the rise, as lawyers increasingly turn to computer records as evidence in sexual harassment suits and other legal actions involving the workplace.

Even tech luminaries, such as Microsoft Chairman Bill Gates, have used corporate networks to send e-mail that proved embarrassing in court.

“Productivity is a concern; loss of confidential information is still a concern; security breaches are a concern. Employers are afraid of being sued,” said Nancy Flynn, executive director of the ePolicy Institute, which, together with the American Management Association (AMA), recently published a survey on e-mail and IM surveillance in the workplace. “In almost every workplace lawsuit being filed today, e-mail is being subpoenaed as evidence,” Flynn said.

“IM will soon be subpoenaed on a regular basis as well.”

Aiming at IM According to the ePolicy-AMA survey, 60 percent of U.S. companies now use software to monitor incoming and outgoing external e-mail, while 27 percent of employers use software to track internal e-mail between employees. By contrast, employers have been relatively slow to monitor instant messaging, with just 10 percent of companies surveyed indicating they have taken steps to listen in on desktop chat. “Employers think IM is an emerging technology and they don’t have to monitor it yet,” Flynn said. “But if they have employees in their 20s, chances are (those employees) probably have been using IM since high school and view it as old technology.

And if a company doesn’t provide enterprise IM, (workers will) probably go out on the Internet and download a free version.”

IM giants America Online and Yahoo launched plans two years ago to offer corporate versions of their IM products, promising better security, along with regulatory compliance features not found in their free versions. Both have since scaled back those plans, but other companies have stepped in to fill the void, including industry titans such as Sun Microsystems and IBM, which are embedding their own IM products into their existing applications, and smaller companies such as IMLogic, FaceTime Communications and Akonix.

“Industry estimates say that by the end of 2005, IM in the workplace will surpass e-mail in the workplace,” Flynn said. “IM is coming on fast, and given that, employers need to take the necessary steps now with their policies and monitoring software.”

Monitoring software downloads is a top issue as well, industry observers and legal experts say.

In 2002, an Arizona company paid $1 million to settle a lawsuit with the recording industry that charged copyright violations involving MP3s stored on the company’s computer systems.

Customers such as PepsiCo and Ford Motor use Websense software to track and report employee Internet usage, block access to some Web pages, and set temporary access windows that limit the times some sites are available. Many corporations have adopted policies banning file-swapping software in the office and installed network traffic management software to track down potential violators.

Despite hot prospects, the industry has not seen a flood of new players. Instead, it has seen a rise in consolidation, particularly this year, Jeffries analyst Egbert said. Among recent deals, Blue Coat purchased Cerberian, CyberGuard acquired Webwasher, and Internet Security Systems bought Cobion.

Courts have generally found that employers have the right to monitor equipment that they own on their premises, including telephones and computer systems. Nevertheless, laws surrounding the monitoring of employees’ electronic communications are not as cut-and-dried as they appear, legal experts say. The law, on the face of it, looks like it’s illegal. But the courts have ruled that viewing stored e-mail is not considered a violation of the wiretap laws,” said attorney Philip Gordon, chairman of the privacy practice group for law firm Littler Mendelson. In one U.S. Court of Appeals case, the court further detailed how it is only considered a violation of the Wiretap Act if an e-mail is intercepted while it is traveling through the network pipe and is between two points.

http://news.zdnet.com/2100-1040_22-5423220.html?part=rss&tag=feed&subj=zdnet