
June 2007

June 30, 2007

How iPhones Should Change Your Thoughts on Web Application Security

I'm sure that many of you saw the recent announcement from Apple. No, not the one about their iPhones finally being available. (I love new toys but I'm holding off on that one for now.) I'm talking instead about Safari now being available on Windows. Having a Mac at home I, of course, had to immediately download and play with it. It works about the same as the Mac version: clean resolution, quick speed, Mac feel. Unfortunately for Apple, it's not enough to pull me away from using Firefox. I won't go into all the details of why Firefox is better. Instead I'll leave that to someone else; check out the side-by-side comparison by Percy Cabello on Mozilla Links (http://mozillalinks.org/wp/2007/06/feature-by-feature-firefox-vs-safari/).

I'm also sure that those of you who saw the Safari announcement also saw the security alerts that came out shortly afterwards (http://www.networkworld.com/news/2007/061107-safari-for-windows-released-and.html and http://www.securitytracker.com/alerts/2007/Jun/1018282.html to name two). While it is to be expected for beta software, for software from such a high-profile company as Apple and for software with the claim of being "designed ... to be secure from day one", it shouldn't have happened quite that fast. It goes to show that you're never as secure as you think you are.

Anyway, I digress from where I was originally trying to go. With the introduction of one more serious browser client out there, it becomes that much more apparent that web applications will need that much more work. Whether you're designing in the latest Web 2.0 functionality or simply updating a new module, you now need to be testing against one more browser. You might think that simply following HTML standards would be good enough, but consider the different methods of presenting data used by Safari, Firefox, IE, and Opera. Then throw in the different operating systems for each. And then consider all the handheld devices which are now accessing web sites: Blackberries, Treos, iPhones. Users now have a ton of different methods to access your web application. And if you aren't prepared for all these choices, then someone is going to be able to use different devices to gather info about your web application and then use that info to find a vulnerability.

To a degree the method of access shouldn't matter. However, if you are only testing your web application with IE on Windows, you might want to consider including something else.

- Mike Kazmierczak, Cenzic, Inc.

June 19, 2007

HP follows suit by gobbling up SpiDynamics

As expected, HP announced the acquisition of SpiDynamics today. Another huge validation for the Application Security space. Finally, companies are realizing that with 75% of attacks occurring at the application layer and 7 out of 10 applications vulnerable, there's a drastic need to take action. Large companies like IBM and HP recognize this tremendous upward movement and want to get ahead of the curve to meet their customers' needs. HP had been in conversation with Spi for the last couple of months and plans to integrate Spi's products into the Mercury quality assurance suite.

While integrating security testing with functional testing is important (note: Cenzic has already integrated with Mercury and Borland), we believe that for customers it's not a good solution if the security product loses its identity completely, for a number of reasons. First, customers like best-of-breed products. They don't want to buy Mercury just because they want security testing. Secondly, most of the testing and buying is still taking place at the Chief Security Officer (CSO) and InfoSec group levels. This organization is typically separate from the Development/QA organization. Not having a stand-alone product can severely hinder the Information Security group's efforts. Finally, about 99% of applications are already in production, and until they go through new development, someone still needs to test them for security and find vulnerabilities.

People are asking us if Cenzic is next in the acquisition train. Frankly, we are focused on building the business and continuing significant enhancements to our risk-management solutions. We will always be open to strategic relationships with security vendors like Cisco, Juniper, Symantec, McAfee, Verisign, and CA, or ALM vendors like Compuware and Borland, that help enhance value for the customers. Our motto continues to be: Superior Solution, Superior Service. Stay tuned.

- Mandeep Khera, Cenzic Inc.

June 15, 2007

Impact of IBM Acquisition of Watchfire

As the announcement of IBM's acquisition of Watchfire hit the wire on Wednesday, June 6th, there was a lot of buzz going around in the media about the impact of this acquisition. I have provided some of the links to these articles below. Many reporters and security executives have asked me about my thoughts on the topic, which I would like to share here as well.

First of all, I think the acquisition is a big-time validation for the application security space. It also means that more and more companies are getting serious about application security. However, application security still has a long way to go. As far as the impact on the existing Watchfire customers, we'll have to wait and see. From all the indications so far, it looks like IBM will suck Watchfire's AppScan product into its Rational suite. This can't be good for Watchfire customers because there won't be a standalone product and IBM will not focus on enhancing the security functionality in the product. It'll become just another feature of the Rational quality testing suite.

We also believe that there's too much hype about integrating security testing tools into the Software Development Lifecycle (SDLC). We agree that it's important to test early in the development lifecycle. However, with all this hype, companies are starting to focus only on new applications as they develop them. What about the remaining 99% of Web applications that are already in production? A good analogy is anti-virus products: an anti-virus scan can be run before the OS and other software are installed on the desktop, but most of the testing occurs after the user starts using the desktop.

Cenzic believes that companies need to take a holistic risk-management approach. Find out how many apps you have and at what stage they are, find out who owns those apps, track when those apps were tested and how often, understand what's still vulnerable, and at the management level create metrics to understand the security posture of the company and monitor it on an ongoing basis. This is not about ad-hoc testing of a few applications just to get a check-box item crossed off. This is about protecting your brand and your customers.

We are sure there'll be more consolidation in this space as various Application Lifecycle Management (ALM) vendors (HP, Compuware, Microsoft, and Borland), security vendors (Symantec, McAfee, Verisign, and CA), and infrastructure vendors (Cisco, Juniper, Citrix, and many others) need to add similar functionality to their portfolios. We just hope that customers will push their vendors to offer combined solutions that are more holistic rather than a point solution as part of a development suite.

Whatever the solution, companies need to start testing applications for security vulnerabilities NOW. We have a catastrophe waiting to happen based on what we saw in Cenzic's first Quarterly Trends Report (download from http://www.cenzic.com): 7 out of 10 applications are vulnerable, about 70% of total vulnerabilities are application related, and over 75% of attacks happen at the application layer, a recipe for disaster for the commercial and government sectors.

News stories on the IBM/Watchfire deal:

http://www.computerwire.com/industries/research/?pid=53971D9D%2D84F3%2D4D7B%2DAFCF%2DB26EC2D93CAA
http://www.onstrategies.com/blog/?p=198
http://www.scmagazine.com/us/news/article/662742/ibm-keeps-mind-security-watchfire-buy
http://www.infoworld.com/article/07/06/06/IBM-to-buy-Watchfire_1.html
http://www.networkcomputing.com/showArticle.jhtml?articleID=199902344&queryText=watchfire+cenzic
http://www.internetnews.com/bus-news/article.php/3681766
http://www.computerworld.com/blogs/node/5652

- Mandeep Khera, Cenzic Inc.
