In the early days of business computing, data was shipped from corporate locations to a central server. To spare enterprises the hands-on control of the process, third-party service providers handled the freight. Today, that same business model for massive off-site data storage and application delivery has a more nebulous name: cloud computing.
A new name, larger server farms, often unknown locations of the so-called clouds -- the process is almost like online banking, where you never actually visit a physical location to check on your deposits and make hands-on cash withdrawals.
Cloud computing entails more than mere long-distance data storage, however. It also involves the use of Web-based applications that come from someplace beyond a corporate server. Cloud computing, in addition, can carry with it a security risk.
For the cloud customer, it's often been understood that the service provider and the application developers take care of safeguarding customers' data. However, too many major data breach disclosures in recent years have fueled worries about data security.
These security concerns are no longer small worries for companies that trust their computing integrity to the clouds. Web application security has become the subject of an ongoing debate that has yet to produce a clear winner.
Developers with an eye on security say the only way to eliminate vulnerabilities in Web applications is to build them from scratch rather than apply code fixes and third-party security layers to existing applications. However, a major industry of security products has grown around different ways to plug the security holes found in Web apps, adding justification for the legitimacy of the build-it-then-secure-it philosophy.
"Building from scratch is no silver bullet. Developers have to face the security problem the way it is," Mandeep Khera, CMO of Cenzic, told TechNewsWorld.
Debate Parameters
The build-it-from-scratch approach is the stance taken by an industry group known as the "Open Web Application Security Project" (OWASP). The group offers a toolbox of kits and sponsored projects to help IT workers and app developers find and fix security holes.
"It is critical that program developers build security in. The problem is that most apps already in use are in maintenance mode. Existing apps need to be tested," argued Khera.
Not everybody buys into that argument. By the time companies invest in a product and have it in use throughout an organization, it is too costly to deal with a hunt for security holes. Many companies cannot take the time, effort and risk of taking their must-use applications offline.
"I don't agree that we need to start over and 'build' from scratch. I am confident that Web and more importantly application-based protection will be a driving technology for many enterprises. They can't control what's going on within the cloud, but they can certainly protect the data that is being passed back and forth," Ken Pappas, president of True North Security, told TechNewsWorld.
What to Do?
For companies using a legacy Web app, a Web application firewall (WAF) could be the alternative to the build-it-from-scratch strategy. This is an appliance, server plugin or filter that protects the data processed by the Web app by applying a tailored set of rules to traffic entering and leaving the application.
The rules provide protection against specific types of data attacks. For instance, the WAF can identify and stop cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked. However, WAFs are not set-it-and-forget-it tools. They must be customized and maintained as the Web app is modified.
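The paragraph above describes the two things a WAF rule set has to do: recognize known attack classes such as XSS and SQL injection, and be tailored to the particular application so that legitimate traffic is not blocked. The following is an added illustration of that idea, not code from the article or from any vendor named in it. It models a request filter for a hypothetical application with a `/login` form and a `/search` box; the paths, parameter names, and the regular-expression signatures are all assumptions chosen for the example, and the signatures are deliberately small rather than a production rule set. Running the same requests in generic mode and in tailored mode shows why the article says a WAF cannot be set and forgotten.

```python
import re
from collections import namedtuple
from urllib.parse import parse_qs

# Generic signatures for the two attack classes the article names.
# Illustrative patterns only; a real WAF ships far larger rule sets.
GENERIC_RULES = {
    "xss": re.compile(r"<\s*script|on\w+\s*=|javascript:", re.IGNORECASE),
    "sqli": re.compile(
        r"""['"]\s*(?:or|and)\s+[\w'"]+\s*=\s*[\w'"]+|;\s*drop\s+table|--\s*$|union\s+select""",
        re.IGNORECASE,
    ),
}

# A rule tailored to one parameter of one application: the shape a legitimate
# value must have (allowlist), plus which generic signatures still apply to it.
ParamRule = namedtuple("ParamRule", "shape signatures")

# Hypothetical application (assumed for this example): a login form and a
# free-text search box. Knowledge of how the app treats each value is what
# lets the rules be tightened or relaxed per parameter.
APP_RULES = {
    "/login": {
        "user": ParamRule(re.compile(r"[a-z0-9_.]{1,32}"), ("sqli",)),
        # Assumed: the app hashes the password and never echoes or interpolates
        # it, so any characters are acceptable and no signature is applied.
        "pw": ParamRule(re.compile(r".{1,128}", re.DOTALL), ()),
    },
    "/search": {
        # Free text legitimately contains '=' and quotes, which trip the generic
        # "on...=" XSS signature. Assumed: the app HTML-encodes search output, so
        # only the SQL injection signature is kept for this parameter.
        "q": ParamRule(re.compile(r"[\w\s'=.,-]{0,64}"), ("sqli",)),
    },
}


def inspect_request(path, query, tailored=True):
    """Inspect one request's query string; return (allowed, reasons)."""
    params = parse_qs(query, keep_blank_values=True)
    reasons = []
    app_rules = APP_RULES.get(path) if tailored else None
    for name, values in params.items():
        for value in values:
            if app_rules is None:
                # Generic mode: every value is checked against every signature.
                reasons += [f"{label}:{name}" for label, pat in GENERIC_RULES.items() if pat.search(value)]
                continue
            rule = app_rules.get(name)
            if rule is None:
                # Tailored mode rejects parameters the application never defined.
                reasons.append(f"unknown-param:{name}")
                continue
            if not rule.shape.fullmatch(value):
                reasons.append(f"shape:{name}")
            reasons += [f"{label}:{name}" for label in rule.signatures if GENERIC_RULES[label].search(value)]
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample requests: a benign search, a benign search that the
    # generic signature misreads, and two injection attempts.
    for path, query in [
        ("/search", "q=rock+and+roll"),
        ("/search", "q=lesson+one%3Dbasics"),
        ("/search", "q=%3Cscript%3Ealert(1)%3C/script%3E"),
        ("/login", "user=admin%27+OR+%271%27%3D%271&pw=hunter2"),
    ]:
        print(path, query, "generic:", inspect_request(path, query, tailored=False),
              "tailored:", inspect_request(path, query))
```

The search for "lesson one=basics" is the instructive case: the generic signature set blocks it as XSS because "one=" looks like an inline event handler, while the tailored rule for `q` passes it and still catches the SQL injection attempt on `/login`. Every time the application gains a parameter or changes what a field may contain, `APP_RULES` has to change with it, which is the maintenance burden the paragraph warns about.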
The alternatives seem cut-and-dried choices. If users or Web app providers question the security of the product, they can replace it or bolt on a stop-gap measure like a WAF. However, the better solution might very well be doing both. That's the middle ground suggested by the PCI Security Standards Council.
"The answer depends on how critical the app is for the owner. Sometimes doing both is the only real option for security, especially for a large organization," Georg Hess, CEO and founder of Art of Defence and OWASP member, told TechNewsWorld.
Too Little Too Late?
It is somewhat odd that the computing industry is only now focusing on better security as enterprises turn to Web applications. Perhaps the growing prominence of cloud computing in business will put better security measures in place.
"Many companies for several years now have been utilizing this technology [Web apps from the clouds] without thinking of the security ramifications. Take for example Salesforce.com (NYSE: CRM). This Web-based application and the company's data have been passing a public network infrastructure for years with little to no concern regarding data security," alleged Pappas.
The industry is entrenched in the business practice of Web-based applications and data that reside beyond its corporate walls, he added. Even worse, the industry is facing a chicken-or-the-egg mentality when it comes to Web app security and cloud computing.
"Really now, are businesses concerned with the concept of cloud computing or the fact that applications are Web-based? What should be most important within enterprise networks is the fact that [it] is their data that transverses and is stored outside the glass house," he warned.
What's Needed
Cloud and Web-app providers need to build tight network and data protections within their infrastructures, Pappas said. Until then, it will be too risky for any company to leave its assets at a third-party premise.
Another alternative is to fix what is broken and move on from there, advised Khera. Doing so will involve a two-step process to close the holes in any application.
The first step is finding the holes before the job becomes the equivalent of patching the roof to keep the rain out. The second step is prioritizing the timeline for patching the most critical holes found.
"The issue is too important to ignore. Until all the holes are plugged, the application is vulnerable," he cautioned. "You can't avoid the process. The timing is critical."
Starting Point
Perhaps the ideal place for the built-in security process to begin is with the app developers themselves. For that to happen, developers need to consider the software shelf life, according to Hess. Still, more is involved than just shelf life.
"An application is not done with the first version. But code writing expertise is needed for a company to review the security reliability of Web apps. The process has to start with the application developer. It is not common to see schooling in Web security," said Hess.
That is one of the major reasons for the current security troubles -- too few have skills in security. A general lack of education in security is at the root of the problem, he said.
Playing Catch Up
"It takes both time and money to build secure apps. That's the challenge," Hess said.
From a security perspective, it is actually better to have some methods for checking security of the code in the development phase. However, most of the industry is not yet there, Hess complained.
Developers who rush out apps that were still in production yesterday expose the companies using them today to new attack vulnerabilities. Developers need some reaction time to fix security holes, he noted.
Then they need a timeframe to deploy patches. This process of deploying patches can take from two to four weeks.
That brings the debate full circle. With the Web application firewall in place, companies running a hole-ridden cloud app will be able to bolt on a stop-gap measure of security and possibly forestall a damaging data breach.