Put down the vendor white papers and turn down the volume on that webinar. If you want to secure your data and pass a PCI (Payment Card Industry) audit, take a look at the past — the long-ago past.
Between the ninth and 15th centuries, the castle was the Western world’s emblem of strength and security. It enabled small villages and towns to repel larger forces and defend what was important to them. That’s the same thing e-commerce companies must do today. Every computer system has to be ready to defend itself.
These days, we protect customer data, not the local nobility, and enemies don’t march to your gates — they can be anywhere across the globe. However, the biggest difference is that instead of thick castle walls, it’s your Web applications that stand at the front lines. Instead of feudal rules to follow, you have industry mandates, such as PCI compliance, HIPAA (Health Insurance Portability and Accountability Act) and SOX (Sarbanes-Oxley Act).
However, today’s Web applications are notoriously vulnerable. Nine out of 10 sites have at least one critical vulnerability, according to a March study by WhiteHat Security. As the hacking community — now a mix of organized crime, enemy nations and terrorists — shifts its focus away from the network and towards applications, businesses have to take a new kind of approach to defending digital assets.
Three lessons from the days of knights and castles still apply:
- Design with security in mind, and make sure your construction techniques don’t compromise your design.
- Building right is not enough. Active security defenses are a must.
- The job never ends. Staying secure means continual evolution.
Build for Security
James of St. George was responsible for the construction of at least 12 castles in Wales during the time of Edward I. If he were alive today, he’d talk about the importance of building something with security in mind. His castle designs had:
- As few entry points as possible;
- Multiple layers of defense; and
- Circular staircases, which, by their nature, make attackers expose more of their body to the defenders.
If you’re building a Web application, what does this mean? First, it means you should design the application to withstand attack. Just as layered defenses helped contain breaches to one area, keeping distinct systems separate can ensure that, if one is breached, other ones are still safe.
It also means analyzing your applications to uncover weak points before attackers find them. Conducting automated source code analysis can identify vulnerabilities that could be exposed. As architects, security teams and developers work together to find and fix these flaws, each group will learn more about secure programming. With more experience, they’ll start building secure code, capable of withstanding the attacks of today.
Create an Active Security Defense
Castles were built to give defenders countless lethal advantages:
- Arrow loops let archers hit a broad face of attackers while exposing minimal surface area.
- So-called “murder holes” were small slits that allowed defenders to drop hot oil on attackers below.
- High towers gave defenders the ability to see attackers and understand their game plan before a battle began.
At some point, every wall will be breached. That’s the case with castles and with cyber-security. Once you’ve built your application and it’s up and running, active defense mechanisms can help monitor activity and repel incoming attacks. While traditional perimeter security is handled with network firewalls and intrusion prevention systems, these solutions can only prevent people from cracking into your network or sending in viruses via e-mail.
However, you have to allow people into your network and onto your Web application. Once they’ve landed on your Web site, those perimeter defense mechanisms are no longer in play. You need active protection for the application itself. The most common line of defense here is an application firewall. However, even these solutions have their weaknesses. Their position outside the application results in relatively low accuracy, and configuring them often requires hiring a new person with expertise in security, operations and development.
A more successful approach is an internal application firewall, which strengthens the application from the inside. This type of solution will accurately monitor your application, letting you know how and when you’re being attacked. It also has the ability to successfully repel attacks. As a hacker begins typing malicious code into your application, this defense mechanism will be able to actively stop the onslaught. An application that isn’t coded with security in mind, and doesn’t have active protection in place, will allow an attacker to steal the private data of your customers.
Learn to Evolve
As methods for attacking castles changed, castles changed too. Square towers were converted to circular towers, so the attackers couldn’t collapse the towers by digging out a corner. With the advent of gunpowder, castle walls became lower and thicker.
Basic Web application scanning techniques — also referred to as “application penetration testing” or “black-box testing” — emerged around a decade ago. Over the last 10 years, we’ve learned that these techniques are not comprehensive enough to form the foundation of a good defense. The tools miss key parts of the applications, and they can’t see if private data is sent to insecure locations, such as a log file, an e-mail message or a partner site.
Attackers have evolved and are conducting more sophisticated attacks against vulnerabilities that can’t be detected unless you’re taking a close look at the code. As the owner of the applications, you have the advantage of (1) knowing how you’re being attacked — assuming you have an application firewall in place — and (2) being able to build your applications securely and analyze the source code to make sure you’re protected against the newest forms of attacks. A thorough approach to security means secure design, secure development with source code analysis, verification with dynamic security testing, and an active defense like an application firewall.
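To make concrete what source code analysis can see and a black-box scanner cannot, here is a small, added example (not code from the article or from Fortify) of intraprocedural taint tracking over a Python AST. The field names treated as private (card_number, cvv, ssn), the sink names (logging.*, send_mail, partner_api.post) and the sample application code are all constructed for this illustration; the sinks stand for the three insecure destinations the text names: a log file, an e-mail message and a partner site.

```python
import ast
from typing import List, Set, Tuple

# Constructed for this example: fields considered private cardholder/personal data,
# and call targets that represent a log file, an e-mail message and a partner site.
SENSITIVE_FIELDS = {"card_number", "cvv", "ssn"}
INSECURE_SINKS = {"logging.debug", "logging.info", "logging.warning",
                  "logging.error", "send_mail", "partner_api.post"}

def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as logging.info as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _dotted(node.value) + "." + node.attr
    return ""

def _mentions(node: ast.AST, tainted: Set[str]) -> bool:
    """True if the expression reads a private field or an already-tainted variable."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and sub.value in SENSITIVE_FIELDS:
            return True                      # request.form["card_number"]
        if isinstance(sub, ast.Attribute) and sub.attr in SENSITIVE_FIELDS:
            return True                      # customer.cvv
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True                      # variable derived from private data
    return False

def find_leaks(source: str) -> List[Tuple[int, str]]:
    """Return (line, sink) pairs where private data reaches an insecure sink.
    Straight-line, per-function analysis: taint propagates through assignments
    in statement order, conservatively (no sanitizer or masking is recognised)."""
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted: Set[str] = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and _mentions(stmt.value, tainted):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
            for call in (c for c in ast.walk(stmt) if isinstance(c, ast.Call)):
                args = call.args + [kw.value for kw in call.keywords]
                sink = _dotted(call.func)
                if sink in INSECURE_SINKS and any(_mentions(a, tainted) for a in args):
                    findings.append((call.lineno, sink))
    return findings

# Constructed sample application code: one clean log line, three leaks.
SAMPLE = """\
import logging

def charge(request, customer):
    pan = request.form["card_number"]
    amount = request.form["amount"]
    logging.info("charging %s on card %s", amount, pan)
    logging.info("order total %s", amount)
    send_mail(customer.email, "receipt", customer.cvv)
    partner_api.post({"amount": amount, "last4": pan[-4:]})
"""
```

Running `find_leaks(SAMPLE)` flags lines 6, 8 and 9 (log, e-mail and partner site) and leaves line 7 alone; a scanner that only observes HTTP responses would see none of the three, because nothing private ever comes back to the browser.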
The people who designed and built castles can teach us a lot about how to approach security. However, in some ways, they had it easy. Today, we can’t see our enemies and we don’t always immediately know when we’ve been breached. When defending a castle, it’s abundantly clear when you’re being attacked and when a breach has occurred. As a result, it wasn’t hard to justify expenditures on castles.
Today, we need to make a case for investments in security based on less tangible information. However, it’s a case worth making. Protecting your applications is now essential to business. If you need some statistics to help make the case, here are just a few:
- Applications are vulnerable. There has been a 44 percent annual growth in the number of vulnerabilities reported in major applications, according to a report by the Computer Emergency Response Team. Also, as referenced earlier, in a recent WhiteHat study of more than 600 public Web sites, nine out of 10 had a critical vulnerability.
- These vulnerabilities are being exploited. In 2005, Gartner reported that 75 percent of breaches are due to vulnerabilities in software. During the last six months of 2007, there were 11,253 site-specific cross-site scripting vulnerabilities reported on the Internet, and only about 4 percent of them had been patched, according to a Symantec report.
- The number of breaches is climbing. The number of breaches has grown at an average rate of 67 percent over the last two years, according to the Identity Theft Resource Center, which also reported that 212 million records were exposed during 2005, 2006 and 2007.
If the above doesn’t help, try bringing a picture of a besieged castle and saying “this could be us.” The castles that didn’t take the threat of their day seriously, or implemented the minimal amount of security, were overtaken by a smarter and more determined enemy. The situation is the same today. Too often, companies adopt only a base level of security. They do just enough to pass PCI compliance and they think they’re secure. Hannaford Bros. — a supermarket chain in New England — passed its PCI audit and then got hacked, losing more than 4 million records. The bad guys today are determined and well-funded. The black market for identities is thriving and fueling the hacker community, which means the attacks are only going to get more sophisticated.
Whether you’re a castle architect or an e-commerce security professional, getting breached is a painful process. At the end of the day, you probably don’t have a job anymore. Thankfully, in today’s times, you at least still have your life.
Brian Chess is founder and chief scientist at Fortify Software. Taylor McKinley is product marketing manager at the company.