Security Watch

The Push for Application Security

When the same bugs keep cropping up, what's an application developer to do? Plus: Microsoft opens up about rootkit problem; ranking patch priorities; more.

Back in the olden times (read: the '70s and '80s), whenever kids at some schools got into trouble, they'd have to stay after class and write on the board what they shouldn't have done -- and would never do again -- over and over (i.e., "I will not use nostalgia as a lead-in in an IT security blog"). Some teachers called this punishment "writing standards."

Which brings us to this question: Should developers and application code writers, dogged by naughty malware, be made to stay after work hours and write standards?

Consider that a recent CWE/SANS list of the top 25 security coding errors showed the usual suspects, the same classes of injection, input-handling and memory bugs, still cropping up. And this week, the Open Web Application Security Project (OWASP) will release its list of the top 10 application vulnerabilities. Chances are, the two lists will look very similar.

So what's an application developer to do? OWASP's research gives some hints. Late last year, in preparation for its report, OWASP canvassed the IT community and found that some IT procurement pros, looking for greater security assurance, suggested that developers should write security parameters into applications before releasing them to purchasers, and that there should be indemnification language in vendor contracts.

The SANS Institute and others have joined the chorus, suggesting that standard contract language should be written into service-level agreements between application vendors and enterprise IT procurement functions -- something like, "I will, within reason, guarantee my app is safe from bugs."

Even the state of New York is soliciting comments on how to compose language for procurement, based on an assurance test that's yet to be determined. "Building security in at the beginning of development is an important factor in minimizing potential vulnerabilities," the state brief says.

Proponents maintain that this would give rise to security assurances at the application level, where security administrators and tech security gadflies are increasingly focusing their attention.

The Old Rootkit and Kaboodle
Turns out the Alureon rootkit, which Microsoft blames for the "blue screen of death" failures that followed a Windows kernel patch released in February, isn't new to Redmond.

According to Microsoft's summary, the rootkit had been identified as early as last summer. Microsoft describes it as "a family of data-stealing trojans" that "allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information" including financial data and password-username combinations.

Microsoft says the boot problem occurs because Alureon hooks the kernel using a hard-coded memory address rather than letting Windows resolve the address when it loads the executable. The February update moved the kernel code at that location, so the rootkit's hooks landed in the wrong place and infected machines crashed on boot. The practical takeaway: a machine that blue-screens after this update was already compromised, and the fix is to remove the rootkit, not to withhold the patch.

Ranking Patch Priority Is a Big Priority
In light of the increasingly hefty patch rollouts from Microsoft, Oracle and Adobe, one network security company has decided to simplify the process with what it's calling the "Patch Priority Index."

nCircle's Index, according to Director of Security Operations Andrew Storms, isn't meant to replace the guidance coming directly from Microsoft and the other vendors, but to give IT pros a sense of what's most important.

Setting priorities is a daily exercise in risk reduction with many variables that are constantly changing, Storms said.

"Due to the lengthy 30- to 60-day patch deployment cycle common to most networks, it's important to prioritize newly released patches against those still in the back log," he said in an e-mail statement. "The longer a patch is available and not patched, the greater the risk of exploit. nCircle's risk scoring system allows deployment teams to incorporate time into overall risk calculations by prioritizing new patches against all other patches from a specific vendor over the previous 12 months."
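As an added illustration of what Storms describes (this is not nCircle's Patch Priority Index or its scoring formula, which the column does not disclose), here is a small Python ranking that scores each outstanding patch by severity, scales that score by how long the patch has been available, and ranks one vendor's patches over the previous 12 months. The patch identifiers, dates, severities and weights are constructed for the example and are not real bulletins.

```python
"""Time-aware patch backlog ranking (illustrative, not nCircle's scoring)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed "today" for the example; real code would use date.today().
TODAY = date(2010, 4, 20)


@dataclass(frozen=True)
class Patch:
    patch_id: str          # hypothetical identifier, not a real bulletin
    vendor: str
    severity: float        # base score on a 0-10 scale (CVSS-like)
    released: date
    exploit_public: bool = False


def days_unpatched(patch: Patch, today: date) -> int:
    """Days the patch has been available but not deployed."""
    return max((today - patch.released).days, 0)


def risk_score(patch: Patch, today: date, half_life_days: int = 30,
               cap: float = 2.0, exploit_weight: float = 2.0) -> float:
    """Base severity scaled by age; assumed weights, for illustration only.

    The age multiplier rises from 1.0 toward `cap` as the patch ages and
    reaches the midpoint after `half_life_days`, so a 30-day-old patch is
    weighted 1.5x and a 90-day-old one 1.75x. A public exploit doubles it.
    """
    age = days_unpatched(patch, today)
    age_factor = 1.0 + (cap - 1.0) * (age / (age + half_life_days))
    exploit_factor = exploit_weight if patch.exploit_public else 1.0
    return round(patch.severity * age_factor * exploit_factor, 2)


def rank_backlog(patches, vendor: str, today: date, window_days: int = 365):
    """Score one vendor's patches released within the trailing window,
    highest risk first (ties broken by older release date)."""
    cutoff = today - timedelta(days=window_days)
    in_scope = [p for p in patches
                if p.vendor == vendor and cutoff <= p.released <= today]
    scored = [(p, risk_score(p, today)) for p in in_scope]
    return sorted(scored, key=lambda ps: (-ps[1], ps[0].released))


# Constructed sample backlog; IDs and scores are made up for the example.
SAMPLE_BACKLOG = [
    Patch("HYP-2010-A", "ExampleSoft", 9.3, TODAY - timedelta(days=2)),
    Patch("HYP-2009-B", "ExampleSoft", 7.2, TODAY - timedelta(days=90)),
    Patch("HYP-2009-C", "ExampleSoft", 4.3, TODAY - timedelta(days=200),
          exploit_public=True),
    Patch("HYP-2008-D", "ExampleSoft", 10.0, TODAY - timedelta(days=400)),
    Patch("HYP-2010-E", "OtherCorp", 9.0, TODAY - timedelta(days=5)),
]


def ranked_ids(patches, vendor: str, today: date):
    """Convenience: just the patch IDs in priority order."""
    return [p.patch_id for p, _ in rank_backlog(patches, vendor, today)]


if __name__ == "__main__":
    for patch, score in rank_backlog(SAMPLE_BACKLOG, "ExampleSoft", TODAY):
        print(f"{patch.patch_id:12} age={days_unpatched(patch, TODAY):4d}d "
              f"severity={patch.severity:4.1f} risk={score:6.2f}")
```

Run it and the 200-day-old medium-severity patch with a public exploit outranks both the 90-day-old high and the two-day-old critical, while the 400-day-old patch drops out of the 12-month window and the other vendor's patch is ranked separately. That is the column's point: a backlog ordered by severity alone would put the brand-new critical on top and leave the older, actively exploited hole where it is.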

Cenzic Looks at the Clouds
Heads up: A spokesperson for Cenzic has revealed to me that the third-party security firm will be announcing the release of its self-service Web security platform, which Cenzic is boasting will be fully in the cloud.

What will make this unique, according to Cenzic, is that the platform also exposes APIs for use through tech vendors such as Citrix and XyberShield.

Anti-virus firms are also said to be in the mix, but Cenzic won't confirm that until its announcement, which is slated for later this week.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
