[ISN] 'Penetrate and patch' e-business security is grim

From: InfoSec News (isnat_private)
Date: Thu Feb 21 2002 - 01:59:27 PST

  • Next message: InfoSec News: "[ISN] IDefense in Talks for Buyer"

    By John Leyden
    Posted: 19/02/2002 at 20:05 GMT
    Application security flaws introduced early in the design life cycle
    are giving rise to easily exploitable defects that can readily be
    That's the main conclusion of an evaluation of 45 e-business
    applications by security consultancy @stake.  It says the current
    state of application security is "grim".
    @stake found that nearly half of application security defects - 47
    percent - are both readily exploitable and could cause significant
    loss of reputation or customer revenue, but the defects were entirely
    preventable. The consultancy found that the best-designed e-business
    applications have 80 per cent fewer security defects than the worst.
    A selection of wireless applications, off-the-shelf packages and
    Web-transactional apps supplied by @stake's clients were put through
    their paces during its security evaluation.
    The methodology involved a code review; a look at the architecture and
    design of applications; and attack simulations. As security testing
    was carried out under non-disclosure agreements it is unclear when
    issues will be highlighted to the wider community.
    @stake's testing reveals some worrying trends in application
    These include insufficient rigour in checking user input, a problem
    that can give rise to buffer overflow attacks, and a lack of secure
    authentication and access control features within applications. User
    session security proved to be the "Achilles heel" of many of the apps
    Nine classes of common security flaws can make applications insecure,
    according to @stake's research. These are: administrative interfaces
    authentication/access control, configuration management, cryptographic
    algorithms, information gathering, input validation, parameter
    manipulation, sensitive data handling and session management.
    Avi Corfas, vice president for @stake in EMEA, said the problems are
    more to do with the way applications were designed rather than the
    platform they run on. Somewhat controversially, he claimed 70 per cent
    of the problems @stake identified were in their design and only 30
    percent were in implementation.
    Anecdotal evidence from other security consultants suggests the vast
    amount of security risks is caused by incorrect implementation, for
    example the interaction between applications or how applications are
    installed. That's to say nothing of failure to apply patches, of
    course, which @stake points out would be far less of an issue if
    developers addressed security problems early in the design process.
    "Many companies treat security as 'penetrate and patch' rather than
    employing secure software engineering practices that would have
    produced a safer application from the start," said Andrew Jaquith,
    program director, @stake.
    In order to benchmark application security best practices, @stake
    compares and contrasts the top and bottom performers in its study as
    measured by business risk.
    The six areas that differentiate the best from the rest are: early
    design focus on user authentication and authorisation; mistrust of
    user input; end-to-end session encryption; safe data handling;  
    elimination of administrator backdoors; mis-configurations and default
    settings and security quality assurance.
    [Related link:  
    http://www.atstake.com/research/reports/atstake_app_unequal.pdf ]
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Feb 21 2002 - 05:06:55 PST