Case Study: The Falling Stock of Appsec

May 5, 2009

Jamie Rockhill* is the director of information security at DG&S, a medium-sized Manhattan-based financial services company. In the past twelve months some of the firm’s largest clients have either been acquired or have filed for bankruptcy protection. Although not as hard hit as some of their Wall Street peers, DG&S is anticipating a 20% loss against previous year’s earnings. The firm is facing a major restructuring and there is an across-the-board freeze on any training expenditures or major IT projects. Indeed, any expense over $1,000 requires Executive VP sign off.

Traditionally, DG&S did not pay much heed to information security apart from standard practices such as patch management and installation of anti-virus on corporate machines. All that changed when 2,000 high-profile customer records were stolen from their competitors at Finicor Investment Services in late 2007. Worried that they too would suffer a breach, DG&S hired Jamie to augment their IT security practices. Of course, that was before a tide of bad news hit the American financial industry in late 2008. Now Jamie’s been left with a mandate to protect the organization’s data (a priority which still stands, as the CEO recently reminded Jamie) with no appropriate increase in spending.

Although DG&S maintains a relatively low public profile, it is well known in the financial industry and may be an ideal target for online thieves. Jamie is especially concerned that the firm’s three extranet applications, developed in ASP.NET, are vulnerable to web application attacks, since they have never undergone any security testing or hardening.

Jamie’s concerns were only heightened after a conversation with the company’s lead software engineer:
“Steve, have you or anyone on your team thought about security during the development of these apps?”, Jamie inquired.

“Security? These apps are made for our business partners — not the general public. We have more pressing concerns,” came the curt reply.

“That may be, but they’re exposed on the Internet. It’s just a matter of time before somebody uses them to break into our systems!”, Jamie responded, visibly agitated.

“Good luck securing them. This is Wall Street, buddy, we need to get our apps out ASAP before the guys across the street do, otherwise our firm stands to lose big-time, meaning both you and I will be out of jobs. I don’t have any spare time to waste on adding features or doing analysis outside of the core functional requirements.”

As angry as he was, Jamie knew that Steve had a point: time-to-market is of the essence to DG&S developers and it’s even more important as the company has to fight harder for client dollars.

Still, leaving the apps at the status quo is asking for disaster. So far, Jamie has been able to keep the company away from danger thanks to complex filtering rules in the Intrusion Prevention System. He had also heard that ASP.NET applications are more secure out of the box than PHP or Java web apps. He has also toyed with the idea of deploying a web application firewall, although he has heard that they are generally better as a short-term stop-gap measure.

If you were in Jamie’s position, what would you do?

*: All names are fictional and are generated from http://www.kleimo.com/random/name.cfm

Jason Lam’s Response

Information security is about effectively managing risk in the organization and
the role of a security professional is to advise and assist the management of
risk. In Jamie’s shoes, I would first estimate the cost of one single
incident based on previous incidents in similar organizations and the
likelihood of an incident happening. Armed with this information, I would then
approach the senior executives in the company to explain the risks and the need
to lock down the applications. Security has to come from the top of the
organization. Starting from the highest level is the prudent route to take.

The argument from management is often, “It’s not going to happen to us.”
This is an easy one to tackle given the recent security related incidents in
the financial sector. Hard dollar values are usually very persuasive: the stock
prices affected by security incidents, and also some of the public announcements
of incidents, can quickly reveal the real cost. In the financial sector, PCI DSS
requirements now include application security requirements, so it is hard to
deny that it is an essential part of security. Prudent executives want to
control costs that will affect current and future business. The pressing need
to secure applications clearly affects the company’s future, especially when
the reputation of the firm is at stake. Once the need to lock down the
applications is established with executives, the funding should come with ease.

As far as the approach to locking down the applications goes, there are various
options and approaches to take. If the internal security capability is strong,
then a quick security assessment of the applications with a strong focus on
critical vulnerabilities such as the OWASP Top 10 can help identify the weak points
of the applications and get the developers started on the right path to fixing
them. If the skill set is lacking in the organization, then help from an external firm
may be necessary. Jamie should be frank with the firm about the budget
concern and the goal of locking down three business-partner-facing applications.
A competent firm should be able to work out an effective plan for Jamie.

If fixing the applications is absolutely not an option, then maybe a Web
Application Firewall (WAF) is a good choice. Most WAF devices are very
affordable and relatively easy to deploy. WAFs can do a decent job at stopping
about 50%-60% of the vulnerabilities, effectively reducing the vulnerability
surface. Jamie should keep in mind that there are still risks even after a WAF
device is in use and it is never a long-term replacement for a full code fix.


Jason is a senior security analyst at a major financial institute in Canada. He is also an author and instructor for SANS Institute, mostly focusing on web application security and malware threats.

Nish Bhalla’s Response

Letting the applications go out on the Internet without any testing would be
like burying your head in the sand. Due to business requirements and lack of
time or knowledge, this is the unfortunate reality that many organizations face
today. Once, however, organizations realize the impact of the potential issues
(like DG&S), they end up hiring someone like Jamie to help reduce their risk.

There are two major security concerns with any application going live on the
Internet:

  1. The security risk associated with exposing the data held by the
     application, for example credit card data or other Personally Identifiable
     Information (PII).
  2. Other vulnerabilities within the application that could expose other
     components of an organization’s infrastructure.

Assuming that DG&S has neither application nor data classification ratings,
Jim should try to understand the type of data each application holds and the
security controls that are implemented in the applications. This process will
help him to understand and ultimately justify the costs he should spend on
securing the applications.

To understand the risk classification of the applications (i.e. high, medium,
or low), Jim should attempt to perform a high-level risk analysis on the
application. He can perform this analysis by not only spending some time
understanding the application by browsing it, but also interviewing the
business analysts, the architect and a senior developer. Some of the key controls
he should try to understand are:

  • Whether the data held by each application is considered highly confidential,
    confidential or public.
  • How the basic security controls such as Authentication, Authorization,
    Log management and Encryption (at rest/in transit) are being managed by
    the application.

Based on this information, Jim can understand which of the applications
would be considered high risk, medium risk and low risk for his environment.
After understanding this, he should then decide to either perform an
Authenticated Health Check or an Unauthenticated Health Check. If he has the
time and skill set required he should perform the assessment himself, otherwise
he should consider bringing in external help. One of these approaches would
give him the best value for his money.


Nish Bhalla, the Founder of Security Compass, is a specialist in product, code, web application, host and network reviews.
