Thursday 3 September 2009

Declaring war on easily attacked applications

Today is the 70th anniversary of Britain’s declaration of war, which brought it into the Second World War. With news of yet another poorly defended business application allowing its database to be attacked, we should declare war on poorly written applications.

In the Sears.com case, it was very poor application design that made the attack possible. Foolishly, the functionality meant to protect the web application was deployed in the least trustworthy of locations: the “customer’s” web browser. On the internet, “customers” and “attackers” are indistinguishable. As Sears.com has no control over the “attacker’s” browser, it has no reason to trust that this inadequate security control will not be altered, tampered with or completely disabled.

Further poor practice meant that there was no independent monitoring or enforcement system that prevented, or even raised an alert on, the strange behavior of a massive increase in the use of certain functionality, which allowed a “customer” to “stage a brute-force attack that could grab all valid, active Sears and Kmart gift cards from the company's database”.

What should organizations do?
1. Raise the level of software engineering so that secure development processes are embedded in all application development.
2. Test, test, test, test, and re-test the application for vulnerabilities. Remember, these are vulnerabilities that are in applications that your developers wrote – not just operating system or platform component vulnerabilities.
3. Put monitoring and enforcement systems in place to fully understand what normal usage patterns are for the application and ensure that real-time policies can prevent unwanted behaviors.
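The following is an added illustration of points 1 and 3 above, and of the browser-side control problem described earlier; it is not code from the original post and has nothing to do with how Sears.com is actually built. It assumes a hypothetical gift-card balance lookup endpoint: every check runs on the server, the browser's claim to have validated the input is ignored, a per-client sliding-window rate limit enforces a policy on how fast lookups may happen, and each throttled request is recorded as an alert a monitoring system would pick up. The card numbers, balances, thresholds and log lines are all constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample data: card numbers and balances the server holds.
# These are made-up values, not real gift-card numbers.
CARD_BALANCES = {"6006491111222233": 25.00, "6006494444555566": 100.00}


class GiftCardService:
    """Balance lookup with every security control enforced on the server side."""

    def __init__(self, max_per_window=5, window_seconds=60):
        self.max_per_window = max_per_window    # policy: lookups per client per window
        self.window_seconds = window_seconds
        self._recent = defaultdict(deque)       # client_ip -> timestamps of recent lookups
        self.alerts = []                        # what a monitoring system would raise

    def lookup(self, client_ip, card_number, now, client_claims_validated=False):
        # 1. The browser's claim that it already validated the input is never
        #    consulted: the client is untrusted, so validation happens here
        #    regardless of what (if anything) ran in the page.
        if not (card_number.isdigit() and len(card_number) == 16):
            return {"status": "rejected", "reason": "malformed card number"}

        # 2. Sliding-window rate limit per client. Because it lives on the
        #    server, stripping or altering the page's JavaScript changes nothing.
        window = self._recent[client_ip]
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.max_per_window:
            self.alerts.append(
                f"t={now} {client_ip}: over {self.max_per_window} lookups "
                f"in {self.window_seconds}s, request throttled")
            return {"status": "throttled"}
        window.append(now)

        # 3. Only a request that passed both checks touches the data.
        balance = CARD_BALANCES.get(card_number)
        if balance is None:
            return {"status": "not_found"}
        return {"status": "ok", "balance": balance}


def replay(service, log_lines):
    """Feed constructed request log lines through the service and tally outcomes."""
    counts = defaultdict(int)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        result = service.lookup(fields["ip"], fields["card"], int(fields["t"]))
        counts[result["status"]] += 1
    return dict(counts)


# Constructed log: one ordinary customer (one good lookup, one typo), then one
# client issuing eight lookups of different card numbers within ten seconds.
SAMPLE_LOG = [
    "t=0 ip=203.0.113.10 card=6006491111222233",
    "t=5 ip=203.0.113.10 card=60064911112222",
] + [f"t={t} ip=198.51.100.7 card=60064900000000{t:02d}" for t in range(1, 9)]


if __name__ == "__main__":
    svc = GiftCardService()
    print(replay(svc, SAMPLE_LOG))
    for alert in svc.alerts:
        print("ALERT", alert)
```

Running the sample shows the point of the post's third recommendation: the ordinary customer is served, the malformed request is rejected before any database access, and the burst from the second client is cut off after five lookups, with each further attempt producing an alert that a real deployment would forward to its monitoring system rather than merely log.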

Finally, organizations should make an open declaration of war on poorly produced and operated applications!