Experts: Application Security Is Key to Back-End Data Protection

NEW YORK --- Firms need to shift their focus from network to software security, particularly for source code and Web-based applications, if they want to protect their data and avoid an embarrassing data breach. This was the warning from users and security experts at an event examining cybercrime here last night.

"You realize that we will have to start using different tools to battle the enemy," warned Ted Schlein, a partner at venture firm Kleiner Perkins Caufield & Byers, during a panel discussion. "It's not your networking guys that can solve this problem, [you need to] get your engineers involved -- this whole approach could save your back-end storage."

With most firms lavishing resources on perimeter security over the last few years, hackers are increasingly targeting vulnerabilities in Web-based applications as a way to steal sensitive data on databases and back-end storage systems, according to the V.C.

"Data losses cost this country $180 billion to $200 billion a year," he told Byte & Switch, explaining that perimeter security measures such as firewalls are effectively bypassed by cyber-criminals. "It's a different set of rules and infrastructure -- corporate IT has not kept up with that [threat] because security is in the hands of the network operations people."

The New York-based Depository Trust and Clearing Corporation (DTCC), which provides clearing and settlement services for the financial sector, is already taking steps to address this challenge."We have a community of 'super developers' that are trained in security," explained panelist James Routh, the firm's chief information security officer. "We provide a lot of nourishment and support for that community."

Typical techniques used by hackers in software crime include cross-site scripting and SQL injection, which lets criminals access other people's log-in details by targeting vulnerabilities in software code.

Cyber-security expert Brian Holyfield of Gotham Digital Science, which runs vulnerability tests on firms' IT infrastructure, agreed that Web-based applications are a real Achilles' heel.

"This is a major threat," he said. "When we do penetration testing for our clients, 80 percent of the time we're getting in through the application, so you have to think that the real hackers are getting in 80 percent of the time, too."

The DTCC tackles this problem by running about nine different testing products on its software source code. These include Application Security's AppDetective for checking database vulnerabilities, and a tool from vendor WhiteHat for scanning Web applications."We started [this work] about three years ago because the threat trend data showed that applications are more commonly attacked than the perimeter," explained Routh. "For packaged software, we demand that the vendor provide us documentation of static code analysis, dynamic code analysis, and manual code analysis."

"Dynamic code" refers to software that is already up and running, whereas "static code" refers to software that is still very much at the testing phase. Routh told Byte and Switch that DTCC also uses a service from a company called Veracode to scan large volumes of code and highlight vulnerabilities.

Kleiner Perkins exec Schlein, whose firm invests in Fortify Software, which sponsored the New York event, said that responsibility for plugging software security gaps rests with both vendors and users. "Most of the software in the world does not come from vendors, it comes from the Fortune 1000," he said.

Despite the U.S. federal government's use of the Common Criteria security standard, Schlein thinks that Washington could also set a better example when it comes to locking down source code. "I would like to see a law that mandates that federal government would not purchase software from a third party, or produce software for its own use, that has not been given a security audit," he explained.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Byte and Switch's editors directly, send us a message.