|
|
|
Features
< Back
Sarbanes Oxley : Technology : Security
Application Security and Sarbanes-Oxley Compliance
By
Brian Cohen
|
|
Brian Cohen
President and Chief Executive Officer
SPI Dymanics
|
Section 404 of the Sarbanes-Oxley Act (SOX) mandates that the executive management of publicly held companies must evaluate and report on the effectiveness of their internal controls over financial reporting, and have independent auditors substantiate the effectiveness of these controls. These controls also encompass the IT operational processes and application software that support a company?s business.
Rapid access to current information is essential for any competitive business. Organizations worldwide are under constant pressure to provide the latest data to authorized users, regardless of where those users may be located. And thanks to the World Wide Web, global information access can be as easy as connecting to the Internet. Unfortunately, easy access also includes risk; the possibility that unauthorized users may gain access to confidential information. If they do, whether the unauthorized user is viewing or changing the data, it is likely that such a breech of confidentiality also results in failure to comply with SOX integrity and control requirements.
In this article, we will discuss the emerging trend to provide access to information through web enabled applications (web apps), the inherent risks in doing so, and what you can do to ensure that your web apps are secure and SOX compliant. But first, let?s take a look at why the trend toward expanded use of web apps is accelerating, and why it?s likely to continue for some time.
More than forty years ago, large organizations began to incorporate computers into their business processes. Mainframe computers, operated predominately by engineering professionals, accelerated the ability to crunch numbers and launched the information revolution of the last half of the twentieth century. Data was centralized within the corporate data center, and information was distributed in the form of reports.
During the ensuing forty year period, numerous innovations have improved our access to timely and accurate information. Of these, three in particular stand out as truly disruptive technologies: Technologies that have fundamentally changed the way we conduct business. They are:
• The personal computer
• The Internet and the World Wide Web
• Widespread broadband communications availability
Personal computers provide a desktop computational and display capability that is essential to any business. PCs permit users to manipulate data, in a local setting, to suit their specific requirements. The Internet, and particularly the World Wide Web, provide a standardized set of protocols and interfaces for accessing information. Broadband access accelerates the flow of information from point-to-point so quickly that data appears to be ?virtually local,? allowing data to be stored centrally yet accessed globally.
Now, let?s look exactly at how these three innovations combine to offer unprecedented information availability:
General Business Corporation (GBC), a fictitious multi-national manufacturing firm, has more than thirty locations spanning three continents. Each GBC division reports financial results on a periodic basis, and the data is aggregated and stored centrally at GBC?s London headquarters. Corporate executives have access to the financial data, based on their respective authorization levels, which allows them to stay up-to-speed with the latest developments. Access to the data must be controlled, as GBC is a public corporation and must ensure that financial results are only disseminated at certain times and based on regulatory requirements.
To meet this business requirement, GBC implemented a web app for financial reporting. From any Internet connected PC, authorized GBC personnel can launch the Internet browser on the PC, type in the specific universal resource locator (URL), e.g. www.gbc.com), and connect to GBC?s financial application. They can then view and/or manipulate data, which can then be viewed or manipulated by other users that have proper authorization. GBC?s financial reporting application is fundamentally dependent on all three of the key innovations cited above; 1) a PC is used to view and manipulate data locally, 2) an Internet connected web browser is used as the standard rendering and processing environment upon the PC, and 3) high speed broadband communications permits the application to run at an acceptable speed, despite the fact that information is stored in multiple locations.
Of particular note is the use of the web browser (e.g. Microsoft Internet Explorer) to execute the application upon the PC. The web browser provides a powerful and predictable critical desktop component for the complete financial application. GBC?s IT department does not need to deploy client-side (desktop) software; they rely on the power of the web browser, which is provided as a standard component of the PC?s operating system.
Together, these three innovations are fueling the rapid growth in web apps around the globe. Web browsers are predictable, PC?s provide a standard hardware environment to facilitate the software, and broadband access supports the centralization of data. It?s no surprise that today?s leading independent software vendors offer web versions of their most popular applications, or that a host of young organizations are thriving based on their ability to conduct business over the web.
But wait, it?s not that simple. Gartner predicts that by 2009, 80 percent of companies will have suffered an application security incident, and, as a result, will react by creating roles in the AD and testing organizations to ensure that security is handled at the application level. What can be done to reverse this troubling trend?
To appreciate the reason for Gartner?s prediction, one needs to understand the underlying architecture of a web app. Let?s look at GBC?s financial application as an example. Using a web browser, the end user connects to the application by entering the appropriate URL. The application runs on a computer called a web server, which is located in London on a protected network segment known as a DMZ. The DMZ was devised to ensure that, should the web server be compromised by an attacker, additional access to the corporate network would not be permitted. When a user enters their financial information into the web browser, the application running on the web server recognizes this, and then forges a connection to a database server, which is located on GBC?s trusted internal network. The database is updated, and the user continues to enter and/or view additional information. And this and other tasks are repeated regularly from all of GBC?s locations.
Now let?s break this down into the real security issues at hand. GBC recognizes that by providing access to an application from the Internet, it has potential exposure due to access by unauthorized individuals. It has placed its web server, which is the only component that can be directly accessed from the ?outside,? in a DMZ. And it has installed a web app upon the web server that can be used to display and manipulate GBC?s confidential financial data. So where?s the weak point?
It?s the web app. The web app itself, running on the web server, is authorized to access data on the database server, which is within the trusted corporate network. Therefore, any user that can successfully compromise the security of the application itself can then use the web app to suit their purpose. And because the web app appears to be operating normally, it is very difficult for GBC?s security department to identify an attack in process. If an intruder successfully compromises the web app, he can use the apps own capabilities to manipulate data within the database, and it looks like normal activity to the casual observer!
Web apps are insecure due to something we refer to as the Application Security Gap ; IT security professionals do not understand application programming, and application developers are not security experts. Therefore, most of the applications developed today are built with an emphasis on function and performance, not on security. In fact, most application developers are under the mistaken impression that security is about three well understood components; identification, authorization and encryption. What they don?t understand is that failure to properly edit input, or providing too much error information to end users, can facilitate a devastating attack.
SOX Section 404 requires sufficient internal controls and audit practices to ensure that confidential information is not compromised. So, as we web enable our information systems, how can we ensure that we are complying with the SOX requirements? First and foremost, we must be aware of the fact that the most likely type of attack to occur is one at the application level, and we should take appropriate steps to quantify our application risk today and do everything we can to minimize our exposure, now and in the future. To do so, every organization should focus their efforts in three critical areas: People, process, and technology.
People -- As noted with the Application Security Gap, most application developers do not have sufficient security awareness. Nor do other ?non-security specific? personnel in most organizations. This must change. Education programs must be put in place to increase security awareness, particularly as it applies to web apps.
Process -- Application security must be implemented seamlessly within the application development lifecycle. Organizations should develop specific security-oriented process components as software is developed and deployed. For example, Microsoft Corporation has published its Security Development Lifecycle (SDL) , which prescribes security oriented tasks that should be performed in conjunction with application software development.
Technology ? Using security aware software, such as application security scanners and source code analysis tools, organizations can greatly reduce the application security learning curve for software developers and application security auditors. By incorporating these technologies throughout the application development lifecycle, at key points such as code development, testing, and implementation, organizations can substantially reduce their risk of an application level attack.
Web app security is complex, and full implementation of a three pronged program within any large organization will take time. Where do we start? While there are many potential choices, here?s what Gartner recommends:
Web application scanning must be included as a required part of your vulnerability management program. Because new techniques for attacking Web applications will appear over time and application updates are inevitable, regular scanning will be necessary. Your organization may contain hundreds of Web applications. Start with those that are accessible externally and considered critical to the business. Finally, press internally to gain adoption of these tools by the development organization.
Application security, and particularly web app security, is an essential component of any comprehensive information security program. And a solid information security program is an absolute requirement to survive a thorough SOX audit.
Brian Cohen
President and Chief Executive Officer
SPI Dymanics
Brian Cohen is the president and chief executive officer of SPI Dynamics, the expert in Web application security testing and assessment, and has 24 years of experience in high-level and executive positions within the information technology industry.
Recognizing that the next wave of Internet security would strategically occur at the application level due to lack of security development in this critical area, Brian took on his role with SPI Dynamics in 2001 which provides an ideal venue for him to share and combine his application software and Internet security expertise. With Brian?s guidance and expert credentials, SPI Dynamics has grown to be the expert in Web application security with several hundred customers worldwide. These customers include large organizations in virtually all major categories; financial services, health care, transportation, manufacturing, distribution, retail, services, state and local government, and federal government.
The last 10 years of Brian?s career has focused exclusively on Internet security. His successful background includes key positions at Technologic, eSoft, Dun & Bradstreet Software, MSA and EDS. After 14 years of leadership positions in the application software business, Brian became a pioneer in the Internet security industry when he founded Technologic and developed the first software and hardware combination firewall appliance. As his career with Technologic progressed, Brian guided the company to produce the first all-in-one firewall, Virtual Private Networking (VPN) and Internet connectivity appliance.
Brian is a frequent speaker to C-level audiences on the importance of application security throughout the lifecycle and was recently invited to speak at the annual Microsoft Global Briefing, an internal Microsoft global marketing and sales conference, on security best practices in development. In addition, Brian was recognized as a Top 50 Entrepreneur in Atlanta by Catalyst Magazine for 2005.
|
|
|
|
|
