What to Look For

By Paul F. Roberts  |  Posted 2006-02-05

That said, the meteoric rise of companies such as Salesforce.com has created a rush to get into the on-demand business, and that could lead to shoddy deployments, Topolovac said.

"You've got companies taking a client/server tool, putting it behind a firewall and running it on a hosting provider's network and saying it's on demand," Topolovac said.

Enterprises looking at on-demand offerings should look for software that was built from the ground up for on-demand deployment, he said.

Companies also need to be mindful of a vendor's internal security policies, experts say. If the service provider doesn't have an explicit security policy already in place, chances are security wasn't much of a consideration when the application was built.

"The vendors need upfront security policies. Software as a service needs to protect data right at the front, but that's a little utopian," said Rick Welch, vice president of the developer division at RSA Security, in Bedford, Mass. "You can't always do it. Maybe you encrypt the most sensitive data in the database, then encrypt all of it in mass storage. The point is, the vendors have to homogenize that. It's hard to do it uniquely [for each customer]. Without security policies, it's hard to get consensus on what needs to be encrypted."

Lagging Defenses

Welch said that the various data breaches that made headlines last year had the unintended effect of raising enterprises' awareness level about the need to protect their data, and not just their networks. Because many companies now have partners, customers and others coming in and out of their networks on a regular basis, network security simply is not going to be sufficient to prevent the loss of sensitive data, especially when IT departments don't have complete control of the applications.

In fact, traditional network protections such as IDS (intrusion detection system) and firewalls may not be a very effective solution for a new generation of threats that target Web-based applications, experts say.

For Mike Howard, the senior security program manager at Microsoft, SQL injection attacks are the bogeymen that keep him up at night. In SQL injection attacks, dynamically generated strings in Web applications are manipulated by attackers to send malicious SQL commands to the back-end database.

"We're seeing more SQL injection attacks, and it's very worrying. You can have a firewall in place, and people can still do whatever they want," Howard said in Redmond, Wash.

Technologies such as JavaScript, XML and AJAX (Asynchronous JavaScript and XML) have also introduced new avenues for attack and exploitation, said Caleb Sima, co-founder and chief technology officer at SPI Dynamics, in Atlanta.

In January, Forum Systems, of Sandy, Utah, warned customers that AJAX-enabled applications were transforming Web browsers into Web services portals, exposing users to potentially corrupted data that can cause the browser to crash, slow servers or cause widespread disruptions by consuming network bandwidth.

An XSS (cross-site scripting) worm that downed popular social networking site MySpace.com in October could be a harbinger of things to come as companies move to Web-based services, Sima said.

The worm was written by a MySpace user named "Samy" and used a combination of JavaScript and AJAX code and took advantage of lax Web-browser security to silently inject a small piece of malicious code into the MySpace profiles of those users who viewed a page set up by the attacker. The code added Samy to the victims' lists of friends and also spread to their MySpace profiles. Within 24 hours, the XSS worm had netted Samy over a million new "friends" and prompted MySpace.com to shut down the service to remove the infection.

In a world in which Web-based services such as Salesforce.com are used to connect critical applications across company lines, a hack in one part of the Web services chain could quickly spread, MySpace-like, and affect other organizations in the chain, Sima said.

"Companies have to ask: If my partner goes down or gets hacked, how will that appear on my site?" said Sima.

Development Worries

Security experts agree that lax development practices are responsible for many of the vulnerabilities in software today and that the move to deploy applications on the Internet—especially those that were originally written to run on individual PCs—may be outpacing education on the security risks that go along with that move.

"The age of Internet software is here. The vendors need to get over it and design it all [to be used] that way," said Gary McGraw, CTO of Cigital, in Dulles, Va., and a well-known expert on writing secure software. "Everybody should be writing code as if it's going to be exposed on the Internet. Developers have to understand that."
