Database security vendor Application Security Inc. has entered a two-year partnership with Visa International to ensure that the worlds largest credit card issuer is on the cutting edge of protecting its databases, the two firms announced this week.
The partnership is geared to providing Visa, which is by far the worlds largest credit card brand, protection for customers personal information and the credit card numbers of the 1.3 billion cards the company now has in circulation.
Application Securitys flagship product is AppDetective, a network-based vulnerability assessment scanner for databases. It also sells AppRadar, a real-time database intrusion detection and auditing tool, and DbEncrypt, a tool for column-level encryption of production databases.
According to Ted Julian, vice president of marketing for the New York security tools firm, the timing is ripe, as online retailers head into a season of what is expected to be the biggest volume of sales ever. “One thing that goes along with [e-retail during the holiday season] are security concerns and people concerned with buying things online,” he said. “In that context, Visa has an important opinion or role to play. They have a unique perspective on the holiday season and on protecting customer information.”
Indeed, according to a recent report from Forrester Research Inc., online holiday sales will hit $13.2 billion this year—a 20 percent increase over last year.
Unfortunately, the flip side of the rising use of credit cards online is the spiraling incidence of thieves snatching credit card numbers, Social Security numbers and other personal data. This was dramatically demonstrated on Friday, when a Newark, N.J., federal grand jury indicted 19 people in the United States and abroad who were connected to a Web site that investigators said was one of the largest centers for online trafficking in stolen identity information and credit cards.
According to Gartner Inc., some 75 percent of cyber attacks are now occurring at the application level—as opposed to the perimeter—where firewalls reside. That means that databases are now a primary target. “At the end of the day, all the transactions, all the credit card numbers, sit in the database,” Julian said.
Cyber criminals have shifted their attention to the application level because they target the weakest link, according to Sarah Perry, senior vice president in charge of strategic ventures with Visa, in San Francisco. As enterprises have focused on securing the perimeter, the next weakest link in the chain has become the database.
“As solutions evolve, the perimeter is protected, and … it becomes more difficult to crack that,” she said. “What has been largely unprotected, or ineffectively protected, is the area that becomes the next most vulnerable area, which is that which resides within the company, and the data sitting within the databases.”
According to Noel Yuhanna, a Forrester Research analyst, data theft is running rampant not only in production databases, but also within data transfers, on data stored in databases, as well as on data stored in tape and backups. Most enterprises still neglect to focus on database security, Yuhanna said, but at least that trend is slowly starting to turn around—as evidenced in part by the Visa-AppSec partnership.
“I think it will be helpful for Visa, especially when they deal with such sensitive data, [and] especially given the fact that there are a lot of intrusions and hacks going on, and they will only increase. Unless customers and vendors secure the data, it will be an open situation,” Yuhanna said.
Anthony Passaniti, head of the security office for Swiss Re, North, South and Latin America, in Armonk, N.Y., has been spreading deployment of AppSec tools throughout the global reinsurance firm for about a year and a half. The difference in database security before and after the deployment of the tools boils down to consistency in the way developers behave in taking applications from development to testing, he said, since AppSec tools check for security at every step of the way.
“We dont have to spend so much time testing and certifying an application before it goes into production,” he said. “Its secured as its being built. You just give it a once-over. In development, and in testing, we use the tools. At the end, we give it one more quick check, and if everything looks good, we give it the stamp of approval and put it into use—as opposed to finishing coding, scanning it, stopping the process” and going back to fix insecure coding, he said. “If its at the end, it may take twice as long to try to fix it as if you build controls in.”
The use of AppSec tools should make it easier for member banks and merchants to comply with a number of security requirements in Visas CISP (Cardholder Information Security Program). For example, those requirements stipulate that member banks and retailers keep security patches up to date; protect stored data by, for example, encrypting passwords; avoid the use of vendor-supplied default passwords and settings; assign unique IDs to people with computer access; track access to data by unique ID; and regularly test security systems and processes. AppSec tools include checks and procedures for handling all such issues.
Visa loves it all, Perry said. “The vulnerability assessment tool is tremendously valuable, to find out whats happening inside our databases,” she said. “And their intrusion detection—after all, regulations require that companies do the most they can to ensure any type of malicious activity is being addressed with the latest technology available. And we really like the column-level encryption tool, which allows much more flexibility in securing data within a database while still allowing access to data when needed.”
But its too early to say whether Visa intends to require members to use the technology, she said. At this point, the two companies will work together to collaborate and co-develop solutions in order to get them into the hands of Visas member companies.
As part of the partnership, Visa has acquired a minority equity investment in AppSec.