Safe Data: At What Price?

To offset the high cost of safekeeping apps while ensuring quality during development, technologies are getting revamped for new use.

As they look to shore up the security of networks, many enterprise CIOs and security specialists are coming to the same inevitable conclusion: Security is expensive.

Firewalls, intrusion detection systems, anti-virus scanners and content filtering long ago ceased being optional equipment and moved onto the must-have list. And there are new technologies such as intrusion prevention systems and biometrics coming online seemingly every week, not to mention expensive vulnerability assessments, penetration tests and integration work. Add it up, and theres little doubt that the cost of keeping applications and data secure isnt likely to stabilize soon.

To help alleviate part of that burden, some IT organizations and security vendors are getting creative in their use of existing technologies.

Application security specialist Sanctum Inc., for example, recently released Version 3.5 of its AppScan product, which now includes extensive capabilities for application testing. Previously, AppScan had been used mainly as a tool for testing the security of Web applications. But the new functionality enables customers to run the software against applications during the quality assurance phase of development to seek vulnerabilities before the application is released.

Traditionally, developers have left the task of testing the security of their applications to customers. Once a vulnerability is identified, it is documented and fixed in a future release. But the explosion of malicious hacker activity in recent years, coupled with the large number of applications that are now exposed to the Internet, has led to a greater focus on writing secure code.

And that means much of the QA burden is being returned to its rightful owners: developers and testers.

"Part of that testing process has been pushed back into the QA process," said Ben Straley, product marketing manager at Sanctum, based in Santa Clara, Calif. "Security problems are now being treated as product defects, just like anything else."

And with good reason. The cost of fixing software vulnerabilities after deployment is nearly seven times that of addressing them before release, according to a study conducted by IBMs System Sciences Institute.

The trend toward making security code reviews part of the QA process is also taking hold at major software companies, most notably Microsoft Corp., in Redmond, Wash.

As part of its much-publicized Trustworthy Computing initiative, the company now does a complete review of every applications code before the software is released to the public, with trained testers looking for anything that could result in a potential security vulnerability.

Officials at database maker Oracle Corp., in Redwood Shores, Calif., also have said they are placing increased emphasis on finding potential security vulnerabilities before new applications hit store shelves.

Vulnerabilities in Web applications can be especially costly in that they can give attackers a direct route into the rest of the network.

Included in AppScan 3.5 are several new features designed to address this issue.

The software can learn an applications structure and business logic, which it then uses for future tests. There is also a new record/playback feature that can record a business process for regression testing, allowing testers to go through the process one step at a time. The process can be saved in XML.

The system can also call and test JavaScript and includes an exposed proxy that enables users to run tests without a Web browser by running the application through AppScan.

That kind of functionality is proving attractive to security specialists looking for a way to plug potential holes in their in-house applications before the applications are released to users.

"Its a big plus when youre sitting with a developer and you can pull up the description of the problem and the solution so that they understand exactly what to put in the code to make it more secure," said Lance Wolrab, network security engineer at Deltanet Inc., a health care industry solutions provider based in Rancho Cordova, Calif., and an AppScan customer.

Wolrab said that before security reviews of applications were instituted, he essentially had to trust the developers to get it right. And given the number of new software vulnerabilities discovered each week, many developers are falling short of that standard.

"Its caused a lot of political storms," Wolrab said. "No one likes to be criticized. Before, you were more or less taking it on faith that the developers were turning in good work. Now, I can take the exact exploit and run it against their application and show them where the problem is."

Wolrab added that using AppScan during the QA process has eliminated the need for expensive penetration tests of new applications, which, he said, routinely ran $25,000 and could take up to two weeks. And even then, he said, he couldnt always count on finding exactly where the problems were.

"Some of those guys, as good as they are, have no people skills and cant communicate where the problem is," Wolrab said of some of the penetration testers hes worked with. "After all of that time, Id like to know what they found."