Putting App Security to the Test

Scanning your applications for vulnerabilities and problems beforehand is best, but not the norm yet

Not many enterprises today bother testing the security of their applications. Those that do are mostly scanning them after the fact, once the application is already in production and exposed to attackers. But Gartner says that is about to change.

Most enterprises are still focusing on network security, and assume that their traditional vulnerability assessment scanning tools will take care of application security as well, according to a recent research note by Gartner. Gartner vice president Joseph Feiman, a co-author of the report, says only 10 percent of enterprises use application source code scanners today. "Instead, they rely on firewalls, IDS, and are enforcing entry into the enterprise, but that's not the solution."

Ensuring applications don't have any big, gaping holes for attackers to drive trucks through is a job many enterprises today just aren't equipped to do, either financially or in terms of expertise. But Feiman says by 2009, 60 percent of enterprises will be using vulnerability detection as part of their software lifecycle processes.

And for those companies who don't have the financial or technical resources, vulnerability detection/assessment services make sense, he says.

That's just what application security service providers such as White Hat Security are banking on. Jeremiah Grossman, CTO of White Hat Security, which provides Web application security scanning services, says the future of Web application vulnerability assessment is all about scale.

With eight out of 10 Websites sporting security holes and most attacks now aimed at the Web application layer, Grossman says, the potential scale of the problem is huge. "And very few organizations have the technical expertise" to address these security problems, he says.

Gartner predicts 50 percent of enterprises will use "some amount" of app security scanning services by 2010.

"The reality today is we're still stuck scanning after the fact," Feiman says. "And developers are injecting vulnerabilities at the very first moment of design. But that is changing rapidly."

And some of the tools are starting to be integrated. "Dynamic scanning vendors are now offering source-code scanning as well," he says.

Dynamic scanners are Web app vulnerability scanners that test a running application from the outside and don't have source-code access. Fortify, which sells a source-code scanner for use during app development, and WatchFire, which sells a dynamic, quality-assurance-style testing tool, are teaming up, for instance, he points out. The idea is to bring together the two ends of the software lifecycle.
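To make the two ends concrete, here is an added example (not code from the article, nor from Fortify, WatchFire or any vendor named here) in Python. It runs a tiny source-code check and a tiny black-box probe against the same constructed handler, `lookup_user`, first in a version that builds SQL by string concatenation and then in a parameterized version. The source scanner only reads the code and flags `execute()` calls fed a dynamically built string; the dynamic scanner never sees the code and only watches whether a tautology payload widens the result set. The handler, the table and the probe payload are all invented for the demonstration.

```python
import ast
import sqlite3

# Constructed sample code under test: the same function written unsafely and safely.
VULNERABLE_SOURCE = '''
def lookup_user(conn, username):
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()
'''

FIXED_SOURCE = '''
def lookup_user(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
'''


def _is_dynamic_string(node):
    """True if the AST node builds a string at run time (+, %, .format(), f-string)."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def static_scan(source):
    """Source-code scanner: needs the code, not a running app.

    Returns the line numbers of execute() calls whose SQL argument is a
    dynamically built string, either inline or via a local variable.
    """
    tree = ast.parse(source)
    tainted = set()
    for node in ast.walk(tree):  # pass 1: variables assigned a built string
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and _is_dynamic_string(node.value)):
            tainted.add(node.targets[0].id)
    findings = []
    for node in ast.walk(tree):  # pass 2: execute() fed such a string
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            arg = node.args[0]
            if _is_dynamic_string(arg) or (isinstance(arg, ast.Name) and arg.id in tainted):
                findings.append(node.lineno)
    return findings


def load_handler(source):
    """Turn the sample source into a callable, standing in for a deployed app."""
    namespace = {}
    exec(source, namespace)
    return namespace["lookup_user"]


def dynamic_scan(handler):
    """Black-box scanner: only observes behaviour, never reads the code.

    Sends a SQL tautology in the username and compares the number of rows
    against a clean baseline. Returns 'injectable', 'clean' or 'error'.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    baseline = handler(conn, "alice")
    try:
        probe = handler(conn, "alice' OR '1'='1")  # constructed injection payload
    except sqlite3.Error:
        return "error"  # a quote breaking the query is itself a strong signal
    return "injectable" if len(probe) > len(baseline) else "clean"


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("fixed", FIXED_SOURCE)):
        print(label, "static:", static_scan(src),
              "dynamic:", dynamic_scan(load_handler(src)))
```

The static check fires on line 4 of the vulnerable sample before any database exists, which is the point of scanning during development; the dynamic probe reports the same flaw only once the handler is wired to data, but needs no source and would work equally against a third-party application. Neither tool is complete on its own: the AST check here knows nothing about strings built in another function, and the probe only detects injections that change the row count.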

Brian Cohen, CEO of SPI Dynamics, says although most enterprises today don't do pre-production scanning, they are realizing it's "the right thing to do." Cohen points to a forward-thinking large enterprise customer of SPI Dynamics that two years ago was about to deploy a "seven-figure" ERP application when a pre-production scan found serious problems in the software, and the company postponed the implementation until the software vendor resolved the problems.

"That was the exception back then, and now a majority of enterprises do some level of periodic scanning." But with regulatory and legal pressures increasing, companies with apps that house customer data or pose a financial risk are looking at pre-production testing as well, he says.

But meanwhile, the hard fact is that no matter how many scanning tools a developer has, or how careful he or she is during the development cycle, there's no way to write bug-free code. "I don't believe it's possible. It's against human nature," Feiman says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading