Getting to secure by design: Why web security needs its own considerations

The recent attacks on companies like TalkTalk raise awareness of how much companies depend on their IT in order to function, and how brittle typical IT infrastructures are.

These problems should help us all realise that IT security is not as simple as throwing ever more and newer security solutions and technologies at the problem. IT security needs a fundamental overhaul, starting with the underlying components, their individual configurations and how up to date these pieces are.

It is true that “one size fits all” models are often too simplified and each organisation has to understand how its business breaks down into specific components, and where their security practices fit against those business requirements. However, good basic security should be part of any business.

What should we do now?

The biggest short-term challenge is to understand how your IT security and online business models match up against each other. For corporate IT security teams, internal IT and data requirements are easier to understand and lock down; after all, data remains in one place for production use, which limits the attack surface.

However, when we connect our existing IT infrastructures to the Internet, we connect to an essentially hostile network and introduce other moving parts that might also be involved in getting that data into the production systems. For example, in previous attacks on the likes of TalkTalk, customer data was gathered from web servers that were under the jurisdiction of external suppliers and other parts of the corporate group.

These servers held data that was essential to the business, yet the corporate security plan did not seem to include these outposts of data. This is a good example of how making different teams within IT responsible for specific areas of technology can lead to security gaps and isolation of data. A company's web infrastructure is a perfect model for this effect: the web servers are under the control of the infrastructure team, while the applications and the data they hold are controlled by development; both layers have to be included in the security model.

To make this easier, the security team should have a complete view of all IT assets and infrastructure that exist, plus the applications that are hosted on these systems. This asset list can provide an overview of all the software, operating systems and hardware that are implemented and used, as well as keeping track of how up to date those assets are. This might seem like an obvious point for companies that have been brought up on ITIL and Configuration Management Databases; however, not every company has implemented the best practices involved here. More importantly, this often gets left to the IT service management team rather than being something that the whole IT organisation makes use of.

For companies that don’t have this list in place, implementing a system to collect data from all servers, endpoints and web applications is essential. This should cover the whole business including any web infrastructure that might normally be the purview of the marketing or web teams rather than IT. Getting this asset list in place and continuously updating it to look for vulnerabilities or necessary patches can help the IT security team keep ahead of problems.
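The two points above, a single view across team boundaries and a check on how current each component is, can be demonstrated with a small reconciliation script. The following is an added example and is not code from the article or from Qualys: it merges per-team inventory exports (infrastructure, development, and a marketing campaign site run by an agency) into one record per host, then reports which hosts the security team's plan does not cover and which installed versions lag behind a current-release table. Every hostname, team name, product name ("acme-httpd" and the others) and version number is constructed for illustration.

```python
"""Reconcile asset inventories from several teams; flag coverage gaps and stale software.

Added example, not from the original article or from Qualys. All hostnames, owners,
product names and versions below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed inventories, one per team, as each would export them.
INFRA_TEAM = [
    {"host": "web-01.example.test", "owner": "infrastructure",
     "software": {"acme-os": "14.04", "acme-httpd": "2.4.7", "acme-tls": "1.0.1"}},
    {"host": "db-01.example.test", "owner": "infrastructure",
     "software": {"acme-os": "7.1", "acme-db": "5.6.27"}},
]
DEV_TEAM = [
    # Same host as infrastructure reports, but a different layer of the stack.
    {"host": "web-01.example.test", "owner": "development",
     "software": {"acme-runtime": "5.5.9", "acme-cms": "4.3"}},
]
MARKETING_TEAM = [
    # Campaign site run by an external agency; never reported to IT.
    {"host": "promo.example-agency.test", "owner": "marketing/agency",
     "software": {"acme-os": "12.04", "acme-cms": "4.1", "acme-runtime": "5.3.10"}},
]
# Hosts that the security team's plan and scanners currently cover.
SECURITY_VIEW = {"web-01.example.test", "db-01.example.test"}

# Constructed "current release" table; in practice fed from vendor advisories or a scanner.
CURRENT_RELEASE = {"acme-httpd": "2.4.17", "acme-tls": "1.0.2", "acme-db": "5.6.27",
                   "acme-runtime": "5.6.15", "acme-cms": "4.3.1"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.4.17' into (2, 4, 17) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def merge_inventories(*sources: list[dict]) -> dict[str, dict]:
    """Combine per-team exports into one record per host, keeping every owner and package."""
    merged: dict[str, dict] = defaultdict(lambda: {"owners": set(), "software": {}})
    for source in sources:
        for record in source:
            entry = merged[record["host"]]
            entry["owners"].add(record["owner"])
            entry["software"].update(record["software"])
    return dict(merged)


def build_report(inventory: dict[str, dict], covered: set[str], releases: dict[str, str]) -> dict:
    """Flag hosts missing from the security view and software behind the current release."""
    gaps = sorted(host for host in inventory if host not in covered)
    stale, untracked = [], []
    for host, entry in sorted(inventory.items()):
        for product, installed in sorted(entry["software"].items()):
            if product not in releases:
                untracked.append((host, product))  # no release feed, so it cannot be judged
            elif parse_version(installed) < parse_version(releases[product]):
                stale.append((host, product, installed, releases[product]))
    return {"gaps": gaps, "stale": stale, "untracked": untracked}


def run() -> dict:
    """Merge the three team exports and produce the combined report."""
    inventory = merge_inventories(INFRA_TEAM, DEV_TEAM, MARKETING_TEAM)
    return build_report(inventory, SECURITY_VIEW, CURRENT_RELEASE)


if __name__ == "__main__":
    report = run()
    print("Not in security plan:", report["gaps"])
    for host, product, have, want in report["stale"]:
        print(f"{host}: {product} {have} -> {want}")
    print("No release data:", report["untracked"])
```

The "untracked" list matters as much as the "stale" one: a component that no release feed covers is one the security team cannot reason about at all, and in practice those are exactly the components that sit on the agency-run or marketing-owned systems.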

What should we do for the future?

Web application security requires a different skillset compared to the traditional infrastructure security approach. Currently, a great deal of expertise is required to control security policies around web applications, while organisations deploying tools like web application firewalls don’t want to accept approaches that are iterative or cause production outages and delays.

At the same time, the idea that the application development teams responsible for putting together these applications are considering security at the start is not as accurate as we all would like. The emphasis is on working code and speed of delivery, rather than security. The agile mindset at the heart of most web development today emphasises faster implementation and continuous change. While these areas are at the heart of meeting business needs today, they don’t take security into account.

In order to fix this, it is important that security thinking is embedded back into application development approaches. This “secure by design” approach can live alongside the faster development and implementation cycles that the business demands. By getting developers to consider security at the start of their work rather than at the end, this approach can actually help to cut the number of potential revisions that are required, either brought up by Quality Assurance or by penetration testing phases.

This harks back to the old saying of ‘measure twice, cut once’. However, it does not mean turning back to the slower approach of waterfall development – indeed, turning the clock back to previous development management styles will not automatically inject more secure code into web development. Instead, it is important to build more understanding of security and potential attacks into development from the start.

Alongside this, it is also important to provide development teams with insight into how their web applications are performing from a security perspective as well as a customer experience standpoint. While many web teams will be able to provide chapter and verse on page response, application performance and the impact of slow loading times on revenue, they may lack insight into how secure those applications are in production. By pulling together information from across the application, developers should be able to see potential problems developing or where attacks might be aimed.

In response to this, it is possible to create virtual patches, typically rules in a web application firewall or a similar filtering layer in front of the application, that work around a particular area where there might be a vulnerability. By blocking or constraining only the requests that reach the potentially vulnerable element of the web application, the web app itself can carry on functioning and serving customer requests. In the meantime, the web app team can apply the necessary updates or fix the underlying problem, after which the virtual patch should be retired. For traditional infrastructure IT, this approach of fixing the engine while in flight is rarely possible; for web applications, it is often necessary.
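The following shows the mechanism of a virtual patch as a WSGI middleware layer placed in front of an application. It is an added example and not code from the article or from any Qualys product. The application, the weak endpoint (`/export`) and its parameter (`report`) are hypothetical, chosen only to illustrate the idea: only requests that would reach the suspect code path with an unexpected value are rejected, every other request is passed through untouched, and a counter records how often the weak path is probed so the development team gets the security insight discussed above.

```python
"""Virtual patch as a WSGI middleware layer in front of a web application.

Added example, not from the original article or any Qualys product. The application,
the endpoint (/export) and its parameter (report) are hypothetical.
"""
import re
from urllib.parse import parse_qs


def vulnerable_app(environ, start_response):
    """Stand-in for the real application. Assume /export uses ?report= unsafely and the
    proper fix is not yet deployed. Every other path is considered fine."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"served {environ.get('PATH_INFO')}".encode()]


class VirtualPatch:
    """Rejects only requests that could reach the known-weak code path with bad input.

    The application keeps serving everything else while the real fix is built, tested
    and rolled out; once that is live, this layer is removed again.
    """

    # Allowlist describing what a legitimate report name looks like (constructed).
    SAFE_REPORT = re.compile(r"^[A-Za-z0-9_-]{1,40}$")

    def __init__(self, app, path="/export", param="report"):
        self.app, self.path, self.param = app, path, param
        self.blocked = 0  # how often the weak path was hit with unexpected input

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") == self.path:
            query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
            for value in query.get(self.param, []):
                if not self.SAFE_REPORT.match(value):
                    self.blocked += 1
                    start_response("403 Forbidden", [("Content-Type", "text/plain")])
                    return [b"request rejected"]
        return self.app(environ, start_response)


def call(app, path, query=""):
    """Minimal WSGI driver used here instead of a real server; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


patched = VirtualPatch(vulnerable_app)

if __name__ == "__main__":
    print(call(patched, "/export", "report=q3_sales"))      # legitimate: passes through
    print(call(patched, "/export", "report=q3%2Fdrafts%2Fx"))  # unexpected characters: 403
    print(call(patched, "/search", "report=q3%2Fdrafts%2Fx"))  # other endpoint: untouched
    print("blocked so far:", patched.blocked)
```

An allowlist on the one parameter that matters is preferable to a blocklist of attack patterns: it is narrower, easier to review, and far less likely to cause the production outages that make teams reluctant to deploy web application firewall rules in the first place.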

For companies of all sizes, web applications play an essential role in their internal and external services for customers. However, this role within business operations has to be recognised and infrastructure has to be kept secure. By planning for web security as part of an integrated approach to IT, companies can ensure that all their operations remain secure.

Wolfgang Kandek, CTO at Qualys
