Your organization understands security. It follows best practices, has the requisite firewalls, anti-virus and intrusion-detection systems in place along the perimeter, and only communicates with mobile users or business partners via secure VPNs.
And when end users enter the network via the VPN they are vetted by a separate security server to ensure their machines are properly configured with the appropriate firewall and anti-virus tools before they're granted access to core applications.
The company even goes as far as deploying application-specific firewalls and intrusion-prevention systems (IPS) around its most critical application servers, watching for and blocking inappropriate application calls and traffic. It's what the pundits call "defense in depth," and the company has it in spades.
But even though the company has probably spent thousands, maybe millions, of dollars on security infrastructure, chances are it will still get hit by the latest virus or worm.
"What's wrong with this picture?" asks Paul Simmonds, director of global information security at London chemical conglomerate ICI and a co-founder of the Jericho Forum. "What we have is back to front, at the moment. We're saying that since we can't secure our applications, we need to put in firewalls and kludges all over the place to make what we have at least semi-secure, and even that's not working. But why not just go back to first principles and get this secure from the outset, at the application level?"
Experts agree that the security focus needs to shift. "For anybody who's thinking about new hacking techniques, the soft target now isn't the network or the operating system. It's the applications," says Thomas Longstaff, deputy director for technology at security organization CERT. The reason is simple: no matter how much technology you put in place around applications, they are only useful if you open them to end users and other processes.
"It doesn't make any sense to protect all this information if you can't get to it," Longstaff says. "You have to provide access to wherever the clients happen to be. And that means that you're really relying on the proper configuration and security of not only every application server but also every end user that's going to use the application."
Complicating matters is that application vendors implement security measures such as authentication, authorization and encryption in different ways.
"We're still pretty much in the Wild West phase of applications security, where everybody who has a good idea goes off and does it their own way," Longstaff says. "Very few vendors are trying to bring their applications together under a single framework for security."
That makes it hard for end users to securely deploy and configure their business-critical applications. "When deploying new applications, users are faced with a long list of security check boxes," Longstaff says. "And the onus is on them to figure out each application's inherent security problems, how best to shore them up, and then how to make sure the best security configurations for one application don't interfere or override the security configurations for another."