Application security is getting a new push as rules governing the payment-card industry mandate that many businesses either undergo a software code review or deploy a Web application firewall, starting later this summer.
“Application security is high on everybody’s radar,” says Brad Friedman, CIO at Burlington Coat Factory, which, like other businesses that handle customer payment cards, is obligated to comply with Payment Card Industry (PCI) security guidelines. Friedman says his company has already locked down PCs and point-of-sale devices in its 400 stores, but the concern for companies remains how to avoid the kind of credit-card data-breach fiasco that TJX had last year.
But the question is: Which of these soon-to-be PCI-required approaches to take? And even if you’re not required to go with one of these approaches, does either of them really do the trick?
There’s a wide range of tools and services that help automate code analysis for the purpose of finding security flaws in applications, including those from Fortify Software, Klocwork, Ounce Labs and Veracode. And there are application-penetration testing tools such as Core Impact from Core Security Technologies, which uses an agent-based approach.
However, many security experts point out that automated code analysis has its limits, especially when it concerns finding flaws in the underlying business logic of an application.
“Source-code analysis won’t find all security vulnerabilities,” acknowledges Brian Chess, chief scientist at Fortify, which makes tools for static-code analysis and real-time analysis of applications. “It will find a lot of vulnerabilities that can be exploited through buffer overflows, cross-site scripting and SQL injection. But source-code analysis can’t tell you about business logic flaws. It can’t find design flaws.”
Others agree.
“Closed source or open source, it comes down to the programmer and their psychology,” says Joe Stewart, senior security researcher at Atlanta-based SecureWorks. “Code inspection will find common mistakes, such as buffer overflows. But finding errors in logic is much harder.”
Business logic flaws often are made in the design of an application’s authentication process, Stewart notes. “Suppose it checks one letter at a time — it gives attackers a clue. Or a logic bug may involve giving people access to something they shouldn’t have. Programmers may skip over the critical checks so they can do it faster.”
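The distinction Chess and Stewart draw, between defects that show up as a recognisable code pattern and defects that live in the intended policy, is easier to see in code. The following Python sketch is an added example, not code from the article or from any vendor it names; the account table, owners and balances are constructed, and the function names are hypothetical. It puts a SQL-injection defect (a taint path from parameter to query string, which a static analyser can flag mechanically) next to two logic defects of the kind Stewart describes: a password check that stops at the first mismatching character, and a lookup that never verifies the caller owns the account. The logic defects are syntactically clean and type-correct, so nothing in them looks wrong to a pattern-based scanner; each is shown beside the corrected form.

```python
"""
Three defects in a small account service (constructed example, Python 3).

1. Injection: an untrusted parameter is concatenated into SQL. A taint-tracking
   static analyser can find this because the source -> sink path is visible.
2. Logic flaw (authentication): a comparison that returns at the first
   mismatching character, so its running time depends on how many leading
   characters are right. Statically it is just a loop over two strings.
3. Logic flaw (authorisation): a query that never checks ownership. No tool
   knows the intended policy, so the code compiles, runs and passes naive tests.
"""
import hmac
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250)])
    return conn


# --- 1. Injection: the category source-code analysis is good at ------------
def balance_by_owner_unsafe(conn, owner):
    # Untrusted string spliced into SQL: the classic pattern a scanner flags.
    query = f"SELECT balance FROM accounts WHERE owner = '{owner}'"
    return sorted(r[0] for r in conn.execute(query).fetchall())


def balance_by_owner_safe(conn, owner):
    # Parameterised query: the analyser sees the sanitising boundary.
    rows = conn.execute("SELECT balance FROM accounts WHERE owner = ?", (owner,))
    return sorted(r[0] for r in rows.fetchall())


# --- 2. Authentication logic: character-by-character comparison ------------
def leaky_compare(stored, supplied):
    """Return (matched, steps). `steps` is the number of character comparisons
    made before returning, i.e. the observable that a timing measurement would
    expose. It grows with the length of the correct prefix."""
    if len(stored) != len(supplied):
        return False, 0
    steps = 0
    for a, b in zip(stored, supplied):
        steps += 1
        if a != b:          # early exit is the defect
            return False, steps
    return True, steps


def constant_time_matches(stored, supplied):
    # hmac.compare_digest takes time independent of where the inputs differ.
    return hmac.compare_digest(stored.encode(), supplied.encode())


# --- 3. Authorisation logic: the "critical check" that gets skipped --------
def account_balance_no_authz(conn, caller, account_id):
    # `caller` is accepted but never used: any authenticated user can read
    # any account. Nothing here is syntactically or type-wise wrong.
    row = conn.execute("SELECT balance FROM accounts WHERE id = ?",
                       (account_id,)).fetchone()
    return row[0] if row else None


def account_balance_with_authz(conn, caller, account_id):
    # The policy is encoded in the query: the caller must own the row.
    row = conn.execute("SELECT balance FROM accounts WHERE id = ? AND owner = ?",
                       (account_id, caller)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed input that breaks out of the quoted literal
    print(balance_by_owner_unsafe(db, probe))        # every balance
    print(balance_by_owner_safe(db, probe))          # []
    print(leaky_compare("secret", "sXXXXX"))         # (False, 2)
    print(leaky_compare("secret", "secreX"))         # (False, 6)
    print(constant_time_matches("secret", "secret")) # True
    print(account_balance_no_authz(db, "bob", 1))    # 100: bob reads alice's account
    print(account_balance_with_authz(db, "bob", 1))  # None
```

The point of the `steps` counter is that the side channel is a property of control flow under particular inputs, not of any single statement; a scanner that matches patterns sees a correct string comparison. Likewise the missing ownership check is only a bug relative to a policy the code never states, which is why the article's sources say such flaws need review or tests that encode the policy rather than pattern matching.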