Security Experts:

When Network Security Is Not Enough

I assume there are a few technology arenas more confusing than security (though probably not many). Even when I have lunch with my small business counterparts and we talk security, I find a lot of misconceptions about what web security is all about.

Most people will focus on perimeter security and think that they have it all covered. Many people view the hardware side of their data center as being where security needs to happen. Mention a firewall and people nod their heads and say they have it covered (some even mention that they also have a fingerprint scanner guarding the server room). In IT terms, this is network security; it keeps the bad guys out of the server room (literally and figuratively). Unfortunately, network security is never enough.

Network Security: Shielding What’s Most Important to You from Harm

My stretch analogy for today is raising kids. When my kids were growing up, we (protective parents, one from New Jersey no less) shielded them from harm as best we could – seat belts, car seats, hold my hand crossing the street, lock the doors at night, stranger danger and more. In the case of this analogy, these protective parenting actions are like perimeter security for your business – tangible things that can be wrapped around your kids to keep them safe from obvious harm.

Though we take these measures to protect our children, there are still other outside dangers that they can be subjected to – including what they hear and see on TV, who they talk to in Internet chat rooms and who they call on the phone. These are the things that kids have to grow up with, but we, as their parents, have little or no control over what’s happening at the other end of these communication channels. TV ads are a lot more ‘adult’ than I remember, chat rooms seem to be the hunting ground for the misguided and I’m pretty sure cell phones are mentioned in the Bible as being the devil’s playground.

Web Applications: The Necessity of Opening Yourself Up to Potential Threats

Just as we cannot control what is on television, who is in Internet chat rooms or who is on the other end of the phone, we cannot control the browsers that are interacting with our web applications. We have no idea what the individual sitting at a browser far away is doing. He might be ordering one of our new lines of dog coats or he might be trying out a SQL Injection attack through our customer login page.

You might be asking yourself: Why do we do it? Why do we expose our children and IT systems to things we cannot control?

The answer is necessity. We allow our children to be exposed to the outside world, and the threats that come with it, so they can learn and grow (and so that we can get a fifteen-minute break while they watch TV). Our web applications, by necessity, expose our internal IT system through data connections (Ports 80 and 443) that must be left open in order to conduct business (and make money). In other words, a certain level of risk is required, but one does need to be careful.

The Difference Between Network Security and Web Application Security

If you own a business and do anything over the Internet you should be asking yourself which aspects of web security you have covered. The physical side of web security (i.e., firewalls, locks, anti-virus), while not necessarily easy, is well understood; it’s basically an infrastructure configuration, and yours could be very similar to the one at the business down the street.

Your web applications (your websites) are another story. The total unpredictability of the outside component (your clients and anyone else who brings up your website on their browser) and the fact that you cannot just let the good guys in while keeping the bad guys out mean you need to build your web application such that it supports your business as well as wards off the attacks from malicious hackers.

This is not so easy. For example, the ordering fields on your product page may be a necessity but, unless you’ve written your web application correctly, those very same fields are prime SQL Injection opportunities for hackers to wander your internal databases.
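The login-page and ordering-field examples above both come down to the same defect: user input that is pasted into the text of a database query. The following added example (my own illustration, not code from the original article or from 403 Web Security) puts a deliberately vulnerable login check next to the corrected one so the difference is visible. The table, the customer row and the inputs are all constructed for the example; the `x' OR '1'='1` value is the standard textbook illustration of a tautology that changes the meaning of a concatenated query.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory customer table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO customers VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """The defect: input is concatenated into the SQL text, so the browser
    decides part of the query. This is the 'before' version and must not be
    used for a real login."""
    sql = ("SELECT COUNT(*) FROM customers WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password_hash):
    """The fix: placeholders pass the input as data. The driver never lets a
    value alter the structure of the query, whatever characters it contains."""
    sql = "SELECT COUNT(*) FROM customers WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0


def demo():
    """Run both versions against a legitimate login, a wrong password and the
    textbook tautology input; returns the four outcomes for inspection."""
    conn = make_db()
    legit = ("alice", "hash-of-alice-pw")
    wrong = ("alice", "wrong-hash")
    # Constructed hostile input: in the concatenated query it yields
    #   ... AND password_hash = 'x' OR '1'='1'
    # which is true for every row; in the parameterized query it is just a
    # literal string that matches nothing.
    hostile = ("alice", "x' OR '1'='1")
    return {
        "vulnerable_legit": login_vulnerable(conn, *legit),
        "vulnerable_wrong": login_vulnerable(conn, *wrong),
        "vulnerable_hostile": login_vulnerable(conn, *hostile),
        "parameterized_legit": login_parameterized(conn, *legit),
        "parameterized_wrong": login_parameterized(conn, *wrong),
        "parameterized_hostile": login_parameterized(conn, *hostile),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

The point for the business owner reading this: the firewall sees exactly the same HTTPS request in both cases, so nothing on the network side can tell the two versions apart. Only the way the application was written decides whether the ordering field or login form is a feature or an attack surface.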

Like snowflakes, no two websites are the same, and they do change over time (I know, websites don’t melt). There is no obvious web application security equivalent of a ‘firewall and locks on the doors’ solution; a custom-built website presents hundreds, if not thousands, of attack surfaces, each of which needs to be considered during its development.

Keeping Your Baby Safe

Buckling your kids in is fairly simple – seat belts are pretty universal no matter the kid or the car. It’s the same with network security. On the other hand, giving kids freedom while still protecting them from the many threats that we cannot control is something that must be addressed on a case-by-case basis. Just as not every kid should be allowed in an Internet chat room, not every web application needs the same security measures. Make sure you are taking the appropriate steps to protect your ‘baby.’

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.