IT Pro, July/August 2010, pp. 8-9 (computer.org/ITPro)

are readily available; rather, it's the product of the management mind-set. Even managers with websites that are considered to be at greater risk of attack—such as financial, government, and e-commerce sites—simply aren't putting enough controls into their design, development, and operational processes to avoid serious security incidents that originate at the application layer.

Uninformed Risk Analysis

Resistance to proactively implementing application-layer security often stems from the perceived expense of the process and the fact that many decision makers view risk as a natural part of doing business. The traditional choices are to avoid, reduce, transfer, or accept the identified risk.

But if risk identification is unreliable, then the decision makers aren't sufficiently informed to make such choices. For example, one highly significant cost that tends to be overlooked is the potential reputation loss from a security incident.

Another commonly unforeseen factor is that the victims of an attack can extend well beyond the organizational boundary. For example, attackers can steal customer data and use it for fraudulent purposes (as in identity theft). In other scenarios, they can subvert the application to carry out phishing or other attacks on unrelated third parties (as in malware distribution). Informed risk analysis therefore must involve a mechanism not only to detect vulnerabilities but also to accurately determine who or what the actual targets of attacks might be and to more accurately forecast potential losses if such attacks occur.

This short-sightedness is rooted in a larger problem that some have called a failure of imagination. Managers accept their incomplete security assessment because they believe that the risk associated with compromise will be minimal. Unfortunately, they can't see that they've failed to imagine the full extent of potential problems. Consequently, they're reluctant to invest in measures beyond scanning, which provides only minimal vulnerability detection.

Regardless of the decision makers' beliefs or level of awareness, the organizations they represent clearly have a responsibility for the information systems under their control. This idea is paramount in compliance legislation such as the Sarbanes-Oxley Act of 2002 (www.soxlaw.com), the Health Insurance Portability and Accountability Act (www.hhs.gov/ocr/privacy), and the Federal Information Security Management Act of 2002 (http://csrc.nist.gov/groups/SMA/fisma). More generally, it falls within the IT community's expected norms of behavior, which apply to every organization—whatever the nature of its Web applications or underlying business.

The details of how to address application risk will ultimately depend on the organization's business requirements and the amount of risk it's comfortable with. However, any website could be vulnerable to attack. An organization shouldn't assume that its website is exempt because it doesn't process financial transactions or store personally identifiable information. Attackers have countless reasons for compromising an asset. They might use the asset as a foot in the door for a deeper attack or simply as a mechanism for distributing malware.

Reversing the Trend

At the heart of ineffective Web-application security is a fundamental misunderstanding of available controls and which layers of the Open Systems Interconnection (OSI) protocol stack they protect.

Understand the Application Layer

The first step in reversing the trend of compromised websites is to understand why controls that operate below the application layer can't protect the application.

The OSI layers operate independently, so if an attacker exploits a weakness in software running at layer 7, controls intended to secure the system's lower layers won't prevent the attack. Thus, a packet-filtering firewall at layer 3 won't prevent an attack targeting a publicly available Web application: to the firewall, an HTTP request carrying a malicious parameter is just a well-formed connection to a port the rules must allow. Nor will a vulnerability scanner configured to find weaknesses at lower layers effectively identify problems at higher layers.

Become Proactive

The second step is to become proactive instead of reactive, which means performing a vulnerability assessment at the application layer to identify problems.

The recommended approach is to bring in a neutral third party specifically trained in securing Web applications. However, even a simple assessment or an automated scan against a reliable checklist of the most common vulnerabilities is better than nothing. This will help identify problem areas so staff can describe each problem's potential impact and recommend a mitigation strategy.

Realistic expectations are also important. At most, an assessment can provide insights into the problem areas and the effort required to address them; nothing will completely attack-proof a site. However, a policy for periodically assessing an application's security can find and remove vulnerabilities before they become security incidents.

Use the Standards

The third step is to implement readily available standards, guidelines, and best practices. With the amount of guidance available in standards documents, organizations have little excuse not to conduct at least a cursory check for application vulnerabilities.

Several software vendors sell automated application-layer vulnerability scanners (for a list of vulnerabilities, see the Open Web Application Security Project's Top Ten Issue List at www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).

Managers are naturally attracted to such solutions because automation is a straightforward and easily understood concept. Automated tools can be an integral part of an overall security-assessment process, but they can't replace the experience of a trained eye; an expert can assess and qualify risks that tools can't. Managers tempted to adopt a scanner-only approach should think again—security is a process, not a product.

Implementation Choices

Organizations have two choices when implementing Web-application security: bolt security onto a completed application or design it in from the beginning.

Bolting On

Any security mechanism added to a completed Web application is a compensating control. Neglect aside, there can be other reasons why bolting on security is an organization's only choice. For example, if an organization purchases a closed-source commercial-off-the-shelf product whose vendor subsequently folds, then it might have no other way to mitigate a newly found vulnerability in the product. In this case, the organization could bolt on an intrusion-prevention system to inspect packets at the application layer.

Although no such measure can replace proactive and periodic security assessments, if implemented properly, the control can improve the application's overall security posture. We advise bolting additional layers of security onto an application that incorporated security from the very first blueprints. The trick is to put the correct control in place in the right way. Security vendors often inflate their products' abilities, making it easy for managers to underestimate the full cost of the control once it's in place. For example, many managers underestimate the staff hours associated with running the tools, reviewing the results, and taking appropriate actions.

Designing In

The design-in approach aims to identify potential problem areas as early as possible—when they're far less expensive to fix—and then assist in designing them out rather than trying to patch them later.

In this more proactive approach, a security expert joins the project team at the start and actively participates during all project life-cycle stages. Early on, the expert critiques the design. Then, toward the middle of the project, the expert might perform code reviews. Finally, toward the project's end, he or she might help the team prepare for certification activities.

Cost Trade-offs

Fundamentally, security is a business decision. Fixing security vulnerabilities costs money—how much generally depends on when the issues are identified.

On the surface, incorporating security from the beginning appears to be the more expensive option, but in practice it often ends up being less costly. For most organizations engaged in Web-application development, the ideal approach is to introduce security as a separate and distinct project role and assign team members as early as possible. Security experts should participate directly throughout—from the drawing board through production.

Web-application development is a complex area with many simultaneous activities, each of which presents an opportunity to introduce exploitable vulnerabilities. The de facto security measure is to focus on nearly everything but the application itself. Here's a sobering thought for all managers responsible for Web applications: Without proactive consideration for the application's security, attackers can bypass nearly all lower-layer security controls simply by using the application in a way its developers didn't envision. The result is often the total compromise of the information system's confidentiality, integrity, or availability.

Organizations must ensure the security of their Web applications, not only to protect their investment and reputation but also to remain accountable to the applications' users. By not addressing vulnerabilities proactively and early on, organizations can leave themselves open to devastating consequences. And with guidance and expertise readily available, such a gamble would seem to be a risk not worth taking.

John R. Maguire is a manager at Noblis and a credentialed Computer Information System Security Professional. He received a BS in decision sciences and management information systems from George Mason University. Contact him at john.maguire@noblis.org.

H. Gilbert Miller is a member of IT Professional's advisory board and corporate vice president and chief technology officer at Noblis. He received a PhD in engineering and public policy from Carnegie Mellon University. Contact him at hgmiller@noblis.org.
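As an added worked example (not code from the article or its authors), the following Python script makes concrete two points from the article: the "Understand the Application Layer" point that a layer-3/4 packet filter cannot see an attack carried inside an HTTP request, and the "Bolting On" point that a compensating control such as an application-layer IPS signature catches only the patterns it knows, whereas the designed-in fix (a parameterized query) removes the weakness itself. The server address, firewall rule, IPS signatures, account table and the three HTTP requests are all constructed for this example.

```python
"""Layer-3/4 filter vs. bolted-on layer-7 signature vs. designed-in fix.
Added illustration; every host, rule, signature and request is constructed."""
import re
import sqlite3
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Hypothetical public web server (TEST-NET-3 address) listening on HTTPS.
WEB_SERVER_IP = "203.0.113.10"
WEB_SERVER_PORT = 443


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes  # the HTTP request; opaque to a layer-3/4 control


def packet_filter(pkt: Packet) -> bool:
    """Layer-3/4 rule: allow anything to the web server's HTTPS port.
    Only addresses and ports are consulted; pkt.payload is never read."""
    return pkt.dst_ip == WEB_SERVER_IP and pkt.dst_port == WEB_SERVER_PORT


def parse_request(payload: bytes) -> dict:
    """Minimal HTTP request-line parser: method, path and URL-decoded
    query parameters (first value per name)."""
    request_line = payload.split(b"\r\n", 1)[0].decode("utf-8", "replace")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"method": method, "path": parts.path, "query": query}


# Bolted-on compensating control: a constructed, deliberately small signature set.
IPS_SIGNATURES = [re.compile(r"'\s*or\s*'", re.IGNORECASE), re.compile(r"--")]


def app_layer_ips(payload: bytes) -> bool:
    """Layer-7 inspection: reject the request if any decoded query value
    matches a known-bad pattern. Returns True when the request is allowed."""
    for value in parse_request(payload)["query"].values():
        if any(sig.search(value) for sig in IPS_SIGNATURES):
            return False
    return True


def make_db() -> sqlite3.Connection:
    """In-memory table holding constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def lookup_vulnerable(db: sqlite3.Connection, username: str) -> list:
    """The layer-7 weakness: user input concatenated into the SQL statement."""
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_fixed(db: sqlite3.Connection, username: str) -> list:
    """Designed-in fix: the value is bound as a parameter, never parsed as SQL."""
    return db.execute("SELECT username, email FROM accounts WHERE username = ?",
                      (username,)).fetchall()


def evaluate(pkt: Packet) -> dict:
    """Run one request through both controls and both application versions."""
    username = parse_request(pkt.payload)["query"].get("user", "")
    db = make_db()
    return {
        "l3_filter_allows": packet_filter(pkt),
        "l7_ips_allows": app_layer_ips(pkt.payload),
        "rows_vulnerable": len(lookup_vulnerable(db, username)),
        "rows_fixed": len(lookup_fixed(db, username)),
    }


def _request(user_param: str) -> bytes:
    """Build a constructed GET request; user_param is already URL-encoded."""
    return f"GET /lookup?user={user_param} HTTP/1.1\r\nHost: www.example.com\r\n\r\n".encode()


# Constructed sample traffic from one client (TEST-NET-2 address) to the server.
BENIGN = Packet("198.51.100.7", WEB_SERVER_IP, WEB_SERVER_PORT, _request("alice"))
# Decodes to:  ' OR '1'='1   (matches the toy signature)
SIGNATURED = Packet("198.51.100.7", WEB_SERVER_IP, WEB_SERVER_PORT,
                    _request("%27%20OR%20%271%27%3D%271"))
# Decodes to:  ' OR 1=1 OR 'a'='b   (same effect, slips past the signature)
EVASIVE = Packet("198.51.100.7", WEB_SERVER_IP, WEB_SERVER_PORT,
                 _request("%27%20OR%201%3D1%20OR%20%27a%27%3D%27b"))

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("signatured", SIGNATURED), ("evasive", EVASIVE)]:
        print(name, evaluate(pkt))
```

Running the script prints one line per request. The layer-3 filter allows all three, because they share the same destination address and port; the toy IPS blocks only the request that matches its signature; the concatenated query returns every account for both injected inputs; and the parameterized query returns nothing for either, because the input is never interpreted as SQL.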