Application Vulnerabilities and Data Privacy

The convergence of regulatory compliance, high-profile data breaches, and the increased sophistication of cyber-attackers has transformed data security from an interesting IT sideline into a bottom-line, corner-office priority. Compliance and data security are now essential preventative measures for every organization. Companies looking to protect themselves from the negative consequences of a highly publicized data breach are using a combination of strategic actions, processes, and enabling technologies to protect critical data.

Prior to the creation of the Payment Card Industry Data Security Standard (PCI DSS), there was no mandate for credit card companies, retail outlets, and government agencies to protect credit card numbers. While it was reasonable to expect these organizations to take protective steps, they have not taken adequate steps to protect critical data. With the advent of PCI DSS, there is now an independent standard that mandates how organizations address data privacy and security. This mandate is forcing organizations to take the initial steps necessary to assure protection of critical data.

The PCI DSS requires all organizations globally that store, process, or transmit credit card information to demonstrate compliance. While compliance audits often leave details up to interpretation, PCI offers detailed, industry-leading requirements for application security best practices in protecting the privacy and security of customer data. If a company handles, stores, or processes credit card numbers, security measures must be in place. While still a work in progress, PCI is on the right track, as many states are considering passing data protection legislation modeled after the standard.

Discover, Prioritize, and Secure

Compliance audits typically test whether the intrusion detection system (IDS), intrusion prevention system (IPS), or firewall applications are working properly. These network-centric controls do not necessarily speak to the security of the data. A more informative and instructive evaluation should include security analysts, developers, and executives working together to understand and enumerate these issues. The investigation must look beyond the pipes that connect the applications and into the applications themselves. Buried within the millions of lines of code that can comprise an organization's backbone, undiscovered vulnerabilities lurk and continually pose a threat. According to NIST (National Institute of Standards and Technology), greater than 93 percent of reported vulnerabilities are software vulnerabilities that can expose organizations to risk of attack. Most organizations lack the resources necessary to proactively locate and remediate these threats.

Organizations need a way to analyze the software itself, allowing security risk managers and auditors to identify those threats so they can be isolated or eliminated. While examining source code can be difficult, the good news is that today's software analysis tools make the process easier than one may imagine. By shortening the time required to locate software vulnerabilities, identification and verification become manageable. By creating a system in which organizations can get actionable results in hours, not days, security analysts gain valuable insight into the location of software vulnerabilities. They can then ascertain the nature of the vulnerabilities, the risks and impacts if those vulnerabilities were exploited, and ultimately offer remediation advice to the developer. Thanks to compliance regulations such as the PCI DSS, which mandate application vulnerability scanning, often-ignored software vulnerabilities are finally becoming an area of focused attention.

By identifying and managing these risks while meeting or exceeding compliance, customer data and corporate reputations can be protected, and organizations can avoid the damage of a perfect storm.

Jack Danahy, founder and chief technology officer of Ounce Labs, is one of the industry's most prominent advocates for software security assurance. Contact Jack at 781-290-5333 or visit www.ouncelabs.com.