Welcome to SoftRoots Skip directly to: Search Box | Section Navigation | Content
Skip Navigation       Sitemap
Website Sitemap

Protecting Your Data in Today's World

Part 3 - Application Data and its Value
Secure Systems and their Architecture

Imagine the scenario where you're responsible for security on a corporate LAN, which is only connected to the Internet through several layers of hardware (routers, firewalls, and switches) all installed and configured correctly within a demilitarized zone (DMZ), which is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. The DMZ supports NAT (Network Address Translation), and a Web server which is allowed to make a connection to a database server on a secure LAN that is protected by another firewall. Most network administrators might consider this to be a fairly secure environment, and one that certainly shouldn't present any major security risks from Internet hackers. But is this the case?

Not necessarily! It may be that as a result of poor coding practices in a custom application running on the Web server, an intruder has been able to gain access to, and retrieve entire tables of sensitive business data. Why didn't the complex secure network infrastructure stop this? Simple: The attack happened on an application level, and not at the network level.

This is Part 3 of the series Protecting Your Data in Today's World. The following articles discuss related topics on how to protect your data in today's world:

The value of application data can be of significant interest to others, enough to steal for! Businesses also recognize it as one of the key factors for success in today's competitive e-business world. It's not enough for a company to just collect information. The capability to effectively access it and understand it can drive the business decision process. Externally, customer relations can be impacted by how effective the business is in serving the needs of its' customers, managing employees, projecting sales, controlling inventory, billing, and reporting.

Security in applications, whether they be Web-based or not, isn't hard to implement, but security needs to be considered as part of the overall and ongoing design, and not merely an afterthought for it to work right. Security should provide the base and direction of an application, especially a Web application; rather than be added after the development is completed.

Designers and developers of Web applications have to be careful what kind of functionality is provided to the end-user, and also the passing of user data on the command line for calls to other programs. If there are methods that can be invoked in ways not intended by the developer, a hacker will find them. A hacker will attempt to trick your application into executing commands or modifying run-time parameters by submitting data that will be interpreted as command-line switches or options in the application. By taking precautions, and with proper data validation, a Web developer can ensure that a Web application will not open the door to other network resources.

Of course, you should also avoid incorporating user data in system-related functions. Consider the situation where a Web application asks the end-user which database he or she wants to access, and what specific data to search for. A hacker would no doubt attempt to access other databases that may not be supported by the application but are supported by the Web server's connection. A hacker may also attempt to search for criteria that may of never been intended by the developer to be seen, and could possibly retrieve results such as; account names and passwords, etc. that could compromise the system as a whole. Application data can be, and usually is, sensitive information that can be exploited when in the wrong hands.

Many developers don't realize they play a vital a role in an organization's infrastructure as a critical part of the system's firewall strategy. Often, when an attack is analyzed, it is realized that the receiving application allowed the attacker to breach security; the hardware firewall merely limits an outsider's access to that application. This shows how critical it is for application security testing to be part of the overall Test Plan for any system. The integration of the application interfaces must be clean and seamless. The application interfaces are generally prone to error when tested in a thorough manner. To ensure application security and stability, it is critical that the interfaces be tested to function correctly.

Protection of application data can also be ensured by employing the digital signature technology. Database driven applications require a certain amount of application integration. It is this integration step that has been the primary technical stumbling block to the widespread use of digital signatures. PKI integration projects have proven too costly and too risky for many application owners. As a result, organizations seem to be focusing on ways to add security to applications without performing complex integrations. When we talk about protecting application data, there is a growing number of data security products that are making it easier to integrate security features such as digital signature into the applications themselves.

It may be that you already have antivirus software and hardware firewalls in place, and that they're updated regularly. You may also have a strong authentication process and employ encryption to protect sensitive data. In addition, you have invested in an intrusion-detection system, which alerts you to suspicious activity. With all these protective measures, you may feel that you're reasonably protected against fraudulent transactions and any kind of Web site defacement. However, according to many vendors of application security software, they can demonstrate and prove that it's not difficult to break into a Web site by exploiting known shortcomings in Web-related languages including HTML and the Common Gateway Interface (CGI).

In conclusion, it needs to be recognized that application development does open the door to a variety of new and different security concerns, which may have not been a problem in the security infrastructure prior to introducing the application. It's also important to realize that security risks associated with application data are potentially harmful to business interests as a security breach of an organization's network. Comprehensive testing of the application and its interfaces should be part of the Web development process to ensure security and stability of an application. In addition, sensitive data should be protected with encryption. Lastly, despite all the security protections put in place, shortcomings may still exist due to the programming practices incorporated by the developer and the nature of the programming language(s) used in the application development process.