Start Secure. Stay Secure.™

Pillars of Application Quality: Security, Functional, and Performance Testing

Are your web applications vulnerable?

Table of Contents

Introduction
Application Security Is a Quality Issue
Why Insecure Web Applications Are the Norm
The Result
Needed: A Better, More Secure Application Development Process
A Web Application Security Solution for QA
Conclusion
The Business Case for Application Security
About SPI Dynamics
Contact Information

© 2005 SPI Dynamics, Inc. All Rights Reserved. No reproduction or redistribution without written permission.

Introduction

Web application security has become an urgent need as organizations increasingly adopt the Internet for essential daily business operations. And yet, the traditional development and quality assurance (QA) cycle for building Web applications does not incorporate security into existing processes. This inability to test and remediate vulnerabilities (defects with a security implication) before an application goes into production leaves confidential data within a Web application at great risk of attack or misuse.

The losses generated by this security gap are significant and expensive: up to $60 billion annually (IDC/IBM Systems Sciences Institute). According to a Gartner Research Note dated September 10, 2003, failure to identify and repair security vulnerabilities during the software development process carries the following costs and opportunities:

- Removing a defect after software is operational can cost between two and five times as much as correcting the error within the development and QA process.
- Defect correction during code and unit tests can reduce the cost impact by an additional factor of between three and 20.
- If 50 percent of software vulnerabilities were removed prior to production use, enterprise management costs would be reduced by 75 percent.

Add increasing accountability for proof of regulatory compliance due to government and industry mandates, and the need for, and benefits from, an automated tool that integrates security into the application development process becomes clear.

Application Security Is a Quality Issue

Web-based applications have become a crucial tool for connecting businesses and customers to enterprise applications over the Internet. The range of Web applications in use is truly staggering: online storefronts, Internet banking, business-to-business exchanges, online auctions. Almost any business process can connect to the Internet through a Web application.

Many, if not most, businesses deploy Web-based technologies under the assumption that gateway security measures such as firewalls and intrusion detection and prevention systems are sufficient to protect Web applications from attack or misuse. However, insecure applications create a number of easy opportunities for malicious behavior. These vulnerabilities cannot be corrected by perimeter security point solutions: an attack on application logic arrives as ordinary HTTP requests on a port the firewall must leave open, so the perimeter has nothing to block. Once the application has moved into a production environment, only code modification can prevent these forms of denial of service or theft of private and proprietary information.

According to Gartner (2003), at least 80 percent of applications put into production through 2007 will fail due to poor quality issues. The same report states that poor quality is responsible for 80 percent of unplanned downtime. Insecure Web applications therefore carry the potential for extremely disruptive and costly losses for an organization.
Some liabilities are obvious: loss of business during a denial-of-service attack, loss of trade secrets, loss of customer confidence, and shareholder liability due to poor security practices. Other risks, primarily regulatory in nature, are only now becoming fully understood. For example, the following well-publicized regulations all emphasize the need for security, especially at the application level:

- Visa Cardholder Information Security Program (CISP): Mandates detailed requirements for online security, with a rigorous burden of proof placed on any merchant or service provider wishing to access the Visa financial services network. Failure to comply with CISP means suspension from the Visa network, a crippling blow for any company.
- California Senate Bill 1386 (SB 1386): Requires any business with operations or customers in California to meet strict standards for the protection of private customer information. A potential breach in security requires public notification of each affected individual or customer, so negative publicity is all but unavoidable. Civil and/or criminal penalties have yet to be determined.
- Sarbanes-Oxley: Mandates that senior management accept personal responsibility for reviewing all financial statements for accuracy and legal compliance. Since poor security practices make these assurances impossible to prove, public corporations are now forced to document security practices at all levels of their organizations.

Add in HIPAA (healthcare), Gramm-Leach-Bliley (banking), European Union privacy regulations and an ever-increasing number of other legislative initiatives, and the need for demonstrable, verifiable application security becomes acute.
These regulations create an environment in which organizations must prove that all reasonable measures for security are verifiable and functional. Senior management may face corporate or personal responsibility when a security incident occurs, but proof of best practices can only be established when line managers, individual programmers, and QA professionals can demonstrate their own best practices. For the first time, the application development process itself has become part of corporate governance and regulatory compliance.

In short, Web application security is now a quality issue. Higher quality applications (from a security perspective) and secure code significantly reduce threats to data confidentiality, integrity, and availability. Insecure code opens organizations to potential legal, regulatory and shareholder liability. Those individuals responsible for selecting, developing, testing, and deploying a Web application must now be prepared to help their employer answer for any lapses in security resulting from poorly written and/or inadequately tested Web applications.

Why Insecure Web Applications Are the Norm

There are several reasons why insecure Web applications find their way into the marketplace. Time-to-market pressures often shorten development and deployment schedules for Web applications, placing a heavy burden on the QA team. This economic necessity means that testing a product for security after it has passed QA is unlikely to take place, especially in the absence of automated security testing tools built specifically for QA professionals. Traditional QA best practices measure the performance and integrity of an application's features, but not its security. Security expertise, if available at all, usually resides elsewhere within the IT organization.
Those security specialists almost always focus on network and operating system security, not application development. As a result, security products and services typically focus on the needs of security administrators and IT managers. This concentration on IT infrastructure means that, from the perspective of a Web application, security addresses the symptoms of an attack, but not the root cause.

Several misconceptions perpetuate this shortcoming. First, security is considered to add time to a development process already under intense pressure to be completed sooner, with more features, at lower cost. Second, security is mistakenly thought to be difficult to teach and to measure. Third, testing tools are expected to focus only on functional and performance defects, and are assumed not to have the capability to check for code-level security defects. Developers and QA staff, therefore, have been isolated from responsibility for application security and the business risks and losses associated with poor security practices. With no incentive to implement security within the development process, the goal is simply to get a working product into production as rapidly as possible. Security becomes someone else's problem, until an incident occurs.

The Result

Lack of security within the Web application development process means that the burden of protection for an online business process shifts to the staff that deploys and secures an application. And yet, individuals in these roles are usually the ones least likely to understand the intricacies of the application and how to prevent a security incident from evolving into a serious business crisis. That is because most code-level security vulnerabilities result from common programming errors, and those errors can only be found and fixed by people who work with the code.
While it is true that the marketplace itself will uncover many application vulnerabilities over time, the marketplace is also unpredictable as to when those weaknesses will surface. Therefore, application developers and QA teams must divert attention from new products to respond to serious security flaws as they appear. This reactive posture is costly and disruptive for application development, which depends on an orderly, structured progression from application concept to delivery. In short, code-level modifications require development and QA resources, including new build and test cycles to ensure that the Web application is both functional and secure. The remediation of any defect, security or functional, after the application is operational costs an organization many times more in resources and time than if it were fixed prior to production.

No one wants to be held responsible for the performance of someone else's code. For example, the general dissatisfaction with Microsoft's application security, deserved or not, has helped fuel much of the growing interest in alternatives such as Linux. Microsoft has responded with its Trustworthy Computing initiative, making application security the bedrock for the company's future success. Web applications must follow a similar evolution.

Needed: A Better, More Secure Application Development Process

In a typical Web application development cycle, the QA team tests for functional and performance defects, then reports the results to the development team so they can correct any defects within an allotted schedule. Unfortunately, many security vulnerabilities are not detected until the application is released for production.
If the application is deployed internally, the security team that supervises IT infrastructure may uncover potential problems as they monitor networks and servers for unexpected activity. Applications produced for sale rely on customer or technical support reports to identify critical defects. Once an issue has been confirmed, the development team must make code-level changes, which diverts resources intended for new releases. QA must then test the updated code (or even the entire Web application) to ensure that those specific vulnerabilities are no longer susceptible to exploitation.

A Web Application Security Solution for QA

Unfortunately, the availability of application security testing tools is extremely limited. Existing tools such as code checkers are complex and require security and vulnerability expertise that is rarely available within QA organizations. Businesses need a simplified, cost-effective means to incorporate security expertise into development and QA processes without impacting production schedules or resources.

Currently, the only product that meets these rigorous requirements is QAInspect™ from SPI Dynamics, Inc. This innovative testing tool merges application security expertise within QA environments to produce an integrated, highly automated approach to security and application development. This easy-to-use unification of previously separate processes has built a growing legion of satisfied customers because it recognizes the following business realities:

- Web applications are complex, dynamic creations that span multiple platforms and protocols.
- Web applications by definition create a security risk because they are deliberately exposed through the network perimeter to untrusted users.
- As Web applications grow in sophistication and number, the potential for critical vulnerabilities grows far faster than discovery or patching efforts can possibly match.
- QA personnel, software testers, and developers are not security experts, and security professionals are not QA personnel, software testers, or developers.
- Web applications function in a dynamic environment. Security testing must recognize this reality and provide direction for how an application will meet user needs on an ongoing basis prior to the application's release.

QAInspect reveals exactly where and how a security error occurs. Exposures caused by the test environment can easily be separated from exposures caused by insecure code, and remediation guidance is provided for both. With QAInspect, QA professionals can maximize application quality, measure application security, and monitor performance, all within a familiar QA environment. Functional, performance and security testing are now managed through a single platform so that applications reach production with higher quality at the lowest possible cost.

QAInspect's key benefits include:

- Proactive Security Implementation: Security requirements easily integrate into an application testing plan so that security becomes a core part of the quality testing process.
- Built-In Security Expertise: Comprehensive reports provide detailed descriptions of security defects and potential business impacts, with severity, recommended fix information and links to additional reference material available for each vulnerability discovered.
- Integrated Defect Reporting: Security defects are reported like any other, so security vulnerabilities are prioritized and resolved like any performance or functional defect.
- Ease of Use: QAInspect integrates seamlessly with industry-leading QA and testing tools to add security into existing processes without requiring security expertise or additional resources.
- Best-Practices Implementation: QAInspect identifies security defects early in the application development lifecycle so they can be eliminated before release, ensuring reliable, available and secure Web applications.

By combining automated security testing with functional and performance testing within a single test environment, QAInspect delivers the industry's first and only comprehensive best-practices approach to quality management. This offering significantly reduces the risk of deploying mission-critical applications, pinpoints application bottlenecks, improves overall infrastructure performance, and standardizes both performance and security testing, especially when compared to traditional QA processes.

Figure: QAInspect is fully integrated with Mercury TestDirector.

Conclusion

"Providing a platform to assist QA testing teams during the security defect removal process and before applications reach production offers significant ROI for our organization. An integrated solution between SPI Dynamics' QAInspect and Mercury's TestDirector provides us with the ability to test, report, validate, and manage security issues as we build and deploy critical Web applications."
Edward Liebig, Global I.S. Security CISO, Manulife Financial

Web applications must be secure to fulfill their economic promise and protect organizations against liability and loss.
QAInspect delivers automated security information that QA professionals and software testers can access at any point in the application development process to identify and remediate potential security defects. This information does not require special security expertise on the part of the development or testing team. Better yet, its integration into industry-leading QA tools means that security can be built into an application from the beginning without delaying release schedules.

The benefits of functional, performance and security testing within a single development process reach across all levels of an organization. For developers, it means much less time spent on patches for existing products and more time building new products or features. QA teams gain the ability to detect and correct security flaws prior to an application's release without having to become experts in application security. The overall development cycle becomes a verifiable and defensible best-practices environment in which documentation of sound security oversight helps prove corporate regulatory compliance and defend against potential tort liability. QA regains control over a critical area of what customers consider to be an essential part of application quality. Security staff become advisors, not adversaries, within the development process.

The corporation itself benefits from QAInspect through superior, secured code that creates a greater perception of quality within the marketplace. With fewer patches, updates, or service interruptions caused by insecure code, increased customer satisfaction can be used to generate a potentially substantial competitive advantage.
Finally, and most importantly, the organization receives simplified proof of regulatory compliance and lessened exposure to corporate, executive, or shareholder liability from service interruption or breaches of security.

There is a better way to build and test Web applications. QAInspect's automated, integrated approach to application security testing is the key to this smarter, faster, better way to move essential business operations online: quickly, safely and securely.

The Business Case for Application Security

Whether a security breach is made public or confined internally, the fact that a hacker has accessed your sensitive data should be a huge concern to your company, your shareholders and, most importantly, your customers. SPI Dynamics has found that the majority of companies that are vigilant and proactive in their approach to application security are better protected. In the long run, these companies enjoy a higher return on investment for their e-business ventures.

About SPI Dynamics

SPI Dynamics, the expert in web application security assessment, provides software and services to help enterprises protect against the loss of confidential data through the web application layer. The company's flagship product line, WebInspect, assesses the security of an organization's applications and web services, the most vulnerable yet least secured component of the IT infrastructure. Since its inception, SPI Dynamics has focused exclusively on web application security. SPI Labs, the internal research group of SPI Dynamics, is recognized as the industry's foremost authority in this area.
Software developers, quality assurance professionals, corporate security auditors and security practitioners use WebInspect products throughout the application lifecycle to identify security vulnerabilities that would otherwise go undetected by traditional measures. The security assurance provided by WebInspect helps Fortune 500 companies and organizations in regulated industries, including financial services, health care and government, protect their sensitive data and comply with legal mandates and regulations regarding privacy and information security. SPI Dynamics is privately held with headquarters in Atlanta, Georgia.

Contact Information

SPI Dynamics
115 Perimeter Center Place
Suite 1100
Atlanta, GA 30346
Telephone: (678) 781-4800
Fax: (678) 781-4850
Email: info@spidynamics.com
Web: www.spidynamics.com