Start Secure. Stay Secure.™

USAID: Relief from Web Application Security Bugs

CASE STUDY

How the U.S. Agency for International Development is attaining higher levels of Web application security throughout more than 70 countries with SPI Dynamics' WebInspect™ and its Assessment Management Platform™ (AMP).

Background

Federal agencies continue to leverage the Internet and Web applications to improve the exchange of intra-government information, streamline costs, and better serve the needs of both businesses and citizens. It is estimated that federal agencies will invest about $6 billion annually on e-Government initiatives by 2009. But as with any new technology, increased reliance on Web applications and Web services means federal agencies face new types of risk.

The attacks launched against Web applications are complex, and finding Web application flaws is difficult. Traditional vulnerability scanners spot many misconfiguration errors and network vulnerabilities and can tell whether patches are up to date, but Web application attacks target the business and programming logic embedded deep inside the application - a place network scanners can't see.

Attacks against Web applications continue to increase. According to the Web Application Security Consortium (WASC), these types of attacks more than tripled from 2004 to 2005. Because of the privacy laws under which federal agencies operate - from the Privacy Act of 1974 to the E-Government Act of 2002 - the security and privacy of external Web applications and internal intranet applications is more vital than ever.

That's why Web application security is so important to Phil Heneghan, the Chief Information Security Officer (CISO) for the U.S. Agency for International Development (USAID). The independent government agency employs 8,000 people and operates field offices in more than 70 countries.
USAID's mission is to promote the aims of the nation's foreign policy by working to expand democracy and helping to improve the lives of the world's citizens. USAID fosters economic growth in poverty-stricken areas around the globe to help advance peace, stability, and developing democracies. USAID is headquartered in Washington, D.C., and like all federal agencies, it must comply with a myriad of regulations aimed at protecting the confidentiality and integrity of its information. As the agency increased its reliance on intranet and Web applications to share and exchange information around the globe, security in this area became paramount.

"WebInspect is great. It's certainly more mature, and appears more effective, than the other products that I've seen on the market. An additional driving factor for our selection of SPI Dynamics is remote access - WebInspect and AMP provide true enterprise-class access so you can drill into an application from anywhere."
Sean Wilkerson, Information Security Engineer for USAID

Web Applications: Where Privacy and Security Concerns Converge

The Federal Information Security Management Act (FISMA) requires government agencies to maintain and document an effective risk management program. This means that USAID's security team must understand the threats and vulnerabilities aimed at its infrastructure, from deep within the operating systems all the way up to the externally-facing Web applications so important to its global mission.

The House Government Reform Committee publishes FISMA grades annually that evaluate each agency's information security program. In 2005, USAID received an A+ rating for the second year in a row. These scores reveal the strength of the risk management program USAID has put in place.
That program includes continuous network vulnerability scans, layered firewall and IDS defenses, and the daily collection of data that profiles the agency's risk posture. Yet none of these defensive and proactive measures drill into the vulnerabilities that lie deep within Web applications: flaws in programming logic, unchecked inputs, and other errors that create unwanted points of entry for attack and compromise. The agency wanted to ensure that these risks didn't exist within any of its external or internal Web applications.

"The types of vulnerabilities introduced by Web applications are where standard vulnerability scanners fall short. Web application security creates a very specific need and set of challenges," says Bill Geimer, program manager for the USAID CISO.

To make matters even more challenging, many USAID overseas missions are developing and deploying their own Web applications. So, while any newly-installed application is quickly caught by USAID's review process, the agency needed a way to consistently ensure that Web application vulnerabilities wouldn't be introduced to the network. "We wanted a way to evaluate these projects, and ensure that they're uniformly and securely coded. We have missions and Web applications around the world, and we needed to make sure these apps are as secure as the rest of our infrastructure," says Geimer.

The Continuous Web Application Security Lifecycle

To evaluate these Web applications, the agency needed a comprehensive, effective, and highly-distributed scanning mechanism. Unfortunately, most Web application scanners don't provide any of those things. The agency compared 18 separate Web application vulnerability products, and "at the very beginning, SPI Dynamics and WebInspect appeared that it could prove to be the best match for us," says Sean Wilkerson, information security engineer for USAID. "We wanted to be absolutely sure that when we made our recommendation, it was thoroughly vetted and that we fulfilled our due diligence," he says.

In the end, SPI Dynamics, with its WebInspect Web application vulnerability scanner and AMP, came out on top. The market vetting process revealed that WebInspect provided the most accurate and comprehensive way to assess Web applications and Web services for vulnerabilities and related security problems. SPI Dynamics' Web application vulnerability database, SecureBase™, holds more than 4,239 unique security checks. And WebInspect, combined with AMP, provides a scalable and distributed Web application security and quality assurance platform.

The combination supplies unlimited, automated, and thorough application security assessments, while giving security and quality assurance teams a consolidated, dashboard view into an organization's Web development security risk posture and policy compliance. Because AMP makes highly-customizable distributed access possible, security groups, developers, and quality assurance teams can conduct Web application security checks from anywhere to identify, report, and remedy defects in both custom and third-party developed applications.

The installation of AMP 2.0 went smoothly, says Wilkerson. "Its features and usability provided benefits to us right out of the box," he adds. Those key benefits include secure, centralized role-based administration, granular user and object permissions, and consolidation of detailed logs and reports.

USAID's CISO team reports that WebInspect and AMP have significantly enhanced the agency's ability to manage Web application security efforts from the conception of an application and throughout its lifecycle. Today, members of USAID's development and security teams rely on WebInspect and AMP to catch and fix potential trouble spots throughout the development process. "Developers are using WebInspect regularly to verify and double check their work, while security auditors are using WebInspect to triple-check the security of an application," explains Geimer.

Those scans are clean and accurate. "We haven't had a false-positive problem. The high and critical vulnerabilities it discovers are right on - and those are what we want to find," says Wilkerson. So now, should a Web application unexpectedly arise in one of the agency's overseas missions, AMP provides a "very quick way for us to determine if there are any security vulnerabilities associated with that application," says Geimer. "Over time, this will make our developers even smarter and much more security conscious," he adds.

Information Sharing and Improved Privacy Compliance

While the initial WebInspect and AMP deployment focused on Web application security, the agency is looking for additional ways to leverage the technology. It is tailoring WebInspect to spot potentially sensitive information that could leak onto Web sites, such as Social Security numbers, and to ensure that USAID's privacy statement is present and up to date on every Web page, as required by law.

"Privacy is an increasing concern around FISMA. They're now starting to measure much more specifically and stringently in that area. We see SPI Dynamics as a great way to help improve our compliance in those areas."
Bill Geimer, Program Manager for the USAID Information System Security Officer (ISSO)

Also, the federal government is currently seeking ways to share security knowledge and best practices among agencies. "The government is now looking at possible ways to leverage one agency's expertise as a service to provide to other agencies. We're hoping that WebInspect will be a big part of what our service offering might be," says Geimer.

That's certainly good news for all, but the best news is the improved efficiency and security that WebInspect and AMP have brought to USAID's Web application development process. "The developers are excited. They love the idea of being able to so easily determine the security vulnerabilities in the applications they create, and to learn how they could code better and improve it through WebInspect," says Wilkerson.

"WebInspect has opened our eyes to the myriad of scary things that can happen with Web applications. Prior to WebInspect, we would see an application and a system from the external perspective, without an in-depth analysis, and it looked like a relatively safe or benign application. Now we know better," says Wilkerson.

"WebInspect hammers on the application. It interrogates the application. And it gives us a better understanding of what Web application vulnerabilities could threaten our security."
Sean Wilkerson, Information Security Engineer for USAID

Agency: U.S. Agency for International Development (USAID)
Scope: 70 countries
Mission: Promote the aims of the U.S., national security, democracy, and battle poverty through humanitarian aid.
Size: 8,000 employees
Operational Challenge: Distributed, effective Web application security
Solution: SPI Dynamics WebInspect; SPI Dynamics AMP

115 Perimeter Center Place, Suite 1100, Atlanta, GA 30346
Tel: 678.781.4800 | Fax: 678.781.4850 | Email: info@spidynamics.com
Copyright ©2006, SPI Dynamics Incorporated. All Rights Reserved.
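The two content checks described under "Information Sharing and Improved Privacy Compliance" (flagging Social Security numbers that leak into served pages, and confirming that every page carries a privacy statement) can be illustrated outside any scanner product. The example below is added here; it is not SPI Dynamics' or USAID's code and does not reproduce how WebInspect implements its own checks. It scans a set of HTML pages for AAA-GG-SSSS patterns, discards structurally impossible numbers (area 000, 666 or 900-999, group 00, serial 0000) and two numbers the SSA has publicly stated were never issued, scans inline script as well as visible text because both reach the browser, and checks that each page links to a privacy statement. The page contents, URLs and the `KNOWN_DUMMY_SSNS` set are constructed for illustration; crawling is out of scope, so `scan_site` takes an already-fetched `{url: html}` mapping.

```python
import re
from html.parser import HTMLParser

# Candidate SSN: AAA-GG-SSSS separated by dashes or spaces and not glued to
# other word characters. Unseparated 9-digit runs are deliberately excluded to
# keep false positives (order numbers, phone fragments) low; widen this if a
# site is known to print raw SSNs.
SSN_CANDIDATE = re.compile(r"(?<![\w-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\w-])")

# Numbers the SSA has said were never issued; they show up in sample forms and
# ads rather than as real leaks. Constructed here as a two-entry illustration.
KNOWN_DUMMY_SSNS = {"078-05-1120", "219-09-9999"}


def is_plausible_ssn(area, group, serial):
    """Reject values that cannot be a real SSN under the SSA's numbering rules."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return f"{area}-{group}-{serial}" not in KNOWN_DUMMY_SSNS


class _TextAndLinks(HTMLParser):
    """Collect all text delivered to the client (script included) and every link."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.links = []          # (href, anchor text)
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._anchor).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)   # script/style bodies arrive here too, on purpose
        if self._href is not None:
            self._anchor.append(data.strip())


def scan_page(html):
    """Return masked SSN leaks and whether a privacy-statement link is present."""
    parser = _TextAndLinks()
    parser.feed(html)
    parser.close()
    text = " ".join(parser.text)
    leaks = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            leaks.append(f"***-**-{serial}")  # never write the full number to a report
    has_privacy = any("privacy" in href.lower() or "privacy" in label.lower()
                      for href, label in parser.links)
    return {"ssn_leaks": leaks, "privacy_statement": has_privacy}


def scan_site(pages):
    """Run the checks over a {url: html} mapping of already-fetched pages."""
    return {url: scan_page(html) for url, html in pages.items()}


# Constructed sample pages: one clean, one leaking a staff SSN among decoys,
# one with a dummy SSN in text and a real-looking one hidden in inline script.
SAMPLE_PAGES = {
    "https://example.test/index.html":
        "<html><body><p>Welcome.</p><a href='/privacy.html'>Privacy Policy</a></body></html>",
    "https://example.test/staff.html":
        "<html><body><table><tr><td>Jane Doe</td><td>123-45-6789</td></tr></table>"
        "<p>Order 000-12-3456, ref 666-01-0001, group 123-00-1234, serial 123-45-0000, "
        "part 1234-56-7890</p><a href='/'>Home</a></body></html>",
    "https://example.test/forms.html":
        "<html><body><p>Sample: 078-05-1120</p><script>var x='321-54-9876';</script>"
        "<a href='/privacy.html'>Privacy</a></body></html>",
}

if __name__ == "__main__":
    for url, r in scan_site(SAMPLE_PAGES).items():
        status = "OK  " if not r["ssn_leaks"] and r["privacy_statement"] else "FAIL"
        print(f"{status} {url} leaks={r['ssn_leaks']} privacy_statement={r['privacy_statement']}")
```

Only the last four digits are kept in the finding so the report itself does not become a second copy of the leaked data. The decoys on the staff page show why the structural filter matters: without it, every dashed nine-digit token would be reported and the signal would drown in order and reference numbers.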