Start Secure. Stay Secure.™

Web Application Security and SOX Compliance
Are your web applications vulnerable?

By Caleb Sima and Kevin Beaver

Table of Contents

Background ........................................... 1
Overview of SOX ...................................... 1
Web Application Security's Ties to SOX ............... 3
Software Products That Can Help ...................... 6
Conclusion ........................................... 8
For Further Reading .................................. 9
About the Authors .................................... 9
The Business Case for Application Security ........... 10
About SPI Labs ....................................... 10
About SPI Dynamics ................................... 11

© 2005 SPI Dynamics, Inc. All Rights Reserved. No reproduction or redistribution without written permission.

Background

The financial misdeeds of various high-profile executives in recent years prompted the creation of the U.S. Sarbanes-Oxley Act of 2002 (SOX). This law focuses on corporate financial reporting and is designed to hold executives, accountants, and auditors of public corporations to higher standards. It helps create a system of checks and balances that may not have been present before, at least in some corporations.

SOX directly affects only public corporations, but there has been a trickle-down effect to private companies serving as business associates and in other related capacities. Given this, public corporations and the private companies with which they do business need to understand SOX to ensure that their daily business practices are aligned with its specific requirements.

SOX is not quite the IT-centric regulation that many make it out to be. Various business units and individuals must be involved, including the CEO, CFO, legal counsel, internal auditors, and more. However, as with other regulatory requirements, it's impossible to ignore the IT and information security underpinnings of SOX. This law affects these areas just as much as it affects corporate finance departments and independent auditors.
In fact, the information systems are where the corporate books are kept and managed, so there's no denying that IT is an essential element for corporate survival and SOX compliance.

Overview of SOX

The SOX legislation [1] falls under the umbrella of the U.S. Securities and Exchange Commission (SEC) and was enacted on July 30, 2002, under President George W. Bush. SOX differs from other recent legislation involving information security and privacy such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Instead, SOX pertains primarily to protecting financial records and helping to ensure the accuracy of financial reports, creating an indirect means for regulating corporate behavior. It applies to all U.S. public companies, foreign filers in U.S. markets, and privately held companies with public debt.

[1] U.S. Sarbanes-Oxley Act of 2002, Public Law 107-204, July 30, 2002. See http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf

SOX was not necessarily written with IT or information security in mind; however, it does contain various sections that directly affect these functions in today's corporations. This includes access and integrity controls on financial information as well as system monitoring and audit trails. These requirements are similar to common risk management processes typically present within most public corporations. The SOX regulation is relatively vague, but this is fairly typical of such a broad regulation.

Of the several dozen sections in SOX, Section 404 (Management Assessment of Internal Controls) affects IT and information security the most. The rules required by Section 404 state that an annual internal control report shall:

1. State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
2. Contain an assessment, as of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures for the issuer for financial reporting.

The SEC has defined "internal control over financial reporting" as the maintenance of records and reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of assets related to financial statements. Obviously this involves many facets of IT.

The original SOX regulation is only 66 pages in length, which can be misleading. It is critical to read and understand the law, its sanctions for non-compliance, and its subsequent amendments, guided by appropriate legal counsel.

Web Application Security's Ties to SOX

At first glance, it may be unclear how Web application security can be tied to the internal controls associated with financial reporting required by SOX. However, looking at this from a fundamental information security and controls perspective, it becomes clear that Web application security is certainly a piece of the puzzle.

In a hypothetical financial reporting situation, let's say that external auditors for a corporation find some suspicious accounting entries on the books. How did this occur? Was it intentional? Did a malicious insider or external attacker break into the system and cause this to happen? If the corporation has sound information security management practices in place to prevent application vulnerabilities, and has documentation to prove it, upper management can at least show that efforts were taken to secure the systems.
The SOX 404 internal control requirements apply to any system that processes or maintains financial data. Given that most corporate financial records are stored, accessed, and maintained in electronic format, there is a significant correlation between this information and Web applications. Both third-party financial systems and home-grown financial applications often have Web-based components. Certain components may be accessible from the Internet. Access, however, is often limited to authorized internal users. Having said that, these systems are certainly not immune from malicious attack. Study after study shows that the majority of misdeeds occur inside the network perimeter. According to the 2005 U.S. Secret Service/CERT Coordination Center/SEI Insider Threat Study: Computer Sabotage in Critical Infrastructure Sectors, 57 percent of insider attacks studied involved the exploitation of systemic vulnerabilities in applications, processes, and/or procedures. In addition, 39 percent of the exploits were carried out by relatively sophisticated attacks that involved various scripts, scanning, probing, and spoofing. Web applications are undoubtedly within this realm of abuse.

Of the three information security cornerstones (confidentiality, integrity, and availability), SOX 404 is most closely tied to integrity. Integrity involves ensuring that information is not modified or tampered with in an unauthorized fashion, whether it's in transit or at rest. The U.S. Secret Service/CERT study found that 88 percent of the insider incidents involved modification and/or deletion of data, and 65 percent involved corruption of data, issues that seriously affect information integrity.
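As an added illustration of the integrity property discussed above (example code written for this edit, not part of the whitepaper or of any SPI Dynamics product), the Python below keeps a hash-chained audit trail of who changed what and when in a ledger and verifies it, so that an unauthorized modification or deletion of a record is detected. The record fields and sample entries are constructed assumptions.

```python
import hashlib
import json

# Constructed sample ledger changes (who, what, when). The field names are an
# assumption for this example, not the schema of any real financial system.
SAMPLE_ENTRIES = [
    {"who": "jsmith", "what": "AP invoice 1042 approved, amount 12500.00", "when": "2005-03-01T09:15:00Z"},
    {"who": "mlee", "what": "GL journal 77 posted to account 4010", "when": "2005-03-01T10:02:00Z"},
    {"who": "jsmith", "what": "AP invoice 1043 approved, amount 800.00", "when": "2005-03-02T08:40:00Z"},
]
GENESIS = "0" * 64  # prev_hash of the first record; anchors the chain

def entry_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the predecessor's hash plus the canonical JSON of the entry.
    Sorted keys and compact separators make the hash depend only on content."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def build_trail(entries: list) -> list:
    """Wrap each entry in an audit record that links to the previous record."""
    trail, prev = [], GENESIS
    for entry in entries:
        h = entry_hash(prev, entry)
        trail.append({"entry": entry, "prev_hash": prev, "hash": h})
        prev = h
    return trail

def verify_trail(trail: list, expected_head: str = None) -> tuple:
    """Recompute the chain; return (True, None) or (False, index of first bad record).
    A modified entry no longer matches its stored hash; a deleted or reordered
    record breaks the prev_hash link of the record after it. Records removed
    from the end leave the chain internally consistent, so the latest hash
    (the head) should be kept out of band and passed in as expected_head.
    """
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["prev_hash"] != prev or entry_hash(prev, rec["entry"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(trail)
    return True, None

def demo() -> dict:
    """Check the intact trail and three tampered copies of it."""
    trail = build_trail(SAMPLE_ENTRIES)
    head = trail[-1]["hash"]                     # stored separately in practice
    modified = json.loads(json.dumps(trail))     # deep copy, then alter an amount
    modified[0]["entry"]["what"] = modified[0]["entry"]["what"].replace("12500.00", "125000.00")
    deleted = trail[:1] + trail[2:]              # middle record silently removed
    truncated = trail[:2]                        # last record silently removed
    return {
        "intact": verify_trail(trail, head),
        "modified": verify_trail(modified, head),
        "deleted": verify_trail(deleted, head),
        "truncated": verify_trail(truncated, head),
    }

if __name__ == "__main__":
    print(demo())
```

The check only detects tampering if the head hash (or the whole trail) is stored where the same insider cannot rewrite it, which is why the example passes it in separately.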
Most business-related Web applications involve information integrity at several levels, including database connectivity, application server logic, Web server controls, and the user application delivered via a Web browser.

In addition to information integrity, there is also a reporting component required by SOX 404 that ties into Web applications. For example, Web servers, database servers, and often the applications themselves have a logging function that creates audit trails for tracking who, what, and when. These audit trails not only provide the details necessary for system monitoring and troubleshooting but are often used in a forensics capacity to investigate attacks against Web applications. In addition, audit trails can assist with and provide documented proof that ongoing Web application security assessments and audits are taking place.

Like most information security initiatives, the SOX 404 requirements for compliance must be policy driven. This has strong ties to Web application security, considering the various policies needed in areas such as:

· User authentication
· Password management
· Access controls
· Input validation
· Exception handling
· Secure data storage and transmission
· Logging
· Monitoring and alerting
· System hardening
· Change management
· Application development
· Periodic security assessments and audits

If policies are not in place and enforced with adequate business processes and technical controls, Web applications can easily expose financial systems to danger. Beyond implementing the necessary policies and processes, it is important to focus on detecting vulnerabilities so they can be fixed before they can be publicly discovered and exploited. An information risk assessment can help with this. This type of security assessment looks at all aspects of the information security infrastructure and determines specific information threats, vulnerabilities, and risks. Analyzing Web applications that are critical front-ends to many of today's corporate financial information systems is a critical part of an overall information risk assessment. Furthermore, the ongoing audits required by SOX provide third-party validation that Web application security is where it needs to be in order to protect the integrity of financial information and reporting systems.

Software Products That Can Help

There are lots of technologies and tools that public corporations can use to support the various internal controls mandated by SOX to protect sensitive systems. The problem with relying on traditional network security products such as firewalls, intrusion detection systems, and encryption is that most Web-based attacks can still occur without being detected or responded to effectively. An ounce of prevention is worth a ton of cure in this situation; it is much better to keep the bad guys out altogether than to try to fend them off once they're inside the network. The only way to do this effectively is by performing proactive Web application vulnerability assessments from a malicious insider's or external attacker's point of view.

There are various methods and tools that can be used to assess the security controls of Web applications. The first option, manual testing, is a valuable way to find contextual vulnerabilities that only a human would reasonably be able to spot. However, testing for every possible Web application vulnerability could take weeks, months, or an indefinite amount of time if searched for manually.
That assumes the person doing the testing knows of everything to check for and can keep abreast of the latest Web application vulnerabilities. Information technology is constantly changing, and new security threats and vulnerabilities emerge practically every day. In addition, the more developers that are involved and the more complex corporate Web applications become, the harder it will be to manage existing vulnerabilities and new vulnerabilities that are yet to be discovered. It is therefore essential to have the right tools to get the job done.

Several types of commercial and open-source software tools can help Web developers, QA analysts, and security auditors find and fix Web application vulnerabilities. These tools can help determine initial risks in source code and production systems, as well as perform preventative testing during the software development lifecycle and post-deployment phases. With these tools, Web developers, QA analysts, penetration testers, and security auditors can run full, partial, or customized scans on Web applications or Web services on hosts throughout the enterprise that are associated with the financial reporting process. In addition, these tools can be used as a starting point for the creation or revision of SOX-related security standards, policies, and processes. This will help ensure that all the initial time, money, and effort spent implementing the proper SOX controls are smart investments.

When searching for Web application security software tools to help with SOX compliance, it is important to consider the following features:

· Overall ease of use
· Testing flexibility (e.g., manual stepping, automated crawling, input variations, etc.)
· Customizable security policies based on tests that need to be run
· Automatic updates for new Web vulnerabilities and application patches
· Ability to prioritize Web security vulnerabilities discovered
· Level of reporting (e.g., executive, technical, QA, etc.)
· Software platform and development languages supported
· Vendor or open source team reputation in the industry and long-term viability
· Costs related to acquiring, using, and supporting the tool

All things considered, there is no more flexible or useful way of performing security assessments and ongoing audits on Web applications to help prepare the organization for SOX compliance than by using the right software tools. The bottom line is that SOX compliance and information security are not a one-time event. Organizations must work diligently and consistently to ensure that Web application weaknesses are found and threats are defended against as quickly as possible. This can only be done effectively with minimal costs by using powerful integrated design, static analysis, and Web application vulnerability assessment tools.

Conclusion

It is critical to remember that SOX Section 404 and its requirements are just a piece of the overall puzzle; therefore, IT departments will not (and should not) control or drive all compliance initiatives. However, they can certainly help the cause by deploying technologies that automate and enforce the necessary internal controls for financial reporting systems. Achieving SOX compliance is not impossible, but there are a few key elements beyond ethical leadership that are necessary to achieve and maintain it.
Public corporations must implement the proper technical information access controls and use quality tools to ensure that information is kept secure and in the right hands. These, combined with practical security policies and processes, will go a long way toward providing benefits that not only keep corporate executives out of the hot seat with regulatory officials, but also provide business value well beyond SOX compliance.

For Further Reading

The generally accepted internal control framework for SOX compliance is published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Refer to www.coso.org for more information.

About the Authors

Caleb Sima is a co-founder of SPI Dynamics, Inc., a Web application security products company. He currently holds dual roles as CTO and director of SPI Labs, SPI Dynamics' R&D security team. Prior to co-founding SPI Dynamics, Mr. Sima worked for the elite X-Force R&D team at Internet Security Systems, and as a security engineer for S1 Corporation. He is a frequent speaker and press resource on Web application security testing methods and has contributed to various publications, including Baseline Magazine, (IN)Secure Magazine, ISSA Journal and Security Management Magazine, and has been featured in the Associated Press.

Kevin Beaver, CISSP, is an independent information security consultant, author, and speaker. He has more than 18 years of experience in IT and specializes in performing information security assessments. Mr. Beaver has written five books including "Hacking Wireless Networks For Dummies" and "Hacking For Dummies" (both by Wiley), as well as "The Definitive Guide to E-mail Management and Security" (Realtimepublishers.com) and "The Practical Guide to HIPAA Privacy and Security Compliance" (Auerbach).
DISCLAIMER: The authors have used their best efforts in the preparation of this whitepaper. The information and opinions provided herein do not constitute or substitute for legal or other professional advice. Readers should consult their own legal or other professional advisors for individualized guidance regarding the application of the SOX Act to their particular situations and in connection with other compliance-related concerns.

The Business Case for Application Security

Whether a security breach is made public or confined internally, the fact that a hacker has accessed your sensitive data should be a huge concern to your company, your shareholders and, most importantly, your customers. SPI Dynamics has found that the majority of companies that are vigilant and proactive in their approach to application security are better protected. In the long run, these companies enjoy a higher return on investment for their e-business ventures.

About SPI Labs

SPI Labs is the dedicated application security research and testing team of SPI Dynamics. Composed of some of the industry's top security experts, SPI Labs is focused specifically on researching security vulnerabilities at the Web application layer. The SPI Labs mission is to provide objective research to the security community and all organizations concerned with their security practices. SPI Dynamics uses direct research from SPI Labs to provide daily updates to WebInspect, the leading Web application security assessment software. SPI Labs engineers comply with the standards proposed by the Internet Engineering Task Force (IETF) for responsible security vulnerability disclosure. SPI Labs policies and procedures for disclosure are outlined on the SPI Dynamics web site at: http://www.spidynamics.com/spilabs.html.

About SPI Dynamics

SPI Dynamics' suite of Web application security products helps organizations build and maintain secure Web applications, preventing attacks that would otherwise go undetected by today's traditional corporate Internet security measures. The company's products enable all phases of the software development lifecycle to collaborate in order to build, test and deploy secure Web applications. SPI Dynamics' internal research and development group, SPI Labs, is widely recognized as one of the leading authorities in Web application security. Founded in 2000 by security specialists, SPI Dynamics is privately held with headquarters in Atlanta, Georgia.

SPI Dynamics
115 Perimeter Center Place
Suite 1100
Atlanta, GA 30346
Telephone: (678) 781-4800
Fax: (678) 781-4850
Email: info@spidynamics.com
Web: www.spidynamics.com