Start Secure. Stay Secure.™

Web Application Security and GLBA Compliance
Are your web applications vulnerable?

By Kevin Beaver and Caleb Sima

Table of Contents
· Introduction
· Overview of GLBA
· GLBA Compliance and Web Application Security
· Software Products That Can Help
· Conclusion
· About the Authors
· The Business Case for Application Security
· About SPI Labs
· About SPI Dynamics
· About the WebInspect Product Line
· Contact Information

© 2006 SPI Dynamics, Inc. All Rights Reserved. No reproduction or redistribution without written permission.

Introduction

In our age of increased information privacy and security requirements, organizations working in the financial industry must take action to secure their Web applications in order to protect the confidential and nonpublic information (NPI) that they store, transmit, and receive. This is not just good business practice; in the United States it is federally mandated through the Gramm-Leach-Bliley Act (GLBA). GLBA mandates, among other things, the privacy and security of NPI against the various threats and vulnerabilities associated with information management. As they relate to Web application security, the GLBA security requirements are a set of information security "best practices" that cover determining risks, implementing proper controls, and performing ongoing assessments to ensure that information is continuously protected.

Achieving GLBA compliance is not impossible, but a few key elements are necessary to achieve and maintain it. Organizations must implement the proper information access controls and possess the appropriate tools to ensure that information is kept secure. These, combined with practical security policies and processes, will go a long way toward keeping NPI secure and will also provide value well beyond GLBA compliance.
Overview of GLBA

The GLBA legislation [1], which falls under the umbrella of the U.S. Federal Trade Commission, was enacted in 1999 under President Bill Clinton. Similar to the Health Insurance Portability and Accountability Act (HIPAA) regulations in the healthcare industry, GLBA focuses on the privacy and security of NPI, which is essentially personal financial information. NPI is defined in the GLBA Financial Privacy Rule as any personally identifiable financial information, such as name, social security number, income, and other information, that meets one of the following criteria:

· Provided by a customer to a financial institution
· Results from any transaction with the consumer or any service performed for the consumer
· Otherwise obtained by the financial institution

[1] Federal Trade Commission, Standards for Safeguarding Customer Information; Final Rule. Federal Register document 16 CFR Part 314, May 23, 2002. http://www.ftc.gov/privacy/privacyinitiatives/glbact.html

GLBA specifically applies to financial institutions such as banks and brokerage firms, but it may also cover certain affiliates and service providers of these institutions. The GLBA Safeguards Rule, which is the section applicable to Web application security, recommends information security best practices. The compliance date for this rule was May 23, 2003.
The objectives, as listed in the rule itself, are as follows:

· Ensure the security and confidentiality of customer information
· Protect against any anticipated threats or hazards to the security or integrity of such information
· Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer

The Safeguards Rule is nothing more than information security best practices, but the financial organizations that fall under the scope of GLBA still have to implement it. The positive thing about the Safeguards Rule is that it is flexible and scalable, regardless of the size of the organization. Organizations that must comply with GLBA must do so now and on an ongoing basis to effectively protect NPI and avoid legal liabilities. In most cases, business associates of financial institutions must also have adequate safeguards in place to protect NPI while it is in their possession.

Securing Web Applications

From a fundamental information security and controls perspective, it is clear that Web application security is crucial to GLBA compliance. The requirements for GLBA compliance apply to any system that processes or maintains NPI. Given that most, if not all, financial records are stored, accessed, and maintained in electronic formats that often have Web-based components, there is a significant correlation between this information and Web applications. In addition, there are system monitoring components required for GLBA compliance that tie into Web applications. Web servers, database servers, and often the applications themselves have a logging function that creates audit trails for tracking who did what, and when.
These trails not only provide the details necessary for system monitoring and troubleshooting, but are also often used in a forensics capacity to investigate attacks against Web applications. Audit trails can also assist with, and provide documented proof of, the ongoing Web application security assessments and audits required to achieve GLBA compliance.

As with most information security initiatives, the requirements for GLBA compliance are policy-driven. To meet the risk assessment and management requirements, organizations doing business in the financial industry will undoubtedly need security controls in the following areas (even though these areas are not directly specified in the high-level Safeguards Rule elements):

· User authentication
· Password management
· Access controls
· Input validation
· Exception handling
· Secure data storage and transmission
· Logging
· Monitoring and alerting
· System hardening
· Change management
· Application development
· Incident response
· Business continuity
· Periodic security assessments and audits

If security policies designed to maintain GLBA compliance are not in place and enforced with adequate business processes and technical controls, Web applications can easily expose financial systems and NPI to unauthorized users.

Beyond implementing the necessary policies and processes, another important element of GLBA compliance is to focus on detecting vulnerabilities in the software lab so that they can be fixed before they are discovered and exploited in the field. An information risk assessment looks at all aspects of the information security infrastructure and determines specific information threats, vulnerabilities, and risks.
This is not only essential for determining which controls to implement, but it is also a requirement for GLBA compliance. Analyzing the Web applications that are critical front ends to many of today's financial information systems is a critical part of this assessment, and the ongoing evaluations required for GLBA compliance validate that Web application security is where it needs to be to protect the confidentiality and integrity of NPI.

Software Products That Can Help

Financial organizations and other companies that must comply with GLBA have many technological options for supporting the various internal controls needed to achieve GLBA compliance and to protect sensitive systems. However, the problem with relying on traditional network security products such as firewalls, intrusion detection systems, and encryption to ensure GLBA compliance is that most Web-based attacks can still occur without being detected or responded to effectively. Attackers can be prevented from accessing the network altogether by performing proactive Web application vulnerability assessments.

There are various methods and tools that can be used to assess the security controls of Web applications. The first option, manual testing, is a valuable way to find contextual vulnerabilities that only a human could reasonably spot. However, testing manually for every possible Web application vulnerability could take weeks, months, or an indefinite amount of time, and that assumes the person doing the testing knows everything to check for and can keep abreast of the latest Web application vulnerabilities. A variety of software tools can help application developers fulfill the testing requirements mandated by GLBA.
These tools can be used to identify initial risks in source code and production systems, as well as to perform preventative testing for GLBA compliance during the software development lifecycle and post-deployment phases. With these tools, Web developers, QA analysts, penetration testers, and security auditors can run full, partial, or customized scans on Web applications or Web services on hosts throughout the enterprise that are associated with NPI to ensure GLBA compliance. In addition, these tools can be used as a starting point for the creation or revision of the security standards, policies, and processes that are necessary for GLBA compliance. This will help ensure that all the initial time, money, and effort spent to establish GLBA compliance are smart investments.

When searching for Web application security software tools to help with GLBA compliance, it is important to consider the following features:

· Overall ease of use
· Testing flexibility (e.g., manual stepping, automated crawling, or input variations)
· Customizable security policies
· Automatic updates and application patches for new Web vulnerabilities
· Prioritization of discovered Web security vulnerabilities
· Level of reporting (e.g., executive, technical, QA)
· Support for specific software platforms and development languages
· Vendor or open source team reputation and long-term viability
· Costs related to acquiring, using, and supporting the tool

Conclusion

The bottom line is that GLBA compliance and information security are not one-time events. Organizations must work diligently and consistently to ensure that Web application weaknesses are found and threats are defended against as quickly as possible. This can only be done effectively and at minimal cost by using powerful, integrated design, static analysis, and Web application vulnerability assessment tools. There is no more flexible or useful way of performing security assessments and ongoing audits on Web applications to help prepare the organization for GLBA compliance than by using the right software tools.

It is critical to remember that the GLBA Safeguards Rule and GLBA compliance are just one piece of the overall puzzle; IT departments will not (nor should they) control or drive all GLBA compliance initiatives. However, they can certainly help the cause of GLBA compliance by deploying technologies that automate and enforce the necessary internal controls for financial information systems.

About the Authors

Kevin Beaver, CISSP, is an independent information security consultant, author, and speaker with Atlanta, GA-based Principle Logic, LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments. Mr. Beaver has written six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), The Definitive Guide to Email Management and Security (Realtimepublishers.com), and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach).

Caleb Sima is a co-founder of SPI Dynamics, a Web application security products company. He currently serves as the CTO and director of SPI Labs, SPI Dynamics' research and development security team. Prior to co-founding SPI Dynamics, Mr. Sima was a member of the elite X-Force R&D team at Internet Security Systems, and worked as a security engineer for S1 Corporation. Mr. Sima is a regular speaker and press resource on Web application security testing methods, has contributed to (IN)Secure Magazine and Baseline Magazine, and has been featured in the Associated Press.

DISCLAIMER: The authors have used their best efforts in the preparation of this whitepaper. The information and opinions provided in this whitepaper do not constitute or substitute for legal or other professional advice. Readers should consult their own legal or other professional advisors for individualized guidance regarding the application of HIPAA to their particular situations and in connection with other compliance-related concerns.

The Business Case for Application Security

Whether a security breach is made public or confined internally, the fact that a hacker has accessed your sensitive data should be a huge concern to your company, your shareholders and, most importantly, your customers. SPI Dynamics has found that the majority of companies that are vigilant and proactive in their approach to application security are better protected. In the long run, these companies enjoy a higher return on investment for their e-business ventures.

About SPI Labs

SPI Labs is the dedicated application security research and testing team of SPI Dynamics. Composed of some of the industry's top security experts, SPI Labs is focused specifically on researching security vulnerabilities at the web application layer. The SPI Labs mission is to provide objective research to the security community and all organizations concerned with their security practices. SPI Dynamics uses direct research from SPI Labs to provide daily updates to WebInspect, the leading Web application security assessment software. SPI Labs engineers comply with the standards proposed by the Internet Engineering Task Force (IETF) for responsible security vulnerability disclosure. SPI Labs policies and procedures for disclosure are outlined on the SPI Dynamics web site at http://www.spidynamics.com/spilabs.html.

About SPI Dynamics

SPI Dynamics, the expert in web application security assessment, provides software and services to help enterprises protect against the loss of confidential data through the web application layer. The company's flagship product line, WebInspect, assesses the security of an organization's applications and web services, the most vulnerable yet least secure IT infrastructure component. Since its inception, SPI Dynamics has focused exclusively on web application security. SPI Labs, the internal research group of SPI Dynamics, is recognized as the industry's foremost authority in this area. Software developers, quality assurance professionals, corporate security auditors and security practitioners use WebInspect products throughout the application lifecycle to identify security vulnerabilities that would otherwise go undetected by traditional measures. The security assurance provided by WebInspect helps Fortune 500 companies and organizations in regulated industries (including financial services, health care and government) protect their sensitive data and comply with legal mandates and regulations regarding privacy and information security. SPI Dynamics is privately held with headquarters in Atlanta, Georgia.

Contact Information

SPI Dynamics
115 Perimeter Center Place, Suite 1100
Atlanta, GA 30346
Telephone: (678) 781-4800
Fax: (678) 781-4850
Email: info@spidynamics.com
Web: www.spidynamics.com