
19 May 2009
Last week in Singapore, I watched while hackers blithely drilled into the back-end databases of a US video rental company’s website, extracting subscriber names, e-mails and telephone numbers.
The exercise took about 10 minutes and they told me they could easily find credit card numbers if they had more time.
They did this simply by using Structured Query Language (SQL), which they typed into the browser's address bar as part of the company's website URL. They told me that this language is what most computer programmers learn in their training and that anyone with this knowledge can use it to interrogate back-end databases to find out confidential information.
In other words, an enterprise's front door web page is too often an open back door into its valuable databases. Our guest hackers simply added some letters and symbols after the URL address and, by reading the information in the error pages that came back, were able to learn the names of specific tables and columns, which they then used to interrogate the database further and pull out whole tables of information.
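The three steps just described (break the query to get an error page, use the database's own catalogue to learn table names, then pull out the confidential rows) can be reproduced against a toy back end. The example below is added here and is not code from HP's demonstration or from the rental site; it assumes a hypothetical `movies`/`subscribers` schema with constructed sample rows, uses SQLite in place of the real database, and shows the vulnerable page handler beside a hardened one that binds the URL parameter as a value and hides error detail.

```python
import sqlite3

# Constructed stand-in for the rental site's back end (hypothetical schema and
# sample rows; nothing here is data from the HP demonstration).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE subscribers (id INTEGER PRIMARY KEY, name TEXT,
                                  email TEXT, phone TEXT);
        INSERT INTO movies VALUES (1, 'Example Film');
        INSERT INTO subscribers VALUES
            (1, 'Alice Example', 'alice@example.com', '555-0100');
    """)
    return conn

def vulnerable_lookup(conn, movie_id):
    """Imitates a page handler for /movie?id=<movie_id> that pastes the URL
    parameter straight into the SQL text and echoes the raw database error
    back to the visitor: the two mistakes the demonstration depended on."""
    sql = f"SELECT title FROM movies WHERE id = {movie_id}"
    try:
        return "ok", [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.Error as err:
        return "error", str(err)   # leaks parser/schema detail to the page

def safe_lookup(conn, movie_id):
    """Same lookup with the parameter bound as a value, so it can never be
    parsed as SQL, and with only a generic message returned on failure."""
    try:
        rows = conn.execute("SELECT title FROM movies WHERE id = ?",
                            (movie_id,)).fetchall()
        return "ok", [row[0] for row in rows]
    except sqlite3.Error:
        return "error", "request failed"   # detail belongs in the server log

# The three steps the article describes, as URL parameter values.
PROBE = "1'"                          # break the syntax: an error page confirms injection
LIST_TABLES = ("0 UNION ALL SELECT name FROM sqlite_master "
               "WHERE type='table'")  # learn the object names from the catalogue
DUMP_SUBSCRIBERS = ("0 UNION ALL SELECT name || ':' || email || ':' || phone "
                    "FROM subscribers")   # pull the confidential rows

def run_demo():
    """Returns what each handler gives back for a normal request and for the
    three attack strings, so the two behaviours can be compared side by side."""
    conn = build_db()
    inputs = {"normal": "1", "probe": PROBE,
              "tables": LIST_TABLES, "dump": DUMP_SUBSCRIBERS}
    return {name: (vulnerable_lookup(conn, value), safe_lookup(conn, value))
            for name, value in inputs.items()}

if __name__ == "__main__":
    for name, (vuln, safe) in run_demo().items():
        print(f"{name:7s} vulnerable={vuln!r} safe={safe!r}")
```

Against the hardened handler every attack string is treated as a movie id that matches nothing, and the probe yields no error text to read. Parameter binding is the fix; suppressing error pages only removes the attacker's feedback channel and is no substitute for it.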
The hackers were not wearing black hats; they were employees of one of the world's biggest technology companies, HP. They gave their demonstration live from Atlanta, Georgia in the US, while I spoke directly to them from Singapore over HP's Halo Telepresence system, installed in a specialised room. The exercise was also watched, or listened to, by IT officials in India and Australia.
Real-time global conference
HP organised this four-nation telepresence video conference linking cities across the globe.
These professional hackers were Billy Hoffman, manager of HP's web security research group, and Prajakta Jagdale and Matt Wood, both senior security researchers in the same group.
The point of the exercise was to show that attacking applications was the new wave of security threats to major enterprises across the world.
Network and infrastructure security are now relatively old hat, said the HP experts; the new kid on the block for hackers is application security, which means directly exploiting the many software vulnerabilities that come with the current rush to develop snazzy Web applications, all too many of which have security holes.
Security is not the major concern of Web developers, and more and more lay people are becoming Web developers because it is getting easier.
The point, say these professional hackers, is that application security now requires a whole lifecycle approach. Developers need to fix software faults much earlier in the process, and applications need to be properly tested, monitored and retested across their whole lifecycle.
Asia Pacific’s unique position
On the good news front, Hoffman said he believes countries in the Asia Pacific are in a unique position because they can leapfrog issues suffered by other major developing economies. Just like many Chinese people jumped straight to owning mobile phones, rather than having land lines first, Asia Pacific economies could adopt information security at a much faster rate.
What I took away from this fascinating planet-wide discussion was that with Web application security now a lifecycle issue and new techniques being developed daily by hackers wearing black hats, enterprises really need to put extra energy into a much broader information security strategy.
Ross O. Storey, currently the Managing Editor of Fairfax Business Media Asia, is responsible for the editorial content and production of MIS Asia, CIO Asia, Computerworld Singapore and Computerworld Malaysia magazines.


