National Webcast Initiative

Application Security

April 9, 2009

The following is a compilation of questions submitted to the presenters through the written Q and A tool during the webcast. The transcript has been edited for relevance.

Question: What testing tools or type of tools do you recommend for finding security flaws in a web-based application that you want to buy?

Answer: Use a web application vulnerability scanner or, if applicable, a source code scanner.

*********************************************

Question: Should we be concerned with online banking?

Answer: Online banking has its share of problems, but PCI, GLB and other regulations are helping these sectors.

*********************************************

Question: This applies to outsourced or insourced coding. How do we deal with off-the-shelf software?

Answer: Performing a vulnerability assessment on any software, whether it is off-the-shelf or custom, is a good idea.

*********************************************

Question: Organized crime is pouring money into developing complex tools and attacks. What are the good guys doing to counter that?

Answer: Good guys are pouring more money into research and development for countermeasures.

*********************************************

Question: Is there any way to get out of these problems such that the use of the net is secure again?

Answer: No.

*********************************************

Question: We all know the importance of writing secure code. What's the best way to get developers to agree to strengthen their code when they are hesitant to do so? How can you convince them to do so when they are worried about their code changes "breaking" the app, or the database that it interfaces with, etc.?

Answer: Employing security in the early phases of the SDLC is always helpful. This way it is not a matter of convincing anyone; it is simply part of the process.

*********************************************

Question: As cloud computing and composite application structures grow, aren't application firewalls going to lose effectiveness? What do you recommend as the first line of defense in that future architecture model?

Answer: Actually, in those cases application firewalls will be more effective, since they are sitting right on top of the application.

*********************************************

Question: With all the tools we can apply to websites, such as virus protection, firewalls etc., how do we know for sure we are indeed protected? My ISP may have security applied to their servers and I may have virus protection, but the potential is still there that we will be hacked and we won't even know when it occurs, e.g. SQL injection?

Answer: You cannot eliminate risk; you can only try to minimize it. If anyone tells you that you are 100% secure, run away from them.

*********************************************

Question: Is there any automatic testing tool for application security?

Answer: There are many tools that will help you automate the application vulnerability scan. However, we are not allowed to recommend any specific tool.

*********************************************

Question: Why don't we concentrate on getting the "best and brightest" to develop a "secure coding" CASE-tool type of code generator for generating secure applications?

Answer: There are people working on that.

*********************************************

Question: How do we manage the SaaS or Cloud Computing vendors?

Answer: One thing would be to either perform the vulnerability assessments yourself against your application, or have the cloud computing vendor do the assessment regularly and share the results with you.