White paper download

Introduction to application security


> Download our paper on Application Security.

Current state of application security

The current state of Application Security reflects the fact that security has been an afterthought. Protection of data in transit and storage was the primary concern, and cryptography successfully addressed this problem. However, the threats to applications have evolved beyond those addressable by protocols and cryptography to the software itself. This lack of security foresight has cost billions in lost revenue and now threatens the information technology infrastructure upon which the worldwide economic engine relies.

Application Security, the protection of an application against security threats, is a difficult task. Application Security must now extend beyond traditional network and data security to incorporate the need for Software Protection. The approach to Application Security must also be driven by a clear and thorough understanding of the potential threats at each point in the system or network.

Protecting applications against security threats

Application Security is the protection of an application against security threats. This is a difficult task, as the application designer or corporate security manager must incorporate defenses against every imaginable attack, whereas an attacker only has to find one vulnerability or point of attack to succeed. Past techniques of protecting applications have certainly been limited, but new technology has been developed to solve this challenging problem.

Application Security comprises Network Security, Data Security and Software Protection:

Network security

Network Security addresses external attacks generally against resources inside the firewall providing a service across a network. Network security has traditionally been addressed using firewalls, intrusion detection systems and virus scanners.

Data security

Data Security is the protection of data used locally by an application or transmitted between users and servers. Cryptography is the main solution here as it is highly effective at protecting data during transmission and storage by ensuring its integrity and confidentiality.

Software protection

Software Protection is the protection of the software, or services rendered by the software, from attacks, thereby preventing theft of intellectual property and licensed content and ensuring that the software continues to function as intended. Typically these attacks include reverse engineering, tampering, copying, and automated forms of these attacks that can be launched across the network or on a desktop by relatively unsophisticated attackers.

The network is the computer

At its simplest, an application is software that runs on hardware (e.g. a computer or network device such as a router) and manipulates data.

Applications are, in fact, significantly more complicated than this, so they have been abstracted into many layers. For the purposes of this paper, an application is not just the application layer as defined in the OSI network model. For example, applications in the Java™ programming language run on the Java Virtual Machine (JVM) platform, which runs on the operating system (OS) software, which communicates with network software (such as TCP/IP), which sends data to a router, whose software redirects the data to another server, and so on.

From an Application Security perspective, every layer must be considered an application, so security is needed in each of the layers. This is the focus of Software Protection as a critical element of Application Security.

The evolution of data security

Early networks, such as the postal system, relied on the manual delivery of messages to the intended recipient. Message integrity and confidentiality were ensured using sealed envelopes and, in some cases, primitive forms of cryptography. As electronic networks evolved, so did cryptography. New algorithms and protocols were developed, eventually to the point where direct attacks on encrypted messages are extremely rare.

The problem is that not everything can be encrypted, nor can data stay encrypted throughout the system. There are a multitude of services and middleware that can only receive and process requests if they can read the data. This means that there are various points in the system at which the data must be in clear text such that it can be read and processed. Attackers have a knack for finding the weakest link—in espionage it is usually the people. In today’s digital age, it is the software that processes the data.

A question of threat model

Whether a particular piece of software represents a risk, and to what degree, depends on the threat model. Who is the bad guy, what avenues of attack exist, and what tools are available to launch an attack? These are important, fundamental questions that help define the threat model to address, as shown in Figure 1 (included in full paper).

Network threat model

Practitioners of network security have traditionally viewed the hardware and operating system as trusted. This is a Network Threat Model, where the attacker is external and remote. An attack on the application comes via network ports; thus firewalls, which filter external packets from the untrusted world, were the first and most prevalent form of perimeter defense. Downloaded code also posed a threat, so code signing was invented to ensure the integrity of this code. Viruses and worms were other forms of attacks, so reactive defenses such as virus scanners and intrusion detection systems were implemented. However, the vulnerabilities that exist in application software that allow attacks such as viruses and worms remain a top concern.

Untrusted host threat model

Software Protection is at the other end of the threat model spectrum. In this case, the data and software must be protected against a legitimate but potentially hostile user, who has complete control over the computing platform and hence can use a wide range of tools—such as disassemblers, debuggers, and emulators—to discover vulnerabilities and implement an attack against the application. This is called the Untrusted Host Threat Model and is the realm of PC games copy protection and content protection techniques.

Cryptography was the basis of the first perimeter-type defenses created to protect data and software under the Untrusted Host Threat Model...

> Download our paper on Application Security for full text.

 
