There were quite a few interesting stories to come out of the recent Black Hat security conference in Las Vegas. If all you remember hearing about were the ejected reporters and DNS cache poisoning, then you missed a lot.
Network and infrastructure security, the conference's focus, is a vitally important issue for today's businesses, and vulnerabilities associated with running virtualized environments turned out to be a huge topic. Christopher Hoff, chief security architect at Unisys, told attendees at his presentation that many users run headlong into virtualization solutions without being fully aware of the security consequences.
Jeremiah Grossman, founder and chief technology officer at application security firm WhiteHat, gave a particularly enlightening session on enterprise security. He says that companies with even the most secure infrastructure can still fall victim to business logic flaws -- simple technology issues overlooked by QA teams and discovered by inventive people looking for ways to beat the system.
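To make the business logic point concrete, here is an added example (written for this page, not code from the article, from WhiteHat, or from any of the speakers). It models a checkout routine twice: a naive version that trusts whatever the client sends, and a hardened version that enforces the business rules on the server. The catalogue, coupon codes, function names and the abusive order are all constructed for illustration; no scanner or QA suite is implied to have found such a flaw in any real product.

```python
# Added example: a business logic flaw in a checkout routine, shown
# vulnerable and then hardened. Prices are in integer cents to avoid
# floating-point rounding. All data and names here are constructed.

CATALOGUE = {"widget": 2500, "gadget": 4000}   # server-side prices, in cents
COUPONS = {"SAVE10": 1000}                     # flat discounts, in cents


def total_vulnerable(order):
    """Naive total: every field in the request is taken at face value."""
    total = 0
    for item in order["items"]:
        # Flaw 1: the price comes from the request, not from the catalogue.
        # Flaw 2: quantity is never checked, so a negative quantity becomes
        #         a credit to the buyer.
        total += item["price"] * item["qty"]
    for code in order.get("coupons", []):
        # Flaw 3: the same coupon may be listed (and honoured) many times.
        total -= COUPONS.get(code, 0)
    return total


class OrderError(ValueError):
    """Raised when an order violates a business rule."""


def total_hardened(order, redeemed=None):
    """Hardened total: prices, quantities and coupons are all validated
    server-side. `redeemed` is the set of coupon codes already used by
    this customer and is updated on success (constructed stand-in for a
    database record)."""
    redeemed = set() if redeemed is None else redeemed
    total = 0
    for item in order["items"]:
        sku = item["sku"]
        if sku not in CATALOGUE:
            raise OrderError(f"unknown sku {sku!r}")
        qty = item["qty"]
        # Quantity must be a positive integer within a sane upper bound;
        # bool is excluded because it is a subclass of int in Python.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
            raise OrderError(f"invalid quantity {qty!r} for {sku}")
        total += CATALOGUE[sku] * qty      # any client-sent price is ignored
    seen = set()
    for code in order.get("coupons", []):
        if code not in COUPONS or code in seen or code in redeemed:
            raise OrderError(f"coupon {code!r} rejected")
        seen.add(code)
        total -= COUPONS[code]
    if total < 0:
        raise OrderError("discounts exceed order value")
    redeemed.update(seen)                  # commit coupon use only on success
    return total


if __name__ == "__main__":
    # Constructed abusive order: client-chosen price, negative quantity,
    # and a coupon stacked twice.
    abusive = {"items": [{"sku": "widget", "price": 1, "qty": -3}],
               "coupons": ["SAVE10", "SAVE10"]}
    print("vulnerable total (cents):", total_vulnerable(abusive))   # -2003
    try:
        total_hardened(abusive)
    except OrderError as exc:
        print("hardened version rejected it:", exc)
```

Nothing in the naive version is a classic injection or memory bug, which is why a QA pass that checks the happy path, and a network-layer control, both miss it; the hardened version simply refuses to let the client define price, quantity or coupon count.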
Mark Tolliver, CEO of security company Palamida, underlines the importance of looking past your hardware and making sure your business is secure from the ground up. "Network security is absolutely essential," he notes, "but it's not enough. In 2006, Gartner Group and Symantec observed that 'close to 90% of software attacks are aimed at the application layer.' So keeping bad guys out is important, but what if they are already in?"
Tolliver says that while looking ahead to circumvent potential security risks is important, it's also a good idea for businesses to ask themselves where they're already vulnerable. "Organizations have spent years and millions of dollars securing their networks. But typically they have not done that with their applications. That leaves the whole application layer vulnerable -- both to attacks from outside, as well as from inside."
Vendors like Palamida help companies comb through the thousands of lines of code they may be using to help identify security and intellectual property issues before they become problems. Inspections of this kind can also help uncover undocumented code. "Undocumented doesn't necessarily mean vulnerable. It simply means you don't know it's there. And you can't manage and secure what you don't know you have," says Tolliver.
If your business increasingly relies on Software as a Service (SaaS), in-house evaluation of your software's security is still important. Tolliver says, "In many ways it will become more critical because in the SaaS world, you are often allowing external access to key systems and data. So your internal networks and applications will need to be more secure than they are now."