Windows in Financial Services offers a monthly e-newsletter providing the latest information on Microsoft’s growing role in the finance industry.


Emerging Technology: Staying Ahead of Hackers: Web Application Security for the Insurance Industry

By Don Canning, Microsoft

With U.S. e-commerce retail sales ballooning to over $54 billion in 2006, overall e-commerce sales including B2B extending beyond a staggering $1 trillion, and over 200 million Internet users, enterprises face a mammoth problem: how to secure the applications behind these Web sites? At large enterprises, the kind to which we entrust our most confidential information, the Information Technology group may not even know how many applications they have, never mind how many are protected! How has it come to be that as Internet usage and sophistication have increased, we may be more vulnerable than ever to hackers?

While the 80s were all about desktop security, the 90s saw a major thrust toward network security as hackers had a feast with vulnerable networks. In the last two and a half decades, enterprises have spent billions of dollars protecting their desktops and networks, but very little effort has been put into securing Web applications. It’s like locking all the doors and leaving the key to the front door under a transparent mat! Web sites, by definition, are open so that customers and partners can transact business with the enterprise. You can’t shut down the Web sites, but you can do something to secure your applications.

Market dynamics are changing dramatically. Many well-known corporations have been victims of major attacks and have landed on the front page of industry publications. TJX, University of Idaho, and USDA are just a few of the many recently hacked sites. Companies are under pressure to do something about application security quickly, both to protect their brand reputation and to comply with a myriad of regulatory standards.

Financial services firms, specifically insurance companies, are opening up their Web sites to encourage customers to do more and more transactions online, both for the convenience of customers and for significant cost reduction. But this openness also brings more risk and increased exposure to attacks. The insurance sector is also on the hook for many regulations, including the Gramm-Leach-Bliley Act (GLBA), HIPAA, California’s SB 1386 and AB 1950 laws, Payment Card Industry (PCI), Sarbox, NIST, and others.

So, if it’s such a big problem, why are so many companies not doing anything about application security? Partly, it’s an education issue. Most people are still not sure what application security exactly means. For example, many companies falsely believe that network firewalls, Intrusion Detection Systems (IDS), and even SSL can protect their applications. While all of these technologies have their purpose, they do not secure the application itself: a firewall or IDS inspects traffic, and SSL encrypts it in transit, but none of them changes what the application does with the input it receives. Hackers exploit the code in the applications that provide business functionality. Organizations have to find the vulnerabilities that hackers are likely to exploit, and fix them as soon as possible.

Given that some insurance companies have hundreds of applications serving both the Web and the intranet, with extremely confidential customer and employee data flowing in both directions, the task of securing applications is not easy. But they have to start somewhere. Companies are trying various things, including internal testing, outsourced penetration testing, and Web application scanning.

Cenzic has created application security solutions for the insurance industry and other financial services companies that take a holistic approach to the problem and go through a disciplined workflow including:

  1. Using Cenzic Hailstorm’s discovery module, users can find all applications and the locations of those applications. (If you don’t know what you have, you won’t know how to secure it.)
  2. Companies can start testing with Cenzic’s simple-to-use automated solution. Just type the URL, use the preexisting templates or create custom jobs, and run the assessment.
  3. All assessment results are dynamically reported on the dashboard as actionable information, with remediation details and other risk management information.
  4. Using Cenzic’s HARM score, the industry’s only quantitative score that helps companies prioritize their applications based on the vulnerabilities found, companies can figure out which applications to focus on first.

Cenzic also offers the solution as a SaaS called ClickToSecure, which can get companies going quickly since all the assessments are done remotely by Cenzic Security Consultants. Customers get the full results on the dashboard without any hardware or software installation.

According to Gartner, “75 percent of Internet attacks are now happening through Web applications.” The Computer Crime and Security Survey found that “Over 90 percent of companies surveyed detected security breaches with over 80 percent incurring financial loss as a result.” Figures like these show that it’s time for companies to take action.
