A Fool's Choice: Features Or Security In Web Applications
New tools help developers find and fix flaws. But the strategy also must change.
Web applications that give customers, employees, and business partners access to services and information are difficult to secure and increasingly a soft target for hackers, who use a variety of techniques to probe for sensitive data. That's why those applications must be developed with an eye toward closing vulnerabilities that attackers can exploit.
Easier said than done. Businesses and their customers have fallen in love with the idea of gaining access to information and services using merely a Web browser. And developers understandably have focused more on new features they can offer users and less on ways to prevent applications from being misused. Guess.com learned this lesson the hard way a few years ago when attackers used SQL injection (supplying input containing quote characters or other SQL syntax that the application concatenates into a database query, so that the database executes the attacker's own commands rather than the developer's intended lookup) to extract customer credit-card numbers from back-end data.
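The Guess.com incident is described only in outline above, so the following is an added illustration, not code from the article or from Guess.com, of the defect class it names: a lookup that splices user input into a query beside the same lookup done with a bound parameter. The table, rows and payload are constructed for the demo; SQLite stands in for whatever database the retailer actually ran.

```python
import sqlite3

# Constructed sample data standing in for a retailer's customer table.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]

# A classic probe: the quote closes the string literal and the OR clause
# makes the WHERE condition true for every row.
PAYLOAD = "nobody' OR '1'='1"


def make_db():
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' version: query text is assembled by string concatenation,
    so any SQL syntax in `username` is parsed as part of the statement."""
    sql = ("SELECT username, card_number FROM customers "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the value is passed as a bound parameter. The driver sends the
    statement and the value separately, so the input is never parsed as SQL."""
    sql = "SELECT username, card_number FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo(username):
    """Run both lookups against a fresh database and return the two result sets."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    vulnerable, safe = demo(PAYLOAD)
    print("vulnerable lookup returned", len(vulnerable), "rows:", vulnerable)
    print("parameterized lookup returned", len(safe), "rows:", safe)
```

Run with the payload, the concatenated query hands back every card number in the table, while the parameterized query returns nothing because no customer is literally named `nobody' OR '1'='1`. Escaping quote characters by hand is the usual half-fix; binding parameters removes the whole class rather than one symptom.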
New software development kits promise to make it easier for programmers to identify potential vulnerabilities and to build applications that better manage user authentication and data encryption. What's less clear, however, is whether these tools are effective at analyzing and suggesting improvements to highly customized Web applications. Years of writing insecure Web applications can't be undone overnight, and the tools being introduced are just a start.
Watchfire Corp. last week introduced a version of its Web-application-testing software that identifies software vulnerabilities and offers suggestions related to fixing those problems. The company's AppScan 6.0 includes a redesigned user interface that lets users customize screens, prioritize vulnerability listings, and test the compliance of their apps against 31 government regulations. AppScan also is available in a developer edition, which can test Web apps written in the Borland JBuilder, IBM WebSphere, Microsoft Visual Studio .Net, and Eclipse environments.
Security Kits
Software development kits that help programmers weave in tighter security from the outset will be on a lot of wish lists in 2006. Encryption software maker 2factor LLC last week introduced Real Privacy Management SDK, designed to let companies develop applications that perform continuous mutual authentication of users and encryption of data.
Where a typical Secure Sockets Layer deployment authenticates only the server (client certificates are optional and rarely rolled out), 2factor's kit purports to authenticate and encrypt every transmission for both sender and receiver across any network, on any device. "We update the master key each time you want to communicate with the server," CEO Paul McGough says. The Real Privacy Management SDK will be available in Basic and Gateway versions beginning in February. Basic provides core authentication and API integration within applications, while Gateway provides IP socket layer and cryptographic support.
The emergence of software-development tools from 2factor and Watchfire, and competing products from Kavado Inc. and Spi Dynamics Inc., helps the security situation, but more needs to be done to change the underlying application development mind-set. "There needs to be a security policy established at the front end," says Jon Gossels, president of security consulting firm SystemExperts. "You can't 'inspect in' quality at the end of the process."
The worlds of E-commerce and E-business won't stop just because apps aren't secure. "The utility or function of the application or Web site will likely trump the overall need for security," said Jeff Forristal, lead security developer for consulting firm Neohapsis, via E-mail. And as long as the market rewards flashy capabilities over security, things aren't likely to improve.