Industry Perspective

A conversation with Samir Kapuria

SOFTWARE is quickly becoming an integral part of the security industry. Just in case you haven't heard it before, there is a convergence taking place between IT security and the physical security. Symantec Global Security Consulting experts have been in the business for decades.Call it software as a service, but what it truly means is that there is a new model for delivering security.

We took the opportunity to sit down with Samir Kapuria, principal security strategist with Symantec Global Security Consulting, to ask a few questions of how software as a service differs from traditional software.

Q. How does software as a service differ from traditional software?

A. Software as a service, sometimes referred to as SaaS, is a new model for delivering software. The traditional licensed software delivery model has required users to purchase an application and either install or download it onto their system. In contrast, the SaaS model eliminates these requirements; the application is hosted on the server of a third party and users access it on an as-needed basis over the Internet, paying on a per-usage basis. Each model has its benefits and drawbacks, and each will likely continue to persist into the future.

Q. What benefits might a user expect from using SaaS offerings?

A. Using a SaaS offering obviates the need for a user to have the technology infrastructure in place to support an application. SaaS eliminates the space and memory requirements associated with software that uses the traditional licensed software delivery model. In many cases, using a SaaS offering also can dramatically reduce the expense of buying and using a new application. With SaaS, customers pay only for what they use.

Q. Are there security concerns associated with SaaS?

A. The SaaS model introduces security concerns for SaaS providers, as well as for enterprises and consumers who use a SaaS offering.

The SaaS model provides a more direct path to the expansive pools of information customers save on the provider's site. These information stores are an attractive target for hackers because they enable an attacker to get to large amounts of sensitive information in one centralized location with less effort than if the information were stored on customers? own individual hard drives.

What's more, because SaaS offerings rely on a Web browser to access the application over the Internet, a SaaS offering is susceptible to hackers who exploit Web browser vulnerabilities in order to propagate spyware or adware, or to circumvent perimeter security devices and reach sensitive data.

Vulnerabilities in Web-based applications, such as SaaS offerings, also represent a security concern. Advances in Web-based application development provide a rich set of capabilities, allowing more people to develop such programs in a shorter period of time. But, application developers may not be adequately trained to incorporate security into the programs they develop. Cross-site scripting attacks may exploit these vulnerabilities, thereby enabling hackers to hijack user accounts and access confidential information. Inadequate security checks in Web-based applications also may make associated databases susceptible to unauthorized access.

Q. Are certain types of SaaS offerings more vulnerable than others?

A. No, although some SaaS applications are more attractive targets than others. Information-rich applications are likely at the greatest risk. These include applications such as accounting, hosted messaging, and enterprise resource planning, human resources and customer relationship management.

Q. Does current Internet threat activity indicate that SaaS offerings might be at risk?

A. Yes, according to the latest Symantec Internet Security Threat Report, which provides a six-month update of Internet threat activity. The most recent report covers the six-month period from July 1 to Dec. 31, 2005.

The report confirmed that hackers are currently motivated more by profit than by notoriety, as evidenced in part by the large percentage of malicious code samples that threatened confidential information. Attackers often attempt to perpetrate criminal acts such as identity theft, extortion and fraud for financial gain. As mentioned before, the large volumes of sensitive customer data that SaaS providers store represent a potentially lucrative target of attack.

There also are more software vulnerabilities than ever before. During 2005, a total of 3,767 vulnerabilities were documented, compared to 2,691 in 2004. The growth in the number of vulnerabilities over the past year has been driven primarily by an increase in the discovery and disclosure of vulnerabilities in Web applications.

Sixty-nine percent of the vulnerabilities documented by Symantec in the second half of 2005 affected Web applications. This increase reflects the shift toward the Internet as a platform for applications. Many applications that were once standalone software suites or client-server solutions are now being implemented as Web applications. This has opened the door to new classes of attacks against these new implementations.

Vulnerabilities in Web browsers also have become more prominent. Between July and December 2005, Symantec documented 24 new vendor-confirmed and non-vendor-confirmed vulnerabilities that affected at least one version of Microsoft Internet Explorer. the average Internet Explorer vulnerability also was rated highly severe. During the same period, Symantec documented 17 new vendor-confirmed and non-vendor-confirmed vulnerabilities affecting the Mozilla Firefox browser; the average Firefox vulnerability also was rated highly severe. A high-severity vulnerability is defined as a vulnerability that, if exploited successfully, could result in a compromise of an entire system. In almost all cases, successful exploitation can result in a complete loss of confidentiality, integrity and availability of data stored on or transmitted across the system.

Q. Does perimeter protection make SaaS more secure?

A. Protecting the network perimeter through firewalls, intrusion detection systems and monitoring systems is effective in a traditional IT network environment. But applications that rely on the Internet deliberately allow all Internet users to access the application, making firewalls and other perimeter protection tactics ineffective.

Q. How can SaaS providers, enterprises and consumers make SaaS activity more secure?

A. SaaS providers must ensure that security is an integral part of the entire application development lifecycle. Enterprises must audit their systems to ensure that no vulnerable Web applications are being hosted in their SaaS environment and keep patch levels of applicable software up to date. They also must enforce strong identification, authentication, authorization, accountability and privacy controls. Enterprises that host their own SaaS offering also can leverage virtual private networks, encryption, network security tools and other mechanisms to address security concerns.

Even though the security of consumers' information in a SaaS model is dependent upon the SaaS provider rather than the customer, consumers can help protect their SaaS activity by keeping their Web browser software and their operating systems up to date with the latest patches.

Featured

  • Secure Your Home During the Holidays

    The most wonderful time of the year can easily transform into a nightmare. Being vigilant, while still enjoying the holiday season, is possible. The holiday season is the perfect time to start implementing security measures to protect one’s home and ensure security while out and about. Read Now

  • Five Cybersecurity Trends Predictions for 2024

    According to Cybersixgill, threat research experts, AI’s evolution will continually improve both organizations’ cyber defense efforts and cybercriminal activities. At the same time, increasingly complex regulatory requirements, continued consolidation of cybersecurity tools, a widening attack surface, and heightened global geopolitical issues will all play a significant role in driving the direction of cybersecurity. Read Now

  • AI on the Edge

    Discussions about the merits (or misgivings) around AI (artificial intelligence) are everywhere. In fact, you’d be hard-pressed to find an article or product literature without mention of it in our industry. If you’re not using AI by now in some capacity, congratulations may be in order since most people are using it in some form daily even without realizing it. Read Now

  • NSA Report Focuses on How to Protect Against Evolving Phishing Attacks

    The National Security Agency (NSA) and U.S. partners have released a new report describing the latest techniques in phishing attacks and the defenses organizations can deploy against them. Read Now

Featured Cybersecurity

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance. 3