Industry Perspective

A conversation with Samir Kapuria

SOFTWARE is quickly becoming an integral part of the security industry. Just in case you haven't heard it before, there is a convergence taking place between IT security and the physical security. Symantec Global Security Consulting experts have been in the business for decades.Call it software as a service, but what it truly means is that there is a new model for delivering security.

We took the opportunity to sit down with Samir Kapuria, principal security strategist with Symantec Global Security Consulting, to ask a few questions of how software as a service differs from traditional software.

Q. How does software as a service differ from traditional software?

A. Software as a service, sometimes referred to as SaaS, is a new model for delivering software. The traditional licensed software delivery model has required users to purchase an application and either install or download it onto their system. In contrast, the SaaS model eliminates these requirements; the application is hosted on the server of a third party and users access it on an as-needed basis over the Internet, paying on a per-usage basis. Each model has its benefits and drawbacks, and each will likely continue to persist into the future.

Q. What benefits might a user expect from using SaaS offerings?

A. Using a SaaS offering obviates the need for a user to have the technology infrastructure in place to support an application. SaaS eliminates the space and memory requirements associated with software that uses the traditional licensed software delivery model. In many cases, using a SaaS offering also can dramatically reduce the expense of buying and using a new application. With SaaS, customers pay only for what they use.

Q. Are there security concerns associated with SaaS?

A. The SaaS model introduces security concerns for SaaS providers, as well as for enterprises and consumers who use a SaaS offering.

The SaaS model provides a more direct path to the expansive pools of information customers save on the provider's site. These information stores are an attractive target for hackers because they enable an attacker to get to large amounts of sensitive information in one centralized location with less effort than if the information were stored on customers? own individual hard drives.

What's more, because SaaS offerings rely on a Web browser to access the application over the Internet, a SaaS offering is susceptible to hackers who exploit Web browser vulnerabilities in order to propagate spyware or adware, or to circumvent perimeter security devices and reach sensitive data.

Vulnerabilities in Web-based applications, such as SaaS offerings, also represent a security concern. Advances in Web-based application development provide a rich set of capabilities, allowing more people to develop such programs in a shorter period of time. But, application developers may not be adequately trained to incorporate security into the programs they develop. Cross-site scripting attacks may exploit these vulnerabilities, thereby enabling hackers to hijack user accounts and access confidential information. Inadequate security checks in Web-based applications also may make associated databases susceptible to unauthorized access.

Q. Are certain types of SaaS offerings more vulnerable than others?

A. No, although some SaaS applications are more attractive targets than others. Information-rich applications are likely at the greatest risk. These include applications such as accounting, hosted messaging, and enterprise resource planning, human resources and customer relationship management.

Q. Does current Internet threat activity indicate that SaaS offerings might be at risk?

A. Yes, according to the latest Symantec Internet Security Threat Report, which provides a six-month update of Internet threat activity. The most recent report covers the six-month period from July 1 to Dec. 31, 2005.

The report confirmed that hackers are currently motivated more by profit than by notoriety, as evidenced in part by the large percentage of malicious code samples that threatened confidential information. Attackers often attempt to perpetrate criminal acts such as identity theft, extortion and fraud for financial gain. As mentioned before, the large volumes of sensitive customer data that SaaS providers store represent a potentially lucrative target of attack.

There also are more software vulnerabilities than ever before. During 2005, a total of 3,767 vulnerabilities were documented, compared to 2,691 in 2004. The growth in the number of vulnerabilities over the past year has been driven primarily by an increase in the discovery and disclosure of vulnerabilities in Web applications.

Sixty-nine percent of the vulnerabilities documented by Symantec in the second half of 2005 affected Web applications. This increase reflects the shift toward the Internet as a platform for applications. Many applications that were once standalone software suites or client-server solutions are now being implemented as Web applications. This has opened the door to new classes of attacks against these new implementations.

Vulnerabilities in Web browsers also have become more prominent. Between July and December 2005, Symantec documented 24 new vendor-confirmed and non-vendor-confirmed vulnerabilities that affected at least one version of Microsoft Internet Explorer. the average Internet Explorer vulnerability also was rated highly severe. During the same period, Symantec documented 17 new vendor-confirmed and non-vendor-confirmed vulnerabilities affecting the Mozilla Firefox browser; the average Firefox vulnerability also was rated highly severe. A high-severity vulnerability is defined as a vulnerability that, if exploited successfully, could result in a compromise of an entire system. In almost all cases, successful exploitation can result in a complete loss of confidentiality, integrity and availability of data stored on or transmitted across the system.

Q. Does perimeter protection make SaaS more secure?

A. Protecting the network perimeter through firewalls, intrusion detection systems and monitoring systems is effective in a traditional IT network environment. But applications that rely on the Internet deliberately allow all Internet users to access the application, making firewalls and other perimeter protection tactics ineffective.

Q. How can SaaS providers, enterprises and consumers make SaaS activity more secure?

A. SaaS providers must ensure that security is an integral part of the entire application development lifecycle. Enterprises must audit their systems to ensure that no vulnerable Web applications are being hosted in their SaaS environment and keep patch levels of applicable software up to date. They also must enforce strong identification, authentication, authorization, accountability and privacy controls. Enterprises that host their own SaaS offering also can leverage virtual private networks, encryption, network security tools and other mechanisms to address security concerns.

Even though the security of consumers' information in a SaaS model is dependent upon the SaaS provider rather than the customer, consumers can help protect their SaaS activity by keeping their Web browser software and their operating systems up to date with the latest patches.

Featured

  • Report Shows Cybercriminals Continue Pivot to Stealthier Tactics

    IBM recently released the 2025 X-Force Threat Intelligence Index highlighting that cybercriminals continued to pivot to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined. IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks. Read Now

  • 2025 Security LeadHER Conference Program Announced

    ASIS International and the Security Industry Association (SIA) – the leading membership associations for the security industry – have announced details for the 2025 Security LeadHER conference, a special event dedicated to advancing, connecting and empowering women in the security profession. The third annual Security LeadHER conference will be held Monday, June 9 – Tuesday, June 10, 2025, at the Detroit Marriott Renaissance Center in Detroit, Michigan. This carefully crafted program represents a comprehensive professional development opportunity for women in security this year. To view the full lineup at this year’s event, please visit securityleadher.org. Read Now

    • Industry Events
  • Report: 82 Percent of Phishing Emails Used AI

    KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, today launched its Phishing Threat Trend Report, detailing key trends, new data, and threat intelligence insights surrounding phishing threats targeting organizations at the start of 2025. Read Now

  • NRF Supports Federal Bill to Thwart Retail Crime

    The National Retail Federation recently announced its support for the Combating Organized Retail Crime Act of 2025. The act was introduced by Chairman Chuck Grassley, R-Iowa, Senator Catherine Cortez Masto, D-Nev., and Representative Dave Joyce, R-Ohio. Read Now

  • ISC West 2025 Brings Almost 29,000 Industry Professionals to Las Vegas

    ISC West 2025, organized by RX and in collaboration with the Security Industry Association, concluded at the Venetian Expo in Las Vegas last week. The nation’s leading comprehensive and converged security event attracted nearly 29,000 industry professionals and left a lasting impression on the global security community. Over five action-packed days, ISC West welcomed more than 19,000 attendees and featured 750 exhibiting brands. Read Now

    • Industry Events
    • ISC West

New Products

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance.

  • Hanwha QNO-7012R

    Hanwha QNO-7012R

    The Q Series cameras are equipped with an Open Platform chipset for easy and seamless integration with third-party systems and solutions, and analog video output (CVBS) support for easy camera positioning during installation. A suite of on-board intelligent video analytics covers tampering, directional/virtual line detection, defocus detection, enter/exit, and motion detection.

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities