Feds Focus on Web App Security

Security-conscious federal agencies look to lock down the growing number of mobile web apps.

The Census Bureau has moved many of its applications to the web. And like most agencies, Census experiences the growing pains and security concerns that go along with that evolution.

“With web-based apps, we have become more concerned about how we are coding the applications, because that seems to be a target for attackers,” says Timothy Ruland, the agency’s chief information security officer. “We’re also concerned about mobile devices accessing the web-based applications.”

The National Nuclear Security Administration (NNSA), with its focus on research, development and security, also builds and hosts many web-based applications. In fact, Travis Howerton, the agency’s chief technology officer, was first hired at the agency in 2002 as a web application developer, making NNSA one of the most aggressive in adopting the web application model.

Howerton and Anil Karmel, NNSA’s management and operations chief technology officer, are understandably concerned about web application security.

“Being that we are primarily research-based, we tend to take a cutting-edge approach to security in our enterprise, given the mission of our agency. It is imperative that we employ the correct tools and approaches to ensure that our apps are secure,” Karmel says.

Top Priority

86%
The percentage of web applications that are vulnerable to an injection attack, where internal databases are accessed through a website

SOURCE: 2011 Top Cyber Security Risks Report (HP)

Jeff Wilson, principal analyst with Infonetics Research, says there are many reasons why agencies should make securing web applications a top priority. Mobile versions of web apps are yet another stream of code that must be maintained, managed and checked for vulnerabilities.

“Custom code, or simply poor coding that leaves vulnerabilities in the code during development, can cause real security problems,” Wilson says.

“If you have the right tools and can get at the code to fix the problems, you’ll be in pretty good shape. But if you don’t have access to the code because the application was outsourced or built on a platform where you are at the mercy of the platform developer, it’s more difficult to find and fix vulnerabilities,” he adds.

At Census, web application security is multifaceted. The first step includes educating programmers about potential threats and ways to review code. One tool the programmers use to help with that task is HP’s WebInspect, a web application security assessment program.

As CISO, Ruland has also led the development of security configuration baselines at Census for mobile devices that can be used for agency business. To help control those devices, Census has implemented a mobile device management system from Sybase Afaria.

But some of the most important strategies don’t involve technology at all.

“The most important things are education and collaboration,” says Stephen Moore, chief of the Application Services Division at Census. “In the past year, my staff and Tim’s staff have begun to collaborate and communicate more, and we’re getting the other areas involved as well.”

NNSA’s Howerton agrees that web application security processes are every bit as important as the technology.

“We make sure that all development uses managed frameworks, separates duties in the code base, separates the presentation tier from the data tier, and uses parameter-based queries to prevent SQL injection–type attacks on the front end,” he explains.
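The two practices the article mentions, educating programmers on ways to review code and using parameter-based queries to stop SQL injection, can be shown side by side. The following is an added example written for this page; it is not code from the article, Census, or NNSA. It uses Python’s standard-library `sqlite3` module with a constructed in-memory `users` table, a deliberately vulnerable lookup built by string formatting next to its parameterized form, and a small `ast`-based review check (hypothetical helper name `find_string_built_queries`) that flags `execute` calls whose SQL text is assembled from user input.

```python
import ast
import sqlite3


def make_db():
    """Constructed sample data for the demonstration; not real agency data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "analyst")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the SQL text with string formatting: the input becomes part of
    the statement, so a quote in the input changes the query's meaning."""
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Binds the input to a placeholder: the driver sends it as a value and
    the database never parses it as SQL, whatever characters it contains."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def find_string_built_queries(source):
    """Code-review helper (hypothetical): return line numbers of execute /
    executemany calls whose first argument is built with %, +, .format()
    or an f-string rather than passed as a literal with placeholders."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        sql = node.args[0]
        built = (
            isinstance(sql, ast.JoinedStr)
            or (isinstance(sql, ast.BinOp) and isinstance(sql.op, (ast.Mod, ast.Add)))
            or (isinstance(sql, ast.Call)
                and isinstance(sql.func, ast.Attribute)
                and sql.func.attr == "format")
        )
        if built:
            findings.append(node.lineno)
    return findings


# Constructed snippet for the review check: two string-built queries and one
# correctly parameterized query.
REVIEW_SAMPLE = '''
conn.execute("SELECT * FROM users WHERE username = '%s'" % name)
conn.execute(f"SELECT * FROM users WHERE id = {uid}")
conn.execute("SELECT * FROM users WHERE username = ?", (name,))
'''


def demo():
    """Run both lookups against a normal name and a constructed tautology
    input, and run the review check over REVIEW_SAMPLE."""
    conn = make_db()
    normal = "bob"
    tautology = "x' OR '1'='1"  # constructed test input
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "parameterized_normal": lookup_parameterized(conn, normal),
        "parameterized_tautology": lookup_parameterized(conn, tautology),
        "review_findings": find_string_built_queries(REVIEW_SAMPLE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the tautology input the string-built lookup returns every row in the table, while the parameterized lookup returns none, because the placeholder value is compared literally against `username`. The review helper flags lines 2 and 3 of the sample and leaves the placeholder form alone; a check like this is cheap to run in code review or CI alongside a scanner such as the one the article names.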

NNSA also employs the latest web application security technology. In addition to using load balancers for packet inspection, NNSA uses a combination of penetration testing tools to both internally and externally validate the applications for production. The agency also employs web application firewalls, products that Howerton says are getting smarter all the time.

“We’re starting to see tools that will go through your source code or your compiled executable code and figure out how to exploit it dynamically, and then create automatic application firewall rules that then feed their product to protect your specific application from the specific vulnerabilities they face,” he says.

Jun 19 2012