If organizations want to protect their data and avoid embarrassing data breaches, they need to shift their focus from the network to software security, especially source code and web-based applications. That was the warning users and security experts issued last night at a cyber-crime symposium here.
"We need to start using different tools to fight the enemy," said Ted Schlein, a partner at the venture capital firm Kleiner Perkins Caufield & Byers, in a panel discussion, warning that "your network administrator may not be able to solve this problem; you need to have engineers join in. This is the whole way to protect your back-end storage."
In the past few years, most companies have spent their resources on perimeter security, while hackers have increasingly targeted vulnerabilities in web-based applications as a way to steal sensitive data from databases and back-end storage systems, according to the venture capitalist.
"Data loss costs the country 180 billion to 200 billion dollars a year," he said. Perimeter defenses such as firewalls can easily be bypassed by cyber criminals: "It's asymmetrical rules and architecture. Corporate IT can't keep up with the threat because data security is in the hands of network operators."
The New York-based Depository Trust & Clearing Corporation (DTCC), which provides clearing and settlement services for the financial sector, is also taking steps to address the challenge.
"We have a 'super developer' team on security," explains James Routh, the company's chief information security officer. "We provide a lot of support for this team."
Typical techniques hackers use in software-based attacks include cross-site scripting and SQL injection, which give these criminals access to other people's login information through vulnerabilities in the application's source code.
Brian Holyfield, a network security expert at Gotham Digital Science who tests enterprise IT architectures for vulnerabilities, agrees that web-based applications do have fatal weaknesses.
"This is a major threat," he said. "When we do penetration tests for our customers, 80% of the time we get in through these apps, so you have to assume that real hackers are taking advantage of that 80% probability."
DTCC addresses this problem by running about nine different testing products on its software source code. These include AppDetective from Application Security (for checking database vulnerabilities) and a tool from WhiteHat (for scanning web applications).
"We started this work three years ago because trends in data threats showed that applications are attacked more often than network boundaries," Routh explains. "For packaged software, we ask vendors to provide static code analysis, dynamic code analysis, and manual code analysis."
"Dynamic code" refers to software code that has been completed and is running, while "static code" refers to software code that is still in the beta phase. Routh says DTCC also uses a service called Veracode to scan large amounts of code and uncover vulnerabilities.
Schlein, the Kleiner Perkins partner, who has invested in Fortify Software, says responsibility for software security needs to be shared by both software makers and users. "Most of the software in the world is not from software vendors, but from Fortune 1000 companies," he said.
While the U.S. federal government applies publicly standardized security requirements, Schlein said Washington needs to set a better example on source code. "I think a bill is needed ordering the federal government not to buy software from third parties, or to develop software, that has not been security reviewed," he explains.