COLUMBIA, S.C. – As internal systems become more open and Web services move ever more terabytes of sensitive data back and forth through cyberspace, application security is a term credit union managers are hearing bandied about more and more. But what is it?

Definitions vary a bit, but Niels Taylor, director for CUDefense products at PM Systems Corp. (www.pmsyscorp.com) in Chapin, S.C., summarizes it this way: "It means making sure that the applications in use at the credit union and the data they create are secure from unauthorized access."

Meanwhile, Ed Francis, president of security auditing and compliance provider CastleGarde (www.castlegarde.com) in Tampa, Fla., puts it this way: "Application security is part of the process of overall security in a properly configured, information-security focused network. It looks at the internal operations of the credit union and what program workers are using, while firewalls and IDS (intrusion detection systems) and so on are protecting the network from the perimeter, looking at files and information before they enter the organization."

And to Jeff Williams, CEO of application security specialists Aspect Security (www.aspectsecurity.com) in Columbia, Md., it's a matter of code, and it matters a lot. "Application security – preventing vulnerabilities in custom applications code – is rapidly becoming the most critical security issue for many organizations," including behemoths like Microsoft, VISA and Oracle, he says in a recent white paper.

"These vulnerabilities are stunningly prevalent," Williams says. "Best estimates show that on average there are more than two major security flaws in every 10,000 lines of code and that 97% of Web applications are susceptible to cross-site scripting attacks.

"As networks become more secure, attackers are now focusing 80% of their attacks at applications." Those applications can include core operations at a credit union.
"Any publicly available service represents a potential way into the credit union's internal systems," says Taylor at PM Systems, which provides IT security and Internet banking services to more than 150 credit unions. "For instance, if the code that creates the home banking log-on allows for a buffer overrun or for SQL injection into the log-in database, an attacker could use this vector to gain access to the credit union's home banking system," Taylor says.

"Another often overlooked issue that I think falls into this category is e-mail via the credit union's Web site," he says. Warning members not to send sensitive information through simple e-mail links is one thing, he says, but better yet, consider using an SSL-encrypted form (the same technology used to secure online credit card transactions, for instance) on the site for e-mail between members and the credit union.

Taylor also notes that his firm has seen several applications in use at credit unions that load a SQL database with a default administrator name and no password. "As long as this system is only available internally this doesn't present as big a threat as a poorly coded Web application, but still is a potential internal issue and also is indicative of many software vendors' lack of security awareness," Taylor says.

Williams at Aspect Security says circumstances may force that to change. "Over the next three to five years, software producers and organizations offering services over the Internet will be forced to demonstrate to their customers why their software should be trusted," he says.

When those customers are credit unions, they also have regulators to report to, of course, and it's up to the individual credit union to make sure its vendors are playing by the rules. "Per the NCUA ISTEP, credit unions must make sure that they request testing documentation from these providers," says Taylor at PM Systems.
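Taylor's log-on example above, SQL injection into the log-in database, is easiest to see in code. The following is an added illustration, not code from the article or from any vendor it names: a constructed in-memory SQLite table standing in for a home-banking log-in database (hypothetical schema and sample member), with a string-concatenated log-in check beside a parameterized one that also stores salted password hashes instead of plaintext.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory stand-in for a home-banking log-in database.
# Schema and the sample member "alice" are hypothetical, not from the article.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Legacy table: plaintext password, compared inside the SQL statement.
    conn.execute("CREATE TABLE legacy_members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO legacy_members VALUES ('alice', 'correct horse')")
    # Hardened table: salted PBKDF2 hash, compared in application code.
    conn.execute("CREATE TABLE members (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO members VALUES (?, ?, ?)",
                 ("alice", salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000)))
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String concatenation: the member's input becomes part of the SQL text,
    # so a quote character in either field rewrites the WHERE clause.
    sql = (f"SELECT 1 FROM legacy_members WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None

def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver passes the username as data, never as SQL,
    # and the password is verified against a salted hash in application code.
    row = conn.execute("SELECT salt, pw_hash FROM members WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # the textbook tautology entered in the log-in form
    print("vulnerable, crafted input:", login_vulnerable(db, crafted, crafted))   # True
    print("hardened, crafted input:  ", login_hardened(db, crafted, crafted))     # False
    print("hardened, real password:  ", login_hardened(db, "alice", "correct horse"))  # True
```

A code review or third-party security test of the kind Taylor says auditors will ask for would flag the first function on the concatenated SQL alone, before any test input is tried.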
"This documentation should provide general information regarding code review and testing procedures, along with any third-party application security review that's conducted," he says. "For those credit unions developing their own code in-house, they will be asked by auditors to demonstrate the testing and release procedures and may be required to have third-party security review of their applications code," Taylor says.

That means credit unions have to be able to prove that they're able to deal with the new threats that pop up continuously, including worms, viruses, denial of service attacks and hack attempts.

"Breaches happen every day. Microsoft, for example, has posted hundreds of security patches that every user must install to fix new breaches in applications and operating systems," says Francis at CastleGarde, whose company also serves more than 150 credit unions. "And with the advent of Web services, application security has reached a new pinnacle in sophistication," he says. "The applications that are running on the Web are more robust and by nature have to be more open in order for them to work."

And, internally, "the entire network is many applications working with each other. Therefore, the entire network must be addressed," Francis says. "This is a much tougher job than many years ago when all we had to do was look out for an MS Word macro."