Three trends together make up the trinity of trouble, and they are why application security is needed more now than in the past.
Connectivity
The growing connectivity of our backend systems through intranets and extranets increases both the number of attack vectors and the ease with which an attack can be made. This could put your landscape, and therefore your business operations, at greater risk. More and more computers are being connected to your networks and to the Internet, ranging from PCs and servers to systems that control critical infrastructure, such as your SAP mega solution or the Supervisory Control and Data Acquisition (SCADA) systems that run the power grid (SCADA "generally refers to an industrial control system: a computer system monitoring and controlling a process"). Furthermore, your employees and businesses are increasingly dependent on network-enabled communication such as e-mail or Web pages. Unfortunately, as these systems are connected to the Internet, they become vulnerable to software-based attacks from distant sources. In the past, software security problems have shut down worldwide businesses (banking services and airlines, as shown by the SQL Slammer worm of January 2003).
Extensibility
The second trend negatively affecting software security is the degree to which systems have become extensible. An extensible system accepts updates or extensions, sometimes referred to as mobile code, so that the functionality of the system can be evolved in an incremental fashion. For example, the plug-in architecture of web browsers makes it easy to install viewer extensions for new document types as needed.
Today's operating systems support extensibility through dynamically loadable device drivers and modules, and today's applications, such as word processors, email clients, spreadsheets, and Web browsers, support extensibility through scripting, controls, components, and applets. The advent of Web Services and Service Oriented Architecture (SOA), which are built entirely from extensible systems such as J2EE and .NET, brings explicit extensibility to the frontend. From an economic standpoint, extensible systems are attractive because they provide flexible interfaces that can be adapted through new components. Unfortunately, the very nature of extensible systems makes it hard to prevent software vulnerabilities from slipping in as unwanted extensions.
Complexity
A third trend impacting software security is the growth in size and complexity of our modern information systems, especially software systems, and therefore in the number of lines of code. Security faults are a subset of quality faults, which tend to be a function of code complexity. Simply put: more code, more bugs, more security problems.
Bayan Alhaddad,
June 19, 2004