An effective application security approach relies on several technologies. First, organisations should run a vulnerability assessment scan or penetration test at least every six months to find vulnerabilities. Penetration testing (pen testing) is fast, straightforward and relatively inexpensive. Second, code scanning products can be used to find issues as well. However, code scanning is far less practical for non-profits: development work is often outsourced, and it can take months to fix even the most urgent, high-priority vulnerability in code. Finally, non-profits should deploy a Web application firewall.
TechSoup Global purchased a Web application firewall (WAF) after the attack to complement pen testing. Where the pen test finds vulnerabilities, the WAF blocks attacks in production and alerts the security staff. Another WAF benefit soon became apparent: visibility. TechSoup Global gained unparalleled visibility into application usage and attack patterns.
Lesson 2: Knowing where your data lies and who accesses it
External attacks are only one part of the security equation. Insider threats are a serious concern as well, as is negligence on the part of employees or volunteers. Non-profits, like their for-profit peers, therefore need a firm grip on their sensitive data.
Ironically, many organisations do not know where all their sensitive information lies, or even how much of it they have. Databases are replicated for testing while still containing live sensitive data. Rogue or undocumented databases are not uncommon. And service-oriented architecture (SOA) integrations can be vast and complex, which makes the data hard to find and protect.
Because charities rely heavily on volunteers and part-time consultants, they need to know exactly where all their data resides. They also need to know who is accessing what data, and how. Databases ship with audit logging, but it is usually left switched off to avoid the performance cost. Even when it is on, a privileged user can alter the logs.
To counter these threats, charities should consider investing in a database activity monitoring solution, which provides an independent audit trail in addition to complete visibility into database access.
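The two properties called for above, knowing who ran what against which table and having an audit trail a privileged database user cannot quietly rewrite, can be illustrated in a few dozen lines. The following is an added example, not TechSoup Global's or Imperva's code: it copies every statement an SQLite connection executes into a separate record list and chains the records with SHA-256 hashes, so editing or deleting a record afterwards is detected. The `donors` table, the `card_last4` column and the actor label `dba@office-vpn` are made up for the demonstration, and the in-memory list stands in for an append-only store on a host the DBAs cannot write to.

```python
"""Tamper-evident audit trail for SQL activity, kept outside the database.

Added example. Each executed statement becomes a record; each record's hash
covers the previous record's hash, so a later edit or deletion breaks the chain.
"""
import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # value chained before the first record


def _digest(entry):
    """SHA-256 over the record's fields, excluding its own hash."""
    body = {k: entry[k] for k in ("seq", "actor", "sql", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only list of records. In a real deployment this would live on a
    monitoring host that database administrators have no write access to."""

    def __init__(self):
        self.entries = []

    def record(self, actor, sql):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "sql": sql.strip(), "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def head(self):
        """Hash of the newest record. Publish it off-host regularly: the chain
        alone cannot detect that records were cut off the end."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def who_touched(self, table):
        """(actor, statement) pairs for every statement naming the table."""
        return [(e["actor"], e["sql"]) for e in self.entries if table.lower() in e["sql"].lower()]


def verify(entries):
    """Index of the first record that breaks the chain, or -1 if it is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or _digest(e) != e["hash"]:
            return i
        prev = e["hash"]
    return -1


def monitored_connection(actor, trail):
    """In-memory database whose executed statements are mirrored into the trail.
    sqlite3's trace callback fires once per statement SQLite actually runs;
    isolation_level=None stops the module from adding its own implicit BEGIN."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.set_trace_callback(lambda stmt: trail.record(actor, stmt))
    return conn


def demo():
    trail = AuditTrail()
    conn = monitored_connection("dba@office-vpn", trail)  # constructed identity
    conn.execute("CREATE TABLE donors (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    conn.execute("INSERT INTO donors (name, card_last4) VALUES (?, ?)", ("A. Donor", "4242"))
    conn.execute("SELECT name, card_last4 FROM donors")
    conn.execute("DELETE FROM donors")
    conn.close()

    clean = verify(trail.entries)  # chain intact
    head_before = trail.head()

    # A privileged user rewrites history: the DELETE is disguised as a SELECT.
    edited = [dict(e) for e in trail.entries]
    edited[3]["sql"] = "SELECT 1"

    # Or drops the SELECT that read card data: the gap shows as a seq/prev mismatch.
    removed = [dict(e) for e in trail.entries[:2] + trail.entries[3:]]

    # Or truncates the tail: only a previously published head hash reveals this.
    truncated = [dict(e) for e in trail.entries[:3]]

    return {
        "entries": len(trail.entries),
        "touched_donors": len(trail.who_touched("donors")),
        "clean": clean,
        "edited_record": verify(edited),
        "removed_record": verify(removed),
        "truncated": verify(truncated),
        "head_changed": truncated[-1]["hash"] != head_before,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `truncated` case is the caveat a practitioner needs: a hash chain proves that nothing inside it was altered, but not that the end is where it should be, so the head hash has to be anchored somewhere the database's privileged users cannot reach (another team's log store, a write-once medium, a periodic signed export). A commercial database activity monitoring product does the same job by observing traffic on the network rather than inside the process, which also means it does not depend on the database's own audit log being enabled.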
Making the paradigm shift
Non-profits must recognise the major paradigm shift from network security to data security, and use the right tools to protect themselves accordingly. As Collins noted: "Putting in place application and database security has absolutely changed the way we manage data. First of all, we are much more comfortable. Our managers have a much higher comfort level because they know there is some protection at the application layer, and the visibility into what is going on."
Stree Naidu is Vice President, Asia Pacific and Japan for Imperva. He has over 15 years of experience in the areas of Security and Business Intelligence within the IT industry.