One recurring question we get is ‘What is an application?’, which on the surface sounds trite – after all, every one of us uses applications every day for one thing or another. Yet the initial success of a fledgling application security program often depends on answering that question. When discussing software that runs a business, development and security teams know how quickly the waters get muddied.
Consider mobile applications: there is the software that runs on your device, which often connects to more software and data resident somewhere on the web. So is that one application or two?
Similarly, most web applications have three basic tiers: a web tier for presenting the pages, an application tier for functionality and a database tier to hold the data being created and updated. Each tier consists of a combination of software the enterprise developers create, commercial off-the-shelf software and software from third parties such as open source projects or an outsourced development company. The whole website may be counted as a single application if you are running a dynamic scan; for static analysis, however, you may have to test the different components as separate applications.
Enterprise applications can be even more complex! They can include integration applications that enable developers to reuse existing business applications within new applications. For example, an application for deciding whether to offer a ‘good customer’ discount on your online order could use an application to connect to an application that checks your current account balance, an application to look up your past orders, and an application to check current promotions. To understand the security posture of your ‘good customer’ discount application you really should understand all of those connections as well – but by now even I have lost track of how many applications are involved in that single transaction.
This is why Veracode’s definition of an application focuses on size rather than architecture. We define an application as a collection of software components that deliver a business function. Our definition gives our customers flexibility in what they choose to scan. For example, customers can scan businessunit1.mycompany.com as an application. They can scan a commercial off-the-shelf package prior to purchase as an application. They can also scan a collection of software that includes an off-the-shelf package, custom developed code and open source libraries as an application. The bigger the total size, the more ‘applications’ you scan.
I should also note that for us application scanning is concerned with the executable aspects of the entire package – so we don’t count some application components towards the total size. In many cases, applications contain operating system libraries, graphics and other non-executables that do not count towards the application’s size.
When companies have a good handle on their application inventory, and what that inventory contains, it can be fairly straightforward to answer the ‘what’s an application’ question. Yet many large enterprises struggle with this because their applications are complex, their development teams change frequently, business units are consolidated, and they have new acquisitions all the time. This means they often do not have a good inventory list of applications, nor a good understanding of how applications are linked.
We’ve seen programs get stymied because the enterprise tries to answer the question by having an army of software consultants wandering the halls talking to various IT and business people and digging through the infrastructure. Since Veracode isn’t interested in hosting armies of any type, we use a combination of automated discovery techniques and work with existing organizations to design a strategy to create the list and accurately size the applications they should be testing.
For example, we worked with a global enterprise with four geographically disparate business units, each with their own application infrastructures, IT organizations and code development practices. We worked with the enterprise to organize local ‘application security experts’ aligned with each geographic BU and its local CISO. Veracode trained the experts to identify and size the right applications for this program (i.e., important for the BU’s mission, under active development, etc.). It was a lot of work just to answer the ‘what are our applications?’ question, but it was worth it. Without that effort the application security program may not have been so successful. They would have scanned applications that the security team knew about instead of applications that were business critical. In addition, that work is being leveraged in many other initiatives and strategic planning activities, because now the enterprise has a well-defined list of its most critical applications.
The same is true for complex website portfolios. Enterprises typically use our discovery services to get a complete and accurate assessment of their entire website portfolio before launching into a full-fledged web application testing effort. For example, one of our customers handed us a list of over 30,000 IP addresses and domain names as a starting point for our discovery process. We ended up testing about 3,000 web applications (with DynamicMP we did it in only 8 days, but that’s a story for another time). The project was deemed doubly successful since the enterprise was able to discontinue a number of defunct web properties that were still active.
For us this is further proof that answering the ‘what is an application’ question can help you get early successes with your application security program.