Software Risk Management in E-business:

Balancing Market-Driven Needs with Security and Privacy
by Anup Ghosh, Cigital, Inc.
 
 
For businesses involved in e-commerce, software risk management (SRM) is critical for ensuring market advantages in three key areas: time-to-market, security and protecting consumer privacy. To stay competitive, online businesses must get their products and services to the web as quickly as possible - at the speed of the Internet.

One major challenge traditionally faced by the commercial software industry is balancing the competing interests of moving a product to market quickly and providing adequate testing without jeopardizing product reliability. In a pure sense, there can never be too much product testing. However, from a business perspective, missing a release date because of a poorly implemented software test plan can risk the market viability of a product, as well as the future of the company.

Software risk management is a holistic approach to meeting market demands and the functional requirements of software, while providing requisite levels of software safety, security and reliability. While many in the software industry believe that software dependability and market-driven demands on software are mutually exclusive, SRM espouses the idea that meeting business needs simultaneously with software safety, security and reliability is a matter of making trade-offs driven by business risk. In the fast-paced e-business arena, SRM is essential for companies trying to release software and provide online services in Internet time, while simultaneously delivering extremely high levels of reliability, security and privacy demanded by consumers.

Today's Internet-based businesses face risks unlike those faced by their brick-and-mortar predecessors and counterparts. If a hacker launches a denial-of-service attack, defaces the web site, steals consumers' private information, or otherwise violates the security of an e-business, the business consequences can be catastrophic. Even SRM experts agree that perfect security does not exist. They concur, however, that e-businesses should develop models that mitigate risks, allowing for only acceptable risks in weighing time-to-market demands against security requirements.

Compared to their traditional, physical counterparts, e-businesses are susceptible to a larger variety of attacks because an Internet-based system can be attacked by anyone, from anywhere, at any time. While the costs of these attacks may be minimal for the attacker, the victimized business can face extremely high costs. For example, if someone breaks into a Barnes & Noble bookstore, it will likely affect only one of hundreds of branches. If, on the other hand, someone brings down the Barnes & Noble e-business site, the likelihood of disastrous consequences from loss of sales or brand damage skyrockets.

The Consequences of Online Sabotage

An e-business that is offline is no longer in business. Once customers learn that a web site has been sabotaged or vandalized, they might take their business elsewhere. This emphasizes the importance of building strong security and reliability into software systems to minimize such risks.

Even governments are susceptible to online security breaches. We have seen attacks against US federal agencies such as NASA, the Department of Justice and the CIA. In many of these cases, malicious hackers broke into web servers hosting these sites and defaced the web pages with their own political messages. Luckily for these agencies, such tampering did not have a high dollar cost.

Online attacks present a harsher reality in the commercial world. Consider the financial services industry. People expect investment firms to protect and grow their financial assets. Brand name and trust are critical attributes to winning customers and retaining loyalty. Attacks against a financial services firm's e-business site - whether visible (web page vandalism), subtle (altering financial transaction information), or frustrating (denial-of-service attacks) - could prove lethal to a company in this highly competitive industry. Vulnerability to these types of common digital-age attacks loudly declares the inability of a company to protect its customers' investments. It is no surprise, then, when companies such as eTrade lose significant numbers of customers, revenue and market value due to online downtime.

Protecting the personal and financial privacy of customers should be among the chief concerns of any e-business. Luckily, most banks protect consumers against credit card fraud by limiting individual liability. Commercial businesses, however, are the ones left holding the tab for credit card fraud. As a result, they can incur huge financial losses.

It is not uncommon for an online retailer to maintain long lists of credit card numbers on a site that can be easily hacked. This is where the issue of building trust with customers arises. Businesses must protect not only their systems, but also their customers' private information, such as financial and medical records. A business site that has been hacked can have its brand and reputation tarnished beyond repair. If customers can purchase the same products from other companies, why should they shop at one known for being hacked?

Know the Limits of Partnerships and Technology

In business-to-business (B2B) e-commerce, companies often form loose and dynamic partnerships. They may form partnerships with other firms for particular projects, requiring a web-based communication infrastructure to link internal computer systems for file sharing. However, these partners might compete in another arena in which providing access to certain files could create a serious competitive disadvantage. Any connection between back-office infrastructures and proprietary software systems must be carefully monitored to avoid giving hackers or motivated competitors the opportunity to access and exploit confidential information.

Businesses must understand the limitations of the technology they are using. Companies involved in B2B partnerships often use virtual private networks (VPNs) as a private conduit over a public infrastructure. A VPN provides an encrypted tunnel over the Internet and protects against unauthorized third-party intrusion on the information being transacted. While VPNs are essential for ensuring the confidentiality of data sent between two parties, they can also provide a false sense of security for business managers who do not know their limitations. Managers should understand that a VPN does not provide:

  • protection against malicious software and commands that might be sent over the encrypted tunnel;
  • protection against a competitive partner who might attempt to break into an internal system; or
  • protection against a hacker who is trying to break into an internal system via some other channel.

E-business Security Requires More Than Cryptography

The fact that e-businesses comprise several layers (networks, operating systems, online applications and databases) makes security difficult to manage. Certain components, such as databases, are often overlooked in terms of security. As a result, they become prime targets for hackers.

Organizations spend so much time worrying about network protocols and cryptography that they often forget to secure the hosts that run the e-business. Typically, encryption protocols are not the weakest link. More often these 'secure protocols' give a false sense of security for both businesses and consumers.

In practice, most hackers ignore encrypted sessions and break into the servers that host the e-business applications via flaws in software design, implementation and configuration. For example, if hackers want to obtain credit card information, they do not need to break into a secure sockets layer (SSL)-encrypted session. They can simply bypass the 'secure' session and, through other network services, break into the server that hosts the credit card information.

At the network layer, businesses can apply encryption and authentication technologies that protect pipeline traffic. Firewalls, at the operating system layer, can close down access to non-public services. The application layer, however, has very little protection, although it is the key layer that defines and runs an e-business.

A prudent SRM approach will focus on those system components that are highly vulnerable to the most damaging attacks. Today, this is the application layer.

Key Risks of an E-business Site

Almost by definition, e-business applications are security-critical, complex pieces of software. As such, they can be one of the weakest links in the e-commerce chain.

An e-business typically consists of an n-tier client/server system that includes the user's web browser, an Internet connection, the merchant's front-end web server, back-end databases, and a middleware layer of software that implements the business application logic. Developers implement business application logic in Java, C, or C++ application servers or CGI scripts. The result is complex software, the security of which is often overlooked by businesses but targeted by hackers.

Frequently, software is developed to meet specifications for how it should work. It is equally important for developers to specify how the software should not behave. For example, if an application expects a credit card number with 16 digits, an attacker may input non-numeric characters into the field or overload the field with thousands of characters in an effort to adversely affect the behavior of an online application. If this maneuver is successful, an attacker might be able to leverage the unexpected behavior into a full-scale security breach.

Other software risks specific to e-businesses include buffer overflows, data interception and race conditions. Buffer overflows, programming flaws that let user input longer than the memory reserved for it overwrite adjacent memory, can result in system crashes or unauthorized system privileges. These overflows account for nearly 50 percent of all security vulnerabilities. To reduce the risk of confidential data being easily viewed over the Internet, protocols such as SSL encrypt all the data sent during a session between the web browser and server. However, even SSL and other encryption protocols are susceptible to system-defeating man-in-the-middle attacks.
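The two preceding paragraphs describe the same defensive principle from two angles: specify what input the software must reject (a 16-digit card field fed non-numeric characters or thousands of characters), and never let input length exceed the memory reserved for it (the buffer overflow). The following C example is added here and is not code from the article or from Cigital; it assumes an application that stores a card number in a fixed 17-byte buffer, names its own hypothetical functions (`store_card_number`, `check_card_number`) and status codes, and uses constructed sample inputs. Every way the input may be wrong is named explicitly, and the length is bounded before any copy takes place, which is the pattern that replaces an unchecked `strcpy` into a fixed-size buffer.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed assumption: the application reserves room for exactly
 * 16 digits plus the terminating NUL. */
#define CARD_DIGITS 16
#define CARD_BUF_LEN (CARD_DIGITS + 1)

/* Each code names one way the input is *not* allowed to look. */
enum card_status {
    CARD_OK = 0,
    CARD_TOO_LONG,     /* more bytes than the field may hold */
    CARD_WRONG_LENGTH, /* fits the buffer but is not exactly 16 digits */
    CARD_NOT_DIGIT,    /* a non-numeric character was supplied */
    CARD_BAD_CHECKSUM  /* digits fail the Luhn mod-10 check */
};

/* Luhn mod-10 checksum over exactly CARD_DIGITS ASCII digits. */
static bool luhn_ok(const char *digits)
{
    int sum = 0;
    for (int i = 0; i < CARD_DIGITS; i++) {
        int d = digits[CARD_DIGITS - 1 - i] - '0';
        if (i % 2 == 1) {            /* double every second digit from the right */
            d *= 2;
            if (d > 9) d -= 9;
        }
        sum += d;
    }
    return sum % 10 == 0;
}

/* Validate untrusted input and, only if it passes, copy it into out.
 * The unsafe pattern this replaces is strcpy(out, input): with a
 * thousand-character input that call overruns the 17-byte buffer.
 * Here the scan stops at CARD_BUF_LEN bytes, so oversized input is
 * rejected at a fixed cost and nothing is written until it is valid. */
enum card_status store_card_number(const char *input, char out[CARD_BUF_LEN])
{
    size_t len = 0;
    while (len < CARD_BUF_LEN && input[len] != '\0')
        len++;
    if (len >= CARD_BUF_LEN)
        return CARD_TOO_LONG;
    if (len != CARD_DIGITS)
        return CARD_WRONG_LENGTH;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)input[i]))
            return CARD_NOT_DIGIT;
    }
    if (!luhn_ok(input))
        return CARD_BAD_CHECKSUM;
    memcpy(out, input, CARD_DIGITS);
    out[CARD_DIGITS] = '\0';
    return CARD_OK;
}

/* Convenience wrapper: validate into a throwaway buffer and report the code. */
enum card_status check_card_number(const char *input)
{
    char buf[CARD_BUF_LEN];
    return store_card_number(input, buf);
}

int main(void)
{
    /* Constructed sample inputs, one per rejection reason plus a valid case. */
    const char *samples[] = {
        "4111111111111111",                  /* well-known Luhn-valid test number */
        "4111111111111112",                  /* last digit altered: checksum fails */
        "411111111111111a",                  /* non-numeric character */
        "41111111",                          /* too short */
        "4111111111111111111111111111111111" /* far longer than the field */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> status %d\n", samples[i], check_card_number(samples[i]));
    return 0;
}
```

Note that the order of the checks matters: the length is bounded first, so neither the digit loop nor the checksum ever reads beyond the buffer it is about to fill.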

Man-in-the-middle spoofing attacks fool users into believing the site they are visiting or conducting transactions on is authentic when, in fact, it may be controlled by a malicious entity. For example, suppose you bank online. A simple domain name system (DNS) attack can redirect your web URL request to an attacker's site, specifically created to appear identical to the authentic bank site. You enter your account number and password, then hit send. Instead of going to your bank, this important, confidential information goes directly to another site and ends up in the wrong hands. This is the Internet equivalent of using the phone to call your automated bank system. However, rather than connecting your call to the bank, the phone system routes your call to a rogue entity that captures your account and PIN code.

We trust the phone system to be secure and to prevent these problems. Unfortunately, the Internet infrastructure is not secure, and DNS attacks can literally change where you do your banking - without your knowledge.

Stay Safe with Software Risk Management

It is not possible to perfectly secure any online system. Companies must make strategic decisions about securing their e-businesses against likely threats. Through its focus on identifying software-induced business risks, software risk management is helping companies to design assurance into their products from the very beginning, and provide confidence for both businesses and consumers.

Perhaps more importantly, software risk management helps companies analyze and evaluate, on a broader scale, the assurance-related requirements, such as reliability, security and privacy. By applying sound SRM techniques, businesses can understand and plan for software risks throughout their system and bring to market timely, reliable and secure online services.

Anup Ghosh, Ph.D., is director of security research for Cigital, Inc. (www.cigital.com)

 

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © 2000 West Coast Publishing. Reprinted from SC Magazine, 161 Worcester Road, Suite 201, Framingham, MA 01701. All rights reserved.