Application security for nonprofits
(09/11/2009)
The threat for smaller companies and nonprofits has increased dramatically. In August of 2009, a Washington Post article noted, “Because the targets tend to be smaller, the attacks have attracted little of the notoriety that has followed larger-scale breaches at big retailers and government agencies.”
San Francisco-based TechSoup Global is a 501(c)(3) nonprofit organization that provides technology information to individuals and organizations in more than 190 countries, has provided consulting services in more than 50 countries and, through its global network of capacity-building NGOs, manages product donations to more than 101,000 organizations in 31 countries. The product donations program had enabled organizations to save over $1.4 billion in expenses as of June 2009. TechSoup Global processes donations, often through credit cards. Its total donation volume places TechSoup Global in the Tier 4 merchant category within the PCI taxonomy.
While TechSoup Global’s IT infrastructure resembles that of most for-profit organizations, the resources available to support and maintain it are significantly thinner. Technically, TechSoup Global builds and maintains custom-made applications to process donations, alongside pre-packaged software for CRM and ERP. An internal development team builds applications, while an IT operations team manages the deployment of both custom and packaged software.
Security is managed by one person, Richard Collins, who is in charge of security strategy and product selection. Mr. Collins is supported, however, by an IT team that manages many of the operational components of security, including firewalls and anti-virus.
Like many in security, Mr. Collins recognized that TechSoup Global’s security strategy over-emphasized traditional approaches - perimeter and desktop protection. Applications, and the data they transacted, needed deeper attention. But for nonprofits, by nature, it is more difficult to muster resources when required.
In early 2009, TechSoup Global experienced an attempted - but unsuccessful - breach. A SQL injection, the most common method of pulling data out of databases, was launched by a hacker against the transaction processing application. Although the attack didn’t succeed, the aftermath proved time-consuming. For two days, TechSoup Global had to take its applications offline to pinpoint the problem and forensically determine what damage might have occurred.
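To make the incident above concrete, here is an added example that is not part of the original article and not code from TechSoup Global or Imperva. It shows the query pattern that makes a transaction application injectable next to its parameterized fix, and then a toy request filter of the kind a WAF applies in front of the application, run over constructed access-log lines. The donor table, the log lines and the filter rule are all assumptions made for the illustration; the filter is deliberately narrow and is not SecureSphere’s detection logic.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# --- Part 1: the vulnerable query pattern and its parameterized fix ---

def make_db():
    """Build an in-memory table with constructed sample rows (assumed schema, not TechSoup's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE donors (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO donors (email, card_last4) VALUES (?, ?)",
        [("alice@example.org", "4242"), ("bob@example.org", "1111"), ("carol@example.org", "9876")],
    )
    return conn

def lookup_vulnerable(conn, email):
    """Builds SQL by string concatenation, so user input is parsed as SQL syntax."""
    sql = "SELECT email, card_last4 FROM donors WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, email):
    """Uses a bound parameter: the input is only ever treated as a string value."""
    return conn.execute(
        "SELECT email, card_last4 FROM donors WHERE email = ?", (email,)
    ).fetchall()

# --- Part 2: a toy request filter of the kind a WAF applies before the query runs ---

# Matches a quote that closes a string literal followed by a boolean operator,
# the shape of the classic tautology payload. A legitimate apostrophe (o'brien)
# does not match. Real WAFs use far richer rule sets plus learned profiles.
TAUTOLOGY = re.compile(r"'\s*(or|and)\s*'", re.IGNORECASE)

# Common Log Format: client ip, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def flag_requests(log_lines):
    """Return (client_ip, path, param, decoded_value) for each request whose
    URL-decoded query parameter matches the tautology pattern."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        parts = urlsplit(target)
        for name, values in parse_qs(parts.query).items():
            for value in values:
                if TAUTOLOGY.search(value):
                    hits.append((ip, parts.path, name, value))
    return hits

# Constructed access-log lines (assumed data, not from the incident described above).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2009:10:01:22 +0000] "GET /donate/lookup?email=alice%40example.org HTTP/1.1" 200 512',
    '192.0.2.77 - - [12/Mar/2009:10:01:25 +0000] "GET /donate/lookup?email=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 9031',
    '192.0.2.10 - - [12/Mar/2009:10:02:03 +0000] "GET /donate/lookup?email=o%27brien%40example.org HTTP/1.1" 200 480',
]

if __name__ == "__main__":
    conn = make_db()
    payload = "nobody@example.org' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every donor row comes back
    print("parameterized:", lookup_safe(conn, payload))      # no row has that literal email
    print("flagged:", flag_requests(SAMPLE_LOG))             # only the second log line
```

The two halves correspond to the two tracks the article goes on to describe: the parameterized query is what remediation in development looks like, and the log filter is the visibility and blocking a WAF provides while that remediation is pending. Note that the filter only helps with attacks it has a rule or learned profile for; the parameterized query removes the class of bug entirely.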
The attack accelerated Mr. Collins’ hopes for a bolstered application security strategy. The strategy would include:
• Pen testing to find holes in the applications.
• Web application firewalls for ongoing, operational visibility and blocking, with the added benefit of helping with PCI compliance.
The pen tests revealed where holes in applications existed. These issues were sent to development for remediation.
At the same time, TechSoup Global evaluated WAF vendors, selecting Imperva’s SecureSphere. Mr. Collins evaluated numerous vendors, but purchased Imperva because of:
• The power of the interface, which made management simple with little overhead.
• The learning capability, which was fast and very accurate.
• The strong architectural fit, which allowed for a nonintrusive, easy deployment.
• The ability to easily and discreetly manage TechSoup Global’s environment with almost no footprint. After installation, maintenance has been negligible.
But the clincher was the database capability. The pricing and the database modules fit TechSoup Global’s requirements for data security.
Post-deployment, SecureSphere has given Mr. Collins a degree of comfort by providing a web application firewall that proactively blocks attacks and sends alerts. But there have been other important benefits as well. Today, Imperva is an essential component of Mr. Collins’ security strategy for several reasons:
1. SecureSphere gives security operational visibility. Mr. Collins can see what is happening, from how applications are used holistically to how attacks occur. This visibility helps drive security strategy: the data is used to determine security requirements and to work with the management team to choose and budget additional solutions. Further, development can use it to prioritize which security features need to be incorporated or which code needs remediation. The data coming from SecureSphere is sent to an internal help desk to manage and coordinate any work, and to control the workflow so that developers are not overloaded. Moving forward, this ongoing process will be critical for TechSoup Global’s continuous process improvement as it sets up offshore operational support processes.
2. Set security policies. With visibility, it’s easier for Mr. Collins to make the case for security policies in development and operations.
3. Provides security and compliance. WAFs keep the PCI auditors away.
4. Facilitates forensics. In the case of a security event, Mr. Collins relies on SecureSphere to sniff out the hacker’s trail in precise detail, ultimately guiding infrastructure changes at TechSoup Global to prevent repeat attacks.
From a resource standpoint, Imperva took approximately two technicians a total of four weeks to install and configure. Ongoing maintenance has been minimal.
Mr. Collins plans to deploy WAFs as part of a secure development process. Specifically, he plans to:
• Use SecureSphere data to drive application security requirements. Today, development struggles with implementing security, but SecureSphere data focuses developer involvement because it makes the case for action very clear.
• Link virtual patches to a help desk ticketing system so that patches are put in place formally.
• Leverage the integration of the WAF with pen testing to instantly patch issues uncovered by black box testing.