April 15, 2004 — CIO —
Back in the day, just before the launch of a dotcom I now regret being associated with, I asked our chief developer about security risks to subscriber data. "We’ve put two network cards in the Web server," he grinned. "So the database communicates with the Web server on a separate network. Anyone who hacked into our Web server wouldn’t even know the database was there."
Maybe that was good enough for 1998. But today, hackers and their attack strategies are smarter and much more ambitious. The threat of the day is the application attack, which sneaks through your firewall and into your Web applications. And yes, some of these attacks like to dine on tasty customer data.
If you’ve got a low-profile site, you probably don’t need to worry. But if a lot of people know about you, you’re at risk. It may sound paranoid, but someone could abscond with your customers’ Social Security numbers and you’d never know.
So why don’t ordinary firewalls stop these attacks? Because the attacks are designed to look like well-formed traffic, with no unusually large packets or suspicious mismatches between address and content to sound the alarm. One of the most frightening examples is SQL injection. Here, hackers use one of your own HTML forms to run unauthorized queries against your database. Another threat is command execution: whenever a Web application passes user-supplied input to a shell, a clever hack can cause arbitrary commands to execute on the server.
Other attacks are simpler. For example, HTML comments often contain sensitive information, including logins left behind by incautious programmers. Ultimately, the lines of attack on the application layer, from altering cookies to changing hidden fields in HTML forms, are limited only by hacker imagination. But the good news is that most of these attacks can be stopped cold.
Two complementary approaches, when combined, provide a solid defense. First, use an application scanner to scour your Web apps for vulnerabilities. Then get yourself a Web application firewall to keep the bad guys from breaking and entering.
Application scanners basically launch a host of simulated attacks on your server and report on the results. KaVaDo ScanDo, Sanctum AppScan Audit and SPI Dynamics all do a pretty thorough job itemizing flaws and recommending fixes. AppScan Audit is particularly interesting, because it’s the after-the-fact member of a suite of products that help programmers catch vulnerabilities as they code. None of these packages, however, can beat a full-scale audit by security pros.
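The SQL injection described above and the simulated-attack check a scanner performs, as an added Python example that is not drawn from the article or from any of the products it names; the subscriber table, the two lookup functions and the probe string are all constructed for illustration:

```python
import sqlite3

# Constructed subscriber table standing in for the customer database the
# article describes; every value here is made up.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (username TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO subscribers VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002"), ("carol", "000-00-0003")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # The form field is concatenated into the SQL text, so whatever the
    # visitor typed is parsed as part of the statement the database runs.
    sql = "SELECT username, ssn FROM subscribers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, username):
    # Parameterized query: the value travels separately from the SQL text and
    # is only ever compared as data, never interpreted as SQL.
    sql = "SELECT username, ssn FROM subscribers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Constructed probe of the kind an application scanner submits through a web
# form: it closes the quoted string and appends an always-true condition.
PROBE = "nobody' OR '1'='1"

def scanner_flags_injection(lookup):
    # One check a scanner makes: send a value that should match nothing, then
    # the same value with the tautology appended. More rows on the second
    # request means input is changing the query, and the endpoint is reported.
    conn = build_db()
    baseline = lookup(conn, "nobody")
    probed = lookup(conn, PROBE)
    return len(probed) > len(baseline)

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, normal input:", len(lookup_vulnerable(conn, "alice")), "row(s)")
    print("vulnerable, probe input: ", len(lookup_vulnerable(conn, PROBE)), "row(s)")
    print("hardened, probe input:   ", len(lookup_hardened(conn, PROBE)), "row(s)")
    print("scanner flags vulnerable:", scanner_flags_injection(lookup_vulnerable))
    print("scanner flags hardened:  ", scanner_flags_injection(lookup_hardened))
```

The vulnerable lookup hands every subscriber row to the probe, while the parameterized version returns nothing for it, which is exactly the difference the scanner's report keys on.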