July 9, 2007

By Jim Reavis

This is my first blog entry on behalf of Securent as a member of their advisory board. As some of you may know, application security has been a very important issue to me, and a big part of the advisory work I have been involved with has dealt with initiatives in this space. As an advisory board member for SPI Dynamics and a moderator for many events within their Secure Software Forum, I have been an advocate for taking a lifecycle approach to software development and getting the software developers to work more closely with the information security team – and to do it earlier. Progress is being made to secure applications, but what I have learned from my experience so far is that while we do need to do a better job of collaboration between application development and security, we also need to better evaluate the risks of our applications. Once you do threat modeling to understand your application attack surfaces and perform a risk assessment, it becomes evident that we need to apply some fundamental changes to application architecture. Here are some of the outcomes of those risk assessments I have seen:

  • Insider Threats demand more granular and layered security.
  • It is not always Dr Evil. A great deal of the security breaches, inside or out, are not caused by genius hackers. Many times, well-meaning individuals are poorly trained or are dealing with broken processes. In other instances, an individual is tempted to do the wrong thing, because the application allows authorized users to take unauthorized actions.
  • Applications tend to break the security policies you want, or require complex and redundant security controls customized for every application.
  • Businesses are reluctant to recode or otherwise make changes to existing applications unless absolutely necessary.

I have been in this business too long to believe in any silver bullets to solve the security problem.  However, every once in a while, a new development comes along that clearly is an important piece of the overall solution.  In this case, the important piece is eXtensible Access Control Markup Language (XACML), which is why I am blogging for Securent.  XACML allows you to leverage all of the foundational components you already have: LDAP/Active Directory, Portals, Security Policies, etc., and build a single security model you can apply to all of your applications in a loosely coupled manner.  XACML lets LDAP and Active Directory help you enforce authentication and authorization and lets the application focus on the business requirements without hard coding the security directly into it.  It is in fact so powerful that it isn’t necessarily limited to web applications, but can be used to enforce policies within databases and other legacy applications.  My colleague Joel Scambray, who was a co-founder at Foundstone before managing security at MSN and probably understands the situation as well as anyone, called XACML the “Universal ACL Language.”  Securent has developed what they call an Entitlement Management Solution, built on standard XACML, which allows you to enforce and audit the policies you want in your applications with all the supporting controls and logging.
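To make the decoupling concrete, here is an added illustration (not Securent's product and not an XACML library) of a minimal XACML-style policy decision point: the application asks for a decision against an externally managed, attribute-based policy instead of hard-coding who may do what. The policy, the payments application and all attribute values are constructed for the example; in practice attributes such as role would be supplied from LDAP/Active Directory.

```python
# Added illustration (not Securent's product or an XACML library) of a
# minimal XACML-style policy decision point: the application asks for a
# decision and never hard-codes who may do what. All attribute values are
# constructed samples; in practice role and group come from LDAP/AD.
from dataclasses import dataclass, field
from typing import Callable, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Rule:
    effect: str                                  # Permit or Deny
    target: dict = field(default_factory=dict)   # attribute -> allowed values
    condition: Optional[Callable[[dict], bool]] = None

def matches(target: dict, request: dict) -> bool:
    """An XACML Target matches when every listed attribute has an allowed value."""
    return all(request.get(attr) in allowed for attr, allowed in target.items())

def evaluate(policy: dict, request: dict) -> str:
    """Deny-overrides combining: one applicable Deny beats any number of Permits."""
    if not matches(policy["target"], request):
        return NOT_APPLICABLE
    decision = NOT_APPLICABLE
    for rule in policy["rules"]:
        if not matches(rule.target, request):
            continue
        if rule.condition is not None and not rule.condition(request):
            continue
        if rule.effect == DENY:
            return DENY
        decision = PERMIT
    return decision

# Constructed entitlement policy for a payments application.
PAYMENTS_POLICY = {
    "target": {"resource": {"payment"}},
    "rules": [
        Rule(PERMIT, {"role": {"clerk", "manager"}, "action": {"read", "create"}}),
        Rule(PERMIT, {"role": {"manager"}, "action": {"approve"}}),
        # Separation of duties: an authorized approver may not approve a
        # payment they created themselves.
        Rule(DENY, {"action": {"approve"}},
             condition=lambda r: r.get("subject") == r.get("owner")),
    ],
}

def enforce(request: dict) -> bool:
    """Policy enforcement point: the action proceeds only on an explicit Permit."""
    return evaluate(PAYMENTS_POLICY, request) == PERMIT
```

Note that the application code only ever calls `enforce`; changing who may approve payments is a policy edit, not a code change, and a NotApplicable result is treated as a denial rather than as an accident of missing code.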

To me, it is not a question of if you will implement XACML, but when. What will be the project, regulation, compatibility issue, partner mandate or other tipping point that will get your organization on the XACML bandwagon? When you have implemented it once, the dividends you will receive by creating entitlements for follow-on applications will be tremendous. I look forward to spending more time blogging with you about the business benefits of XACML, about the evolving nature of web security and how we can create a more robust, granular and simpler security model.
