Although it was already taking measures to guard against hacker penetration of its Web applications, Deltanet Inc., the spin-off of San Francisco-based Delta Dental Plan of California (DDPCa, $3.3 billion in total revenue) that provides systems maintenance and all of the carrier's information technology, wasn't satisfied with the costly process. DDPCa was using a third party to perform "ethical hacks" on its applications to identify vulnerabilities, but testing and retesting a single application could cost as much as $50,000. The decision to change, however, wasn't based solely on cost.
"Deltanet could never be sure that a third-party penetration tester did everything prudently and consistently," says Lance Wolrab, network security engineer, Deltanet. The group recognized it needed to lock down its Web-based applications.
In the third quarter of 2001, a Deltanet team that included the group's senior security engineers, chief information security officer and other members of IT began its search. According to David R. Furnas, Deltanet's senior enterprise security engineer, the team was seeking a tool that could provide an automated Web application vulnerability assessment component that was consistent and repeatable. Additionally, "it needed to reduce the time required to improve the security posture of Web applications during the development, testing and QA (quality assurance) phases of the life cycle," says Furnas.
Three vendor products were reviewed during the search. In the fourth quarter of 2001, Deltanet awarded a contract to Sanctum (Santa Clara, CA) for its AppScan technology. The product was chosen because AppScan successfully fulfilled all of Deltanet's criteria and exhibited the most compelling cost/benefit, says Furnas.
Deltanet's implementation of AppScan took place in June 2002. The actual installation of the software involved downloading the application onto a laptop. Access to AppScan, explains Wolrab, was set up as a single user account whose credentials are shared by the software's four end-users: Deltanet's senior security engineer, security administrator, internal auditor and Wolrab, who is AppScan's primary user.
In order to ensure implementation success, says Wolrab, training of AppScan's eventual users was essential, and Sanctum provided a three-day session. Aside from gaining familiarity with the software, the four users were taught basic application hacking techniques. "Sanctum's trainer was extremely knowledgeable," says Wolrab. After the four end-users were brought up to speed, testing began.
Currently, Deltanet is testing code as it is written or modified. Although the frequency of the tool's use is dependent upon application development schedules, from August through December of 2002 Wolrab tested applications with AppScan about once a week. "Not all developers are taught to code applications securely," says Wolrab. "AppScan lets us see where the deficiencies are and enables us to address those issues."
Because it enables faster development of more complete Web applications, Wolrab is "extremely happy" with AppScan. He says the time that it takes to complete the penetration testing cycle has been drastically reduced. In the past, after a test was conducted, Deltanet had to wait two weeks to get its results, according to Wolrab. Six weeks would typically pass before results could be communicated to developers, changes made and retests conducted.
Through the use of AppScan, test results are delivered in an hour and issues are communicated to developers in a couple of hours. Fixes for the reported vulnerabilities can be made within one to three business days. On day three of the process, a second test is conducted to validate the changes that have been made. AppScan reduces the time it takes to test and retest from six weeks to three days. Furthermore, Deltanet has invested the same amount of money in AppScan as it did in the past for a single test and retest.
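The test-and-retest cycle described above can be reduced to a small, repeatable script. The following is an added example written for this page; it is not AppScan and not Deltanet's code. The three request handlers (a "before" version, a partially fixed version and a fixed version), the in-memory member table and the probe strings are all constructed for the example. It scans a named request parameter with two probes (a unique markup token to detect unescaped reflection, and a lone single quote to detect string-built SQL), records findings as a baseline, and then retests a changed handler to report which findings were closed, which remain open and which are new.

```python
"""Minimal automated, repeatable Web-application vulnerability check.

Hypothetical example: the handlers below stand in for a Web application
and are scanned in-process, so the script runs offline.
"""
import html
import sqlite3

# Constructed in-memory table standing in for the application's backend.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE members (name TEXT)")
_conn.executemany("INSERT INTO members VALUES (?)", [("alice",), ("bob",)])


def vulnerable_app(params):
    """'Before' handler: string-built SQL and unescaped reflection of q."""
    q = params.get("q", "")
    try:
        rows = _conn.execute(
            f"SELECT name FROM members WHERE name = '{q}'").fetchall()
    except sqlite3.Error as exc:
        return 500, f"<p>Database error: {exc}</p>"
    items = "".join(f"<li>{r[0]}</li>" for r in rows)
    return 200, f"<h1>Results for {q}</h1><ul>{items}</ul>"


def half_fixed_app(params):
    """Developer escaped the output but left the query string-built."""
    q = params.get("q", "")
    try:
        rows = _conn.execute(
            f"SELECT name FROM members WHERE name = '{q}'").fetchall()
    except sqlite3.Error as exc:
        return 500, f"<p>Database error: {exc}</p>"
    items = "".join(f"<li>{html.escape(r[0])}</li>" for r in rows)
    return 200, f"<h1>Results for {html.escape(q)}</h1><ul>{items}</ul>"


def fixed_app(params):
    """Fixed handler: parameterized query and HTML-escaped output."""
    q = params.get("q", "")
    rows = _conn.execute(
        "SELECT name FROM members WHERE name = ?", (q,)).fetchall()
    items = "".join(f"<li>{html.escape(r[0])}</li>" for r in rows)
    return 200, f"<h1>Results for {html.escape(q)}</h1><ul>{items}</ul>"


# Probes: a unique, harmless markup token that must never come back verbatim,
# and a single quote that breaks any query built by string concatenation.
XSS_PROBE = '<xzq9 onerror="x">'
SQL_PROBE = "'"
SQL_ERROR_SIGNATURES = ("database error", "syntax error", "unrecognized token",
                        "incomplete input", "you have an error in your sql")


def scan(app, param_names):
    """Return a sorted list of (finding_type, parameter) for the handler."""
    findings = []
    for name in param_names:
        _, body = app({name: XSS_PROBE})
        if XSS_PROBE in body:          # token reflected without escaping
            findings.append(("reflected_xss", name))
        status, body = app({name: SQL_PROBE})
        low = body.lower()
        if status >= 500 or any(sig in low for sig in SQL_ERROR_SIGNATURES):
            findings.append(("sql_error", name))
    return sorted(findings)


def retest(baseline, app, param_names):
    """Re-run the scan after changes and diff it against the baseline."""
    before, now = set(baseline), set(scan(app, param_names))
    return {"open": sorted(now & before),
            "closed": sorted(before - now),
            "new": sorted(now - before)}


if __name__ == "__main__":
    baseline = scan(vulnerable_app, ["q"])
    print("day 1 baseline:", baseline)
    print("day 3 retest (partial fix):", retest(baseline, half_fixed_app, ["q"]))
    print("day 3 retest (full fix):   ", retest(baseline, fixed_app, ["q"]))
```

Because the probes and signatures are fixed, two runs against the same build produce the same findings, which is the consistency the Deltanet team was looking for; the retest diff is what tells a developer that escaping the output closed the reflection finding but did nothing about the string-built query.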
Case Study Closeup
COMPANY: Deltanet, provider of IT solutions for Delta Dental Plan of California, San Francisco, $3.3 billion in total revenue.
LINES OF BUSINESS: Dental insurance
VENDOR/TECHNOLOGY: Sanctum's (Santa Clara, CA) AppScan.
CHALLENGE: Use an automated vulnerability assessment tool to find Web application vulnerabilities consistently and repeatably before attackers do.