How can I show or illustrate to our management the potential seriousness of Web application attacks? Obviously...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
I can’t attack my own applications, but are there resources that depict the step-by-step events that take place once an attacker exploits an application and what types of data can be stolen?
Currently the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities being discovered in operating systems. These vulnerabilities lead to attacks, such as server-side and client-side HTTP attacks, cross-site scripting and SQL injection attacks. A good resource to help you illustrate to management the potential danger of such attacks would be the SANS Institue’s Top Cyber Security Risks, which includes plenty of graphs clearly showing the scale of the problem.
If you feel management would appreciate a technical explanation of how common Web application attacks work, you can refer to SANS HTTP Client-Side Exploitation example, which offers a real step-by-step attack conducted against an organization that resulted in the loss of critical data for the organization. Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) User Guide also contains some illustrated examples of various attacks, and how EMET can prevent them. The Open Web Application Security Project (OWASP) website is another good resource for detailed descriptions of how various attacks work, such as buffer overflows.
Further statistics or reports of real Web applications attacks can be found on the FBI’s cybercrime website, which provides plenty of up-to-date reports on the activities of cybercriminals that you can use to highlight the need to secure your own Internet-facing applications. An important point to get across is that many attacks are coming from sophisticated and well-organized criminal gangs working on a global scale. Take the case of one criminal enterprise that used hackers to break through an encrypted system and steal account numbers and PIN codes. They then produced more than 400 fake ATM cards, recruited hundreds of mules spread out in 280 cities around the world and in less than 24 hours made over 14,000 ATM transactions totaling nearly $10 million.
For a more dramatic demonstration of the need for strong perimeter defenses and secure application development, create a Web application security test attack on your own application. The safest method would be to run the application in a virtual test lab and use a tool, such as Metasploit to attack it. If you discover a vulnerability, then a proof-of-concept payload could be used to show how an attacker could set up a reverse shell or other backdoor into the application and system on which it runs. Using Metasploit to attack a live application requires careful planning, but under controlled conditions would allow you to demonstrate how a vulnerability in your own application could be exploited. Please remember that any sort of penetration test or Web application test attack should always be authorized by key executives, managers or other stakeholders in order to reduce any effect on standard business operations.
Dig Deeper on Web application and API security best practices
Related Q&A from Michael Cobb
A technique known as the GhostHook attack can get around PatchGuard, but Microsoft hasn't patched the flaw. Expert Michael Cobb explains why, as well...continue reading
Software developed by the hacking group Platinum takes advantage of Intel AMT to bypass the built-in Windows firewall. Expert Michael Cobb explains ...continue reading
Tensions between the U.S. and Russia have led to source code reviews on security products, but the process isn't new. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.