When users of link sharing and discussion website MetaFilter detected malicious code transforming benign webpages
into a drive-by attack platform, Matthew Haughey raced to fix the security flaw.
Haughey, a programmer and Web designer who started the site in 1999, soon figured out the problem: a standard SQL injection attack targeting a poorly coded Web application that he built when the website first went live. It was his first Web application and Haughey admits that it failed to filter out variables from the URL.
"Someone discovered it, exploited it, and wreaked havoc," says Haughey, recalling the incident, which took down parts of the website last year. "It took us about two days to plug up the holes on every page and make sure every read of every URL was safe."
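The flaw Haughey describes, a URL parameter dropped straight into a SQL statement, is the textbook case. The following is an added illustration, not MetaFilter's code: a constructed in-memory SQLite table, a handler that concatenates the `id` query parameter into the query (the pattern that was exploited), and the same handler rewritten to validate the parameter and bind it instead. The table, the URLs and the function names are all assumptions made for the example.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

def build_db():
    """Constructed sample data standing in for a site's post table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, draft INTEGER)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (1, "Welcome thread", 0),
        (2, "Unpublished draft", 1),
        (3, "Another post", 0),
    ])
    return conn

def id_from_url(url):
    """Pull the raw 'id' query parameter out of a request URL (hypothetical helper)."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]

def get_post_vulnerable(conn, url):
    """The unsafe pattern: the URL variable is pasted into the statement unfiltered,
    so whatever the client sends becomes part of the SQL."""
    post_id = id_from_url(url)
    sql = f"SELECT id, title FROM posts WHERE id = {post_id}"
    return conn.execute(sql).fetchall()

def get_post_safe(conn, url):
    """The fix: validate the parameter's shape, then bind it as a value rather than
    as SQL text, so the database never interprets user input as query structure."""
    raw = id_from_url(url)
    if not raw.isdigit():
        return []  # reject anything that is not a plain integer id
    return conn.execute("SELECT id, title FROM posts WHERE id = ?", (int(raw),)).fetchall()

if __name__ == "__main__":
    db = build_db()
    normal = "https://example.invalid/post?id=1"
    tampered = "https://example.invalid/post?id=1+OR+1%3D1"  # decodes to "1 OR 1=1"
    print(get_post_vulnerable(db, normal))    # one row
    print(get_post_vulnerable(db, tampered))  # every row, drafts included
    print(get_post_safe(db, tampered))        # nothing: the input fails validation
```

Binding parameters is the durable fix; the `isdigit` check is defence in depth and also gives the application a clean place to log or count malformed requests.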
Security experts say problems such as this are happening on websites all over the Internet at an alarming rate. Web application vulnerabilities account for more than 80 percent of the vulnerabilities discovered, according to the SANS Institute. In many cases, attackers exploit a Web application vulnerability to set up an attack that targets coding errors in client-side applications. Even websites flush with cash and an army of programmers can fall victim if one of their pages contains a poorly coded Web application, if user-generated content isn't closely monitored, or if a user falls prey to account hijacking.
"In the network world when you have an OS vulnerability, you can apply a patch and it's fixed. But what we have now are individual applications coded by different teams with different security knowledge, and there's no one fix," says Michael Coates, a security engineer and volunteer with OWASP, the Open Web Application Security Project. "You can't apply the OS patch to the application so we have to find ways to build them better."
Roger Thornton, founder and chief technology officer of San Mateo, Calif.-based Fortify Software, says it's impossible to get rid of all attacks, and that relying on signature-based antivirus is problematic because attackers modify the malware they use. The logical answer, he says, is to focus on improving the software development lifecycle so that programmers develop cleaner code.
"We need to build code resilient to attack and that means first we remove the vulnerabilities that are being attacked and second, we can work on creating self defending code," Thornton said. "All the tools are in place for people to start eradicating these things."
One of the latest tools doesn't remove software vulnerabilities, but instead gives applications an extra layer of security that could help fend off attackers. The new framework, developed by Coates, helps developers inject code into applications that gives them self-defense mechanisms. The project, called AppSensor, is a methodology that Coates says could add detection capabilities to applications and stop Web application attacks before a cybercriminal can successfully penetrate a network. AppSensor is meant to be used early in the software development lifecycle, but Coates says applications already deployed can be retrofitted fairly easily.
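The idea the article describes, detection points inside the application that count suspicious events per user and respond before an attack succeeds, can be sketched in a few dozen lines. The following is an added illustration of that methodology, not code from the AppSensor project: the detection-point names, thresholds, time window and the order-lookup handler are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

class InAppSensor:
    """Illustrative in-application detection (hypothetical, not AppSensor's API).
    Each (user, detection point) pair keeps a sliding window of event timestamps;
    when a detection point reaches its threshold the user is locked out."""

    def __init__(self, thresholds, window_seconds=60):
        self.thresholds = thresholds          # detection point name -> events allowed per window
        self.window = window_seconds
        self.events = defaultdict(deque)      # (user, point) -> timestamps
        self.locked = set()

    def record(self, user, point, now):
        """Log one suspicious event; return 'locked' if this one trips the threshold."""
        if user in self.locked:
            return "locked"
        q = self.events[(user, point)]
        q.append(now)
        while q and now - q[0] > self.window:  # drop events that fell out of the window
            q.popleft()
        limit = self.thresholds.get(point)
        if limit is not None and len(q) >= limit:
            self.locked.add(user)
            return "locked"
        return "logged"

    def is_locked(self, user):
        return user in self.locked

# Constructed sample data: order id -> owning user
ORDERS = {101: "alice", 102: "bob", 103: "bob"}

def view_order(sensor, user, order_id, now):
    """Hypothetical request handler with two detection points wired in:
    a malformed id is an input-validation event, and a request for another
    user's order is an access-control event. Either one is counted, and a
    locked user gets nothing back."""
    if sensor.is_locked(user):
        return None
    if not isinstance(order_id, int):
        sensor.record(user, "input_validation_failure", now)
        return None
    owner = ORDERS.get(order_id)
    if owner != user:
        sensor.record(user, "access_control_violation", now)
        return None
    return {"order": order_id, "owner": owner}

if __name__ == "__main__":
    s = InAppSensor({"access_control_violation": 3, "input_validation_failure": 5})
    for t, oid in enumerate([102, 103, 102]):
        print(t, view_order(s, "alice", oid, now=t * 10))  # third attempt locks alice
    print(view_order(s, "alice", 101, now=40))             # her own order, but she is locked
    print(view_order(s, "bob", 102, now=40))               # bob unaffected
```

Real deployments would persist the counters, alert operators on each trip, and choose responses less blunt than a lockout for low-severity points; the structure (named detection points, per-user thresholds over a window, a response) is what carries over.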
Jake Brill, a project manager on Facebook's site integrity team, says the social networking site has proprietary systems in place to closely monitor third-party Web applications for suspicious activity. If an issue is flagged, either by the monitoring systems or complaints from users, the site team can pull it offline and check it for deficiencies, Brill says. Facebook officials say a bigger problem is the security of their users' computers. The Palo Alto, Calif.-based company recently announced a partnership with Santa Clara, Calif.-based McAfee to offer security software to users at a discount.
If more sites such as Facebook underwent vulnerability scanning and penetration tests, fewer people would end up victims, says Ryan Barnett, director of application security research at Carlsbad, Calif.-based Breach Security.
"You're never going to get to a point where you have zero vulnerabilities," Barnett says. "But I think we can do a heck of a lot better."