After more than a decade of organizations focusing on locking down network perimeters, endpoint devices and email, Web applications have surfaced as the new attack flashpoint. Last year was a bad year for Web application security--whether it was overseas hackers reportedly accessing credit card information from thousands of transactions on the state of Rhode Island's Web site, or universities inadvertently spilling sensitive student information, including Social Security numbers, onto the Internet.
Experts warn that Web application attacks are going to escalate before security catches up. Johannes Ullrich, SANS Institute chief research officer, predicts 2007 will be peppered with major Web application-related security incidents where criminals overtake trusted Web sites to steal financial or other sensitive information.
The threats are changing. Chatty spyware and rapidly spreading worms have given way to more clandestine exploits designed to silently pilfer information from Web applications, or change prices on e-commerce sites. Then there's malware that silently infects Web servers and site visitors.
"The attackers have learned that highly aggressive scanning and propagation techniques don't yield more exploited hosts in the end," said Ullrich. "They'd rather infect a popular Web server with browser exploits and then quietly infect visitors to the site."
What are organizations doing about it? Not enough, said Caleb Sima, founder and chief technology officer at Web application vulnerability scanner provider SPI Dynamics. "It's a bigger problem than many enterprises assume," he said. "Despite years of Web applications being targeted, enterprises and other organizations still aren't doing enough to secure their Web sites and apps."
There's no easy way to turn around the problem, Ullrich said. For Web applications and servers already deployed, the best defense is thorough scanning with a Web application security scanner. Also, watch logs and deploy intrusion detection sensors. "When it comes to custom applications, many attacks and exploits are not straightforward, and they often need multiple attempts to succeed. This is something IDS will pick up," Ullrich said.
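The point Ullrich makes above, that attacks on custom applications usually take several attempts and that the retries are what monitoring catches, can be shown in code. The following is an added example written for this page, not code from SANS, SPI Dynamics or any other party named in the article. It assumes the web server writes the common Apache/nginx "combined" log format; the log lines, the client addresses and the threshold values are constructed for illustration. It parses the log, counts 4xx/5xx responses per client inside a sliding time window, and flags clients whose burst of errors looks like repeated probing rather than ordinary browsing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the Apache/nginx "combined" log format (assumption: the server uses this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic). 203.0.113.7 triggers five server
# errors in five seconds; 198.51.100.2 browses normally and hits one 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2007:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2007:10:00:02 +0000] "GET /search.php?q=test1 HTTP/1.1" 500 231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2007:10:00:03 +0000] "GET /search.php?q=test2 HTTP/1.1" 500 231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2007:10:00:04 +0000] "GET /search.php?q=test3 HTTP/1.1" 500 231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2007:10:00:05 +0000] "GET /search.php?q=test4 HTTP/1.1" 500 231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2007:10:00:06 +0000] "GET /search.php?q=test5 HTTP/1.1" 500 231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2007:10:00:07 +0000] "GET /search.php?q=test6 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Feb/2007:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Feb/2007:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Feb/2007:10:00:12 +0000] "GET /products.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line):
    """Return (ip, timestamp, path, status) for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def error_bursts(lines, window_seconds=60):
    """For each client IP, the largest number of 4xx/5xx responses inside any window of window_seconds."""
    errors = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the monitor
        ip, ts, _path, status = rec
        if status >= 400:
            errors[ip].append(ts)

    bursts = {}
    for ip, stamps in errors.items():
        stamps.sort()
        best, start = 0, 0
        # Two-pointer sliding window over the sorted error timestamps.
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        bursts[ip] = best
    return bursts


def flag_clients(lines, window_seconds=60, threshold=5):
    """Clients whose error burst meets the threshold, as (ip, count) pairs, highest count first."""
    bursts = error_bursts(lines, window_seconds)
    return sorted(((ip, n) for ip, n in bursts.items() if n >= threshold),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for ip, count in flag_clients(SAMPLE_LINES):
        print(f"{ip}: {count} error responses within 60s, review this client")
```

The window and threshold are tuning knobs: a single 404 from a browser fetching a favicon should never page anyone, while a run of 500s against one script from one address within seconds is exactly the "multiple attempts" pattern Ullrich describes. Feeding real logs in and correlating the flagged clients with the IDS alerts gives the reviewer a short list rather than a raw log to read.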
In fact, most experts advise periodic scanning with multiple tools, each designed to identify vulnerabilities at a different level: the network layer, the application itself, and misconfigurations. "Even then, you don't always get everything. Some errors involving [business logic] require human analysis," said WhiteHat's Grossman.
Amol Sarwate, vulnerability lab manager at Qualys, said continuous awareness training may be one of the best defenses. "The development and attacker techniques are always evolving, changing. That's why new and even experienced developers need to stay informed, and get educated about secure development," he said. Sarwate points to the Open Web Application Security Project (OWASP) as a good starting point for learning about Web application security.
John Pescatore, security analyst at Gartner, is surprised by some facets of the spate of Web application vulnerabilities. "We had many of these problems in the early days of the Internet," he said. "It's amazing how we are repeating the same old mistakes, and the bad guys will inevitably play around with, and take advantage of, them."