IT is left to its own ingenuity to weave diverse products into a Web security protection scheme. Security practitioners will have to categorize externally facing websites and then make security investment decisions among technologies such as scanners, penetration testers, Web application firewalls, source code scanning and security development lifecycle (SDL) investment. There is no one best practice when protecting websites, which is a worrisome state for businesses and helps explain why security vendors report that most attacks penetrate browsers through infected webpages.
Companies that invest in finding and patching website vulnerabilities are ahead of the game. WhiteHat, a Web application scanning service vendor, reports that 63% of websites have a high, critical or urgent security issue. There are few more important interfaces between a business and its customers and supply chain, yet websites are now the leading attack targets for malicious code such as cross-site scripting (XSS). WhiteHat's research into website vulnerabilities shows that security is a vexing issue that security vendors struggle to contain.
In time vendors will integrate offerings to form a cohesive set of security tools for IT. For instance, the day will come when source code passes through SDL tests that include a parameter description language to optimize Web application firewall features. Meanwhile, security teams need to utilize a variety of mechanisms to control the security profile of their websites.
Vulnerability scanning. Website vulnerability scanners discover websites and scan them for known vulnerabilities. The list of discovered vulnerabilities feeds software maintenance teams, possibly helps tune Web application firewalls and provides IT with an objective measurement of the security health of corporate websites. Website auditing, achieved with vulnerability scanning, is a core competency all businesses should be utilizing.
Penetration testing. Similar to vulnerability scanning, penetration testing also varies input parameters from browser scripts to detect weaknesses in the business logic expressed by the application code. Consumer-oriented websites should pass penetration tests before production deployment.
SDL and source code security scanning. Correcting vulnerabilities in the source code is the preferred method when feasible. Approaches that integrate security scanning with source code libraries can help ensure a vulnerability is fixed across all corporate websites. However, beyond the expense of code management systems, businesses hate to invest security maintenance resources in legacy applications, and in many cases the source code is owned by a vendor. WhiteHat's finding that an XSS vulnerability takes an average of 58 days to fix indicates that security needs to augment source code corrections with other controls.
Web application firewalls. WAFs are devices residing in the data path between the user and the website to analyze HTTP traffic, block attacks and prevent data leakage. WAFs can be effective in blocking attacks, but they need periodic tuning to keep in sync with the Web application, and not all websites merit the expense of a Web application firewall.
Browsers. The most popular browsers have features designed to reduce the risk of XSS attacks. Be sure end users of Microsoft IE8 are running the XSS filter and users of Mozilla Firefox have deployed the XSS Me add-on.
Application whitelists. IT can record the configuration of an approved website and application whitelists can detect and block unauthorized changes to the server environment.
Categorize all Web servers according to business risk. There will not be enough money budgeted to apply all of the above methods to every website. Prioritize websites by importance to the business, susceptibility to website vulnerabilities (e.g. complexity) and practicality of each security technology.
Four-leaf clovers. (Only slightly tongue-in-cheek.) Assume all websites are vulnerable and will be exploited. Put processes in place to detect the presence of malicious code to limit the damage of a successful attack, and preplan the action to take in the event of a breach. A little luck is always a good thing ;).
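A minimal form of the approved-configuration check behind the application whitelist item and the "detect the presence of malicious code" process above, written as an added example that is not part of the original article: it records a SHA-256 baseline of a web root and reports anything added, removed or modified since. The web root contents and the `demo` helper are constructed here for illustration only.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Record the approved state: relative POSIX path -> content hash."""
    return {
        p.relative_to(webroot).as_posix(): hash_file(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file()
    }


def check_against_baseline(webroot: Path, baseline: dict) -> dict:
    """Compare the live tree with the recorded baseline and classify every difference."""
    current = build_baseline(webroot)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed sample web root: take a baseline, then apply unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body>Welcome</body></html>")
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('app');")
        # Baseline would normally be stored off-box; JSON round-trip shows the format.
        baseline = json.loads(json.dumps(build_baseline(root)))
        # Simulated tampering after deployment: an edited page and a dropped file.
        (root / "index.html").write_text("<html><body>Welcome<!-- changed --></body></html>")
        (root / "js" / "dropped.js").write_text("/* unexpected */")
        return check_against_baseline(root, baseline)
```

A production deployment keeps the baseline outside the web server's reach and runs the comparison on a schedule, alerting on any non-empty result.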
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.