
Web apps remain a trouble spot

By George Hulme
05 Feb 2007 | SearchSecurity.com


After more than a decade of organizations focusing on locking down network perimeters, endpoint devices and email, Web applications have surfaced as the new attack flashpoint. Last year was a bad year for Web application security--whether it was overseas hackers reportedly accessing credit card information from thousands of transactions on the state of Rhode Island's Web site, or universities inadvertently spilling sensitive student information, including Social Security numbers, onto the Internet.

Statistics back this up. Symantec said in its most recent Internet Security Threat Report that Web vulnerabilities constituted 69 percent of the 2,249 new vulnerabilities the company documented for the first half of 2006, with 78 percent of "easily exploitable" vulnerabilities residing within Web applications. Mitre Corp.'s September tally of publicly disclosed vulnerabilities mirrors those findings, with cross-site scripting vulnerabilities surpassing buffer overflows as the most reported vulnerability. Four of the top five vulnerabilities were within Web applications, development platforms, or databases often directly exposed to the Internet. Other common and devastating problems include SQL injection vulnerabilities, directory traversal attacks, and PHP file-inclusion flaws.

Experts warn that Web application attacks are going to escalate before security catches up. Johannes Ullrich, SANS Institute chief research officer, predicts 2007 will be peppered with major Web application-related security incidents where criminals overtake trusted Web sites to steal financial or other sensitive information.

The threats are changing. Chatty spyware and rapidly spreading worms have given way to more clandestine exploits designed to silently pilfer information from Web applications, or change prices on e-commerce sites. Then there's malware that silently infects Web servers and site visitors.

"The attackers have learned that highly aggressive scanning and propagation techniques don't yield more exploited hosts in the end," said Ullrich. "They'd rather infect a popular Web server with browser exploits and then quietly infect visitors to the site."

What are organizations doing about it? Not enough, said Caleb Sima, founder and chief technology officer at Web application vulnerability scanner provider SPI Dynamics. "It's a bigger problem than many enterprises assume," he said. "Despite years of Web applications being targeted, enterprises and other organizations still aren't doing enough to secure their Web sites and apps."

That assertion is backed by WhiteHat Security's Web Application Security Risk Report, which said eight out of 10 Web sites have vulnerabilities that place them at significant risk of attack. The report, which monitors hundreds of sites each month, found that cross-site scripting, information leakage, and predictable resource location are the top three vulnerabilities. "We've found cross-site scripting in seven out of the 10 Web sites we monitor, and predictable resource location in one out of four," said Jeremiah Grossman, WhiteHat's chief technology officer. "Cross-site scripting is all over the place; it's like the plague right now."

There's no easy way to turn around the problem, Ullrich said. For Web applications and servers already deployed, the best defense is thorough scanning with a Web application security scanner. Also, watch logs and deploy intrusion detection sensors. "When it comes to custom applications, many attacks and exploits are not straightforward, and they often need multiple attempts to succeed. This is something IDS will pick up," Ullrich said.
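Ullrich's point that exploits against custom applications usually take several attempts is what makes them visible in logs. The following is an added example, not code from the article or from any vendor it quotes: a small log-review script that flags clients that send several requests carrying the probe indicators the article lists (directory traversal, cross-site scripting, SQL injection) inside a short window, while ignoring a single stray hit. The log lines are constructed, the indicator patterns are deliberately minimal, and the window and threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote
# Constructed sample lines in Apache combined-log format (not from the article).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Feb/2007:10:00:02 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 210
10.0.0.5 - - [05/Feb/2007:10:00:03 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210
10.0.0.5 - - [05/Feb/2007:10:00:04 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 330
10.0.0.5 - - [05/Feb/2007:10:00:05 +0000] "GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1" 500 0
192.168.1.9 - - [05/Feb/2007:10:00:06 +0000] "GET /about.html HTTP/1.1" 200 1024
192.168.1.9 - - [05/Feb/2007:10:30:00 +0000] "GET /search?q=<script>x</script> HTTP/1.1" 200 330
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+')
# Probe indicators, matched against the URL-decoded request target.
INDICATORS = {
    "traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"<script", re.IGNORECASE),
    "sqli": re.compile(r"'\s*or\s*'", re.IGNORECASE),
}

def parse_line(line):
    """Return (client_ip, timestamp, decoded_path), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), unquote(path)

def classify(path):
    """Names of the indicators present in one request target."""
    return [name for name, rx in INDICATORS.items() if rx.search(path)]

def find_repeat_probers(log_text, threshold=3, window=timedelta(minutes=5)):
    """Map client IP -> sorted indicator names for clients with at least `threshold`
    suspicious requests inside any `window`; a single stray hit is not reported."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and (kinds := classify(parsed[2])):
            hits[parsed[0]].append((parsed[1], kinds))
    flagged = {}
    for ip, events in hits.items():
        events.sort()  # chronological, so a forward-looking window suffices
        for i, (start, _) in enumerate(events):
            inside = [e for e in events[i:] if e[0] - start <= window]
            if len(inside) >= threshold:
                flagged[ip] = sorted({k for _, ks in inside for k in ks})
                break
    return flagged
```

Run against the sample, only 10.0.0.5 is reported, with all three indicator types; the lone cross-site scripting hit from 192.168.1.9 stays below the threshold.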

In fact, most experts advise periodic scanning with multiple tools designed to identify vulnerabilities at the network layer, in the application itself, and in its configuration. "Even then, you don't always get everything. Some errors involving [business logic] require human analysis," said WhiteHat's Grossman.

Amol Sarwate, vulnerability lab manager at Qualys, said continuous awareness training may be one of the best defenses. "The development and attacker techniques are always evolving, changing. That's why new and even experienced developers need to stay informed, and get educated about secure development," he said. Sarwate points to the Open Web Application Security Project (OWASP) as a good starting point for learning about Web application security.

John Pescatore, security analyst at Gartner, is surprised by some facets of the spate of Web application vulnerabilities. "We had many of these problems in the early days of the Internet," he said. "It's amazing how we are repeating the same old mistakes, and the bad guys will inevitably play around with, and take advantage of, them."
