Web application security is critical for every internet-facing initiative, especially in light of the unending growth of websites. Lurking among even the most popular places on the internet are dangers that proliferate as fast as the websites themselves.
These threats inhabit web applications – functionality provided to users through browsers and powerful backend processing capabilities. Cybercriminals increasingly see the opportunities in weak applications, and are shifting their activities accordingly, because that's where the virtual money is, to paraphrase bank robber Willie Sutton.
The internet is home to nearly 240 million websites, according to U.K.-based internet services company Netcraft.com, with more than a million being added every month. The new sites typically employ the latest and greatest new technologies, but also can harbor the greatest vulnerabilities. Security vendor eSoft claims that it is currently aware of 1.55 million malicious websites.
In dealing with the problem, often the most difficult part can be determining which sites an organization even has, let alone which of them have been compromised. “I can tell you that most organizations, if they have more than five websites, chances are that they do not know what websites they own, what they do, or what they mean to their business – which is a poor place to start when trying to rationalize security measures,” says Jeremiah Grossman, founder and CTO of WhiteHat Security, a provider of website risk management solutions.
And an application that is free of vulnerabilities is a rarity, adds Bill Pennington, SVP of product services at WhiteHat Security. “The problem of web application security is completely different from the security problems a corporate security officer typically deals with.”
In fact, advancements in web technology complicate the problem even further and have resulted in increasingly complex applications that are poorly understood from a security perspective. Michael Sutton (no relation to Willie), VP of research at cloud security company Zscaler, says, “Web 2.0 technologies have driven an explosion in intuitive, user-friendly web applications.”
This all adds up to a less than sanguine security portent, at least for the time being. The current security posture on the web is pretty dismal, Grossman points out. “In 70 to 80 percent of the sites we look at – which tend to be from companies that really care about security – we find flaws or vulnerabilities that could lead to fraud or loss of data.”
The web attacks that attract media attention represent a shift from network-based attacks to applications. Pennington says that the reason attackers are moving to the application layer is that the industry, by and large, has done a fairly good job of making the network layer secure.
“The bad guys have been moving into this space for the past few years, but as a security industry, we have not been moving as fast as the bad guys.”
The security landscape and the threat environment – terms borrowed from the physical world and applied to cyberspace – have been reshaped by the changing nature of attacks.
“Whether it's a web-based worm running rampant on a popular social networking site or an injected IFRAME associated with a botnet, attackers are leveraging the poor security of web applications to attack the users that visit them,” Sutton says.
But the attackers are not necessarily looking for data directly from sites they target. It's more a matter of leveraging the visitors to the sites, which can number in the millions over time.
“There are guys that scan 24/7, and they are looking for vulnerabilities across the web,” adds Grossman. “They don't want to get data from the websites, they just want to infect it so that when a visitor hits the site, they get infected.”
How were so many applications deployed with so many vulnerabilities? Two main reasons: First, most developers were not trained to think about security when creating applications. During the client-server era, there weren't many public-facing applications – it was not seen as a major issue. The web was open, which was great for business, but with the popularity of the web came the scourge of the hackers.
Secondly, even developers who are trained in security and really understand security issues suffer from a lack of time. Most developers are extremely busy and under a time crunch to get applications out on deadline. They often don't have time to do unit testing, let alone security testing.
To address the problem, there are several lines of defense. Still, the main approach now is to identify problems as they manifest themselves. This can be through vulnerability management or by blocking known threats with web application firewalls.
“There must be two strategies,” Grossman says. “One to deal with existing websites and another to deal with the next 240 million websites before they go up.”
Vulnerability management typically means testing web applications: penetration testing, dynamic scanning of the running application (sending requests and inspecting the responses), and static scanning of the source code.
One current approach is to scan and assess the vulnerabilities – with humans and through automation – and feed those results into a web application firewall (WAF) to perform a “virtual patch.” That is, a web application firewall – designed to block traffic based on known vulnerabilities – is updated with rules that block requests exploiting the specific flaws found. “The web application firewall gives you control over what is coming in and going out of an application,” says WhiteHat's Pennington.
Virtual patching can stem the tide of attacks, at least initially, but the problem should be addressed at a more fundamental level. When the time, motivation and budget allow, the code flaws must be fixed.
“Source code analyzers cannot tell you if your code is vulnerable to an attack,” says Pennington, however. “They tell you little more than that a given input on a website is not going through the filter you have told it to go through, for example. A dynamic test determines how good the filter is, static testing determines if it has been applied or not. Both are important, but they are different,” he says.
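To make the distinction concrete, here is an added example (not code from the article or from any vendor it quotes) built around a reflected search page. A weak blacklist filter and a proper output-encoding filter sit in front of the same template; a static check walks the handler's source and can only report whether a filter is in the data path, while a dynamic check runs attack payloads through the live handler and reports which ones come back as executable markup. A WAF-style rule in front of the unchanged handler plays the role of the virtual patch described above. The handler names, the payloads and the percent-encoded bypass are all constructed for this demo.

```python
"""Added example, not from the article: static vs. dynamic testing of a web
handler, plus a WAF-style virtual patch. Handler names and payloads are
constructed for this demo."""
import ast
import html
import inspect
import re
import textwrap
from html.parser import HTMLParser
from urllib.parse import unquote


# --- the application under test -------------------------------------------
def weak_sanitize(value: str) -> str:
    """Blacklist filter: strips the script tag once, case-insensitively.
    A single non-recursive pass, which is a common real-world mistake."""
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def strong_sanitize(value: str) -> str:
    """Output encoding: every HTML metacharacter is escaped, so input can
    never become markup, whatever tag or attribute it tries to smuggle in."""
    return html.escape(value, quote=True)


def render(q: str) -> str:
    return f"<p>Results for: {q}</p>"


def search_weak(params: dict) -> str:
    # The handler decodes the parameter itself, so a WAF that matches the raw
    # request never sees exactly what the filter sees.
    return render(weak_sanitize(unquote(params.get("q", ""))))


def search_strong(params: dict) -> str:
    return render(strong_sanitize(unquote(params.get("q", ""))))


# --- static testing: is a filter applied at all? ---------------------------
def static_check(handler) -> bool:
    """Walks the handler's AST for a call to any *sanitize function. That is
    all a source scanner can say: the filter is, or is not, in the data path.
    It says nothing about whether the filter actually works."""
    tree = ast.parse(textwrap.dedent(inspect.getsource(handler)))
    return any(isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
               and n.func.id.endswith("sanitize") for n in ast.walk(tree))


# --- dynamic testing: how good is the filter? ------------------------------
class _TagCollector(HTMLParser):
    """Records every element a browser would see other than the template's
    own <p>, and any element carrying an on* event-handler attribute."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "p" or any(name.lower().startswith("on") for name, _ in attrs):
            self.found.append(tag)


def is_live_markup(page: str) -> bool:
    parser = _TagCollector()
    parser.feed(page)
    return bool(parser.found)


PAYLOADS = [
    "<script>alert(1)</script>",                   # the one the blacklist knows
    "<scr<script>ipt>alert(1)</scr</script>ipt>",  # reassembles after one strip
    "<img src=x onerror=alert(1)>",                # no script tag at all
]


def dynamic_check(handler) -> list:
    """Runs each payload through the live handler; returns those that come
    back as executable markup."""
    return [p for p in PAYLOADS if is_live_markup(handler({"q": p}))]


# --- virtual patch: a WAF rule in front of the unchanged code --------------
RULE = re.compile(r"<\s*/?\s*[a-z]|on[a-z]+\s*=", re.IGNORECASE)


def virtual_patch(handler):
    """Rejects requests whose raw 'q' looks like a tag or an event handler.
    It inspects only the wire form, so an encoding the application decodes
    later slips through: it buys time, it does not fix the code."""
    def guarded(params: dict) -> str:
        if RULE.search(params.get("q", "")):
            return "403 Forbidden"
        return handler(params)
    return guarded


# Percent-encoded so the rule sees neither '<' nor 'on...=' but the handler does.
ENCODED_BYPASS = "%3Cimg src=x %6Fnerror=alert(1)%3E"


def survives_virtual_patch(handler) -> bool:
    return is_live_markup(virtual_patch(handler)({"q": ENCODED_BYPASS}))


if __name__ == "__main__":
    for name, h in [("weak", search_weak), ("strong", search_strong)]:
        print(name, "| filter applied:", static_check(h),
              "| payloads that get through:", dynamic_check(h),
              "| encoded bypass beats the WAF:", survives_virtual_patch(h))
```

Run stand-alone, the static check reports both handlers as filtered, which is exactly Pennington's point: it confirms the filter is applied and nothing more. The dynamic check is what separates them, letting the split-tag and `<img onerror>` payloads through the weak handler and nothing through the strong one. Put the virtual patch in front and all three payloads are rejected before the weak handler runs, but the percent-encoded variant still lands because the rule never sees the decoded value; the strong handler is safe with or without the WAF, which is why the fix has to end up in the code.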
The ultimate way to tackle the problem is to work with security frameworks within a strong software development lifecycle program. That is, integrate security into the application development lifecycle itself. This is done by including specific security-related activities into existing software engineering processes. This typically means identifying security objectives; applying secure design guidelines, patterns and principles; creating threat models; doing design reviews for security; doing code security reviews and testing; and then scheduling deployment reviews to ensure secure configurations.
“Ultimately, you need to build a whole program that involves all these technologies to address the problem,” says Pennington. “You almost have to build up the same kinds of security apparatus for web apps that correlate to security functionality on the network side.”