Vulnerability Management

Push comes to shove

Internet companies are banding together against a common enemy, says PayPal's Andy Steingruebl. Karen Epper Hoffman reports.

Andy Steingruebl wants you to know that he's a glass-half-full kind of guy when it comes to information security.

The reason for this optimism is not strictly rooted in the groundbreaking work that Steingruebl, senior manager of customer and ecosystem security for PayPal, and his team are doing to protect users from today's assortment of internet threats. It is also related to teamwork underway among the larger network of internet giants, PayPal included. There is a growing understanding that for one company to succeed in the hostile skies of cyber, everyone must chip in. 

No wonder Steingruebl is feeling confident about the future.

“It's easy to think of security guys as pessimists,” says Steingruebl. “I'm not.” 

Working to protect their own customers from all-too-common threats, like SQL injection and cross-site scripting, as well as collaborating with each other, PayPal and its peers are fighting a security war on multiple fronts. The good news is they may be winning. 

Despite admitted “scalability problems” as the internet expands exponentially, Steingruebl says security is becoming more and more important, and the web is getting safer. While common security threats do persist, he says that the industry has come a long way in its approach to contending with multiple vulnerabilities at once. 

“Worrying about one thing is just too narrow,” he says. “Attackers go to the lowest point across a multitude of fronts.” And, it's not just the technical pieces and the protocols that security executives are focused on, he adds. “You need to have a diverse approach, like an investment strategy.”

Part of this involves getting to the root of web security and focusing on core issues, where Steingruebl says the industry has had some good success. Embedding fundamental protections into the web and browsers themselves is key, he says. 

“One of the places where we have been spending a lot of energy over the past four years, which has come to the foreground, is with the issues around HTTPS…or SSL,” he says. The internet protocol HTTPS (HTTP over SSL) adds another element of security – the secure socket layer (SSL), which employs digital certificates so users can authenticate senders – to normal transmissions over the internet.

Steingruebl references the recent hacking tools – BEAST (Browser Exploit Against SSL/TLS) and CRIME (Compression Ratio Info-leak Made Easy) –  that were created in 2011, respectively, and 2012 by security researchers Thai Duong and Juliano Rizzo to showcase the vulnerabilities in the ubiquitous transfer protocol. For example, CRIME allows hackers to get access to encrypted web traffic by tricking a vulnerable browser into sending compressed encrypted requests to an HTTPS-enabled website and then exploiting the information that gets leaked. Similarly, BEAST enlists JavaScript with a network sniffer to decrypt encrypted cookies and hijack confidential sessions.

Meanwhile, Firesheep, an extension for the Firefox web browser that was released in 2010, uses a packet sniffer to intercept unencrypted cookies from social media websites, like Facebook and Twitter. This extension too was created to point out the risk of hijacking vulnerabilities inherent in HTTP. 

Steingruebl points out that threats like these have driven greater attention to the need for core web security and, for many security professionals, has increased the desire to collaborate. 

“There's been a slow but steady understanding here, but way more progress needs to happen,” he says. 

Additionally, PayPal has also played a major role in the drafting of HTTP Strict Transport Security (HSTS), a web security specification where the web server declares that a complying user (like a web browser) can interact with it only using secure HTTP connections. The HSTS specification was published in November, after being approved by the Internet Engineering Task Force (IETF) as a proposed standard. 

To that end, PayPal has been instrumental in helping develop a technical specification, DMARC (Domain-based Message Authentication, Reporting & Conformance). DMARC was created and is supported by a group of companies – including Google, Microsoft, LinkedIn, Facebook, Yahoo, Bank of America and JP Morgan Chase – to help mitigate potential vulnerabilities in email authentication protocols. In a nutshell, DMARC stardardizes how email recipients authenticate their email through traditional mechanisms. 

Michael Barrett, head of security for PayPal, sees such a development as a clear example of the commitment his company and the industry at large are showing for better web security. “At PayPal, we always try to build the safest products that we can,” says Barrett. “However, it became clear that there are issues with the web technology stack that prevent the ecosystem from being as safe as possible.”

Realizing that the company was in a position to lead change for a safer online environment, Barrett instructed his team to move forward for safer practices. “We have consciously taken aim at fixing a number of these open standards, and it's Andy and his team who are charged with doing so,” Barrett says. “Given their recent successes with such specifications as HSTS and DMARC, it's evident that they are gaining good traction in their efforts.”

Limiting ongoing threats

PayPal is not alone in its efforts to shore up web security. Sid Stamm, lead privacy engineer for Mozilla, says his company recognizes the importance of security both in its browsers and for its hosted web applications. “Mozilla web applications play critical roles and are trusted by our users to responsibly manage their accounts and user data,” Stamm says. As such, the browser developer employs a number of techniques across the company's secure software development lifecycle (SDLC) to reduce risk and minimize the likelihood that critical security vulnerabilities could be present in its web applications, he says.

For example, one pervasive technique used by hackers to attack data-driven applications is SQL injection. By including portions of SQL statements in an entry field, hackers can sometimes get a website to pass a new rogue SQL command on to its database. In effect, SQL injection exploits the vulnerability in the application's software. Another common class of vulnerability is cross-site scripting (XSS), where attackers inject client-side script into web pages so attackers can bypass access controls. In both cases, Stamm says, Mozilla has introduced guidelines that help mitigate these potential coding weaknesses. In the case of SQL injection, Mozilla supports parameterized queries (placeholders are employed for parameters and the parameter values are enacted upon execution), and to prevent cross-site scripting, it uses contextual-based output encoding (which gauges whether an untrusted string needs to be placed within an HTML document). 

“Further, within our secure SDLC, our security assurance team actively engages with developers throughout the entire [period] to perform threat modeling, code review and penetration testing,” says Stamm. “Our goal is to layer multiple approaches and techniques to deliver the most secure code possible.”

Stamm adds that the company is helping developers secure their own offerings from such vulnerabilities too. 

Mozilla is focused on helping empower web developers to secure their sites, he says, including helping to promote technologies such as HSTS and Content Security Policy (CSP), an added layer of defense that helps to detect and mitigate XSS and data injection attacks. These strategies allow security teams and developers to protect their sites' integrity with cooperation of web browsers, he says.

“[A] secure development program is more than just best practices for secure coding,” says Stamm. “We've developed a hardened base web application template so all of our developers are starting from a default-secure state that automatically leverages many of these security controls.” The hardened base template is called Mozilla Playdoh and is based on Django, the open source web application framework. Mozilla Playdoh is free and open for anyone to use or contribute to, Stamm adds.

Other security leaders see progress in this area as well. Jeremiah Grossman (left), founder and chief technology officer for WhiteHat Security, a Santa Clara, Calif.-based website security solutions provider, says a number of companies are making progress in limiting security vulnerabilities. During a webcast in December, Grossman pointed out that SQL injection, while still a prevalent threat, has finally slipped from the top 10 most popular web security attacks. “It may never go away entirely,” said Grossman, “but it's going down.” 

But, while some vulnerabilities may be abating, others are still emerging. In 2008, Grossman helped coin the term for another pervasive web security issue: clickjacking. According to Grossman, clickjacking is a simple technique to exploit. In these attacks, a web user is tricked into clicking on a link that appears to be legitimate, but instead embeds a redirect. The strategy can allow miscreants to activate a user's camera or access their information. 

“Facebook endures thousands of clickjack attacks every day,” says Grossman, adding that this type of attack also can be used, more subtly, for advertising fraud. “This will be with us for quite some time.” 

To defend against clickjacking, Mozilla supports X-Frame-Options, where website developers can add a page header to help detect and prevent the user interface of another web application to be presented to the user in a manipulated way, Stamm says. For its part, Google uses industry-standard defenses built into web browsers, along with with design-level mitigations, such as two-factor authentication, to validate user intent for sensitive actions, says Matt Moore, a security engineering manager for Google.

“Our view on fixing these web security problems is to look for ways we can not rely on every developer doing something right all the time or every consumer doing something right all the time.”

– Andy Steingruebl, senior manager of customer and ecosystem security, PayPal

Moore says that even the best processes may introduce some bugs. “We've thought very hard about the best ways to detect and fix these kinds of things swiftly,” he says. “Beyond conducting implementation and design-focused security code reviews, we develop our own state-of-the-art automated web application scanners and provide tools to our manual QA testers. We've designed our procedures to help us respond quickly – in many cases pushing changes to production systems in a matter of hours.”

However, one issue developers are continually faced with is the fact that technology evolution moves at a rapid pace. “Security teams need to quickly learn and understand new technologies, as well as the security implications they bring with them,” says Moore. For example, he says that over the past few years, development for complex web applications has become increasingly reliant on JavaScript. Subsequently, a number of vulnerabilities – such as DOM-based XSS, where an attack payload is instigated when the DOM (Document Object Model) environment is modified in a victim's browser – are becoming more prevalent. “Anticipating these trends and moving to mitigate risks before they are a big problem is key,” he says.

Google prefers to use technologies that are more secure by design and help the software developers avoid introducing new bugs, says Moore. Case in point: Google's HTML templating system encodes user input to separate it from database commands, thus making it less vulnerable to SQL injection.

Across the ecosystem

PayPal's Steingruebl says that although the efforts of individual companies are meaningful, it's the work of organizations collaborating – improving their offerings, creating and evangelizing solutions and raising awareness – that makes a big impact on bringing about an evolution safeguarding the web. The roots of this partnership started in earnest in 2006, when phishing was a new up-and-coming concern. “We realized that doing something about phishing…it needs to be across the ecosystem,” says Steingruebl. “A chain is only as strong as its weakest link.”

Working with other major internet companies is where the change needs to occur, he says, pointing out the attacks on domain registries and top-level domains outside the United States, in Turkey and Romania, as examples of how attacks on outside players can have a powerful ripple effect on the security at other major companies in other parts of the world. 

Stamm says Mozilla, like PayPal, is actively involved in a variety of organizations to promote and share advancements in security. “We regularly engage in public standards forums to design and deploy security protocols and other technologies with security in mind,” he says. 

Too, PayPal and Mozilla are both involved with the Open Web Application Security Project (OWASP), a nonprofit that brings companies together to improve the security of software. Stamm says Mozilla is always developing and sharing free tools in projects, like OWASP Zed Attack Proxy (or ZAP), which helps security teams and developers scan for vulnerabilities. Steingruebl says PayPal has played a pivotal role in helping form web security working groups at the IETF, and the World Wide Web Consortium (W3C).

Steingruebl says changing expectations have also colored web security efforts, giving his team a more realistic perspective. “Our view on fixing these web security problems is to look for ways we can not rely on every developer doing something right all the time or every consumer doing something right all the time,” he says. 

As well, Moore points out that vulnerabilities in web-client software remain a major concern. In many cases, he says, despite the best efforts of software engineers, the security of their web applications is undermined by poorly written web browsers or browser plug-ins. These problems can introduce threats, like universal cross-site scripting vulnerabilities, so that even if one application is free of XSS, other users might still be at risk. 

“This situation is slowly improving as client software security becomes more robust,” Moore says, “but it's still a large challenge for the industry.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.