TDR

Developers of Web 2.0 apps must build in security from the start

August 8, 2007

But this newer propagation method comes as no surprise to security experts who've been studying the many risks in Web 2.0. User-generated content of various, rich data types uploading to public web servers provides a new area on which to launch attacks against millions of members in these closed, trusted communities, they say.

"Web 2.0 is not a specific set of technologies and it's not well-defined, but it amounts to an increased share of data between the client browser and the service side application," says Tom Parker, senior research manager, Verizon Business. "In this sense, you're introducing more variables, which is increasing your attack surface."

The good news is that pros know a lot about popular attack types because these have been around since early web days. Now, though, they need to wrap those lessons learned into Web 2.0 application development lifecycles, which most organizations aren't doing, says Alex Stamos, founding partner, iSEC Partners, and a recognized speaker on Web 2.0 framework security.

And that's a problem because Web 2.0 vulnerabilities are not just a social networking problem anymore. They're quickly becoming an enterprise problem, and are already becoming strategic business drivers, particularly in the area of thick-client legacy upgrades, says John DeBenedette, vice president of information technology for Parsippany, N.J.-based INTTRA, which uses Web 2.0 in some of its e-commerce logistics applications for ocean carriers.

Nobody's broken down the number of new vulnerabilities introduced in Web 2.0 technologies because most reports focus on the browser vulnerabilities that are exploited. But a keyword search of "YouTube malware" brought up more than 2.3 million hits.

Escalation in web applications

Unsurprisingly, the growth in Web 2.0 coincides with new web application vulnerability escalation. According to Symantec's Internet Threat Report, web application exposures accounted for 77 percent of easily exploited new vulnerabilities in the last half of last year.

"[Web 2.0] puts radical trust in the data creators," says Dan Hubbard, vice president of security research at Websense. "A lot of this has roots in AJAX [Asynchronous JavaScript and XML], in particular, and object models like Microsoft's XML HTTP Request Object, because they allow web applications to interact with the client in ways that they couldn't previously."

Because these XML objects are wrappers around active code, the files inside those wrappers could contain malware that gets past traditional defenses. So enterprises must not trust the headers to accurately define the content inside, say experts. That means integrating their Web 2.0 applications into existing web security, says INTTRA's DeBenedette, whose company processes 10 percent of the world's container shipping.

"With frameworks like AJAX, which automate a lot of web development functions, you run the risk of bypassing your web server mechanics and security," he explains.

Ideally, most developers are already wrapping security into their Web 2.0 application development and lifecycle quality assurance programs the way INTTRA is. Sadly, say experts, this is not usually the case. In Web 2.0 application development, they say, security is largely overlooked.

"The real challenge of web application security is the push-or-die pace of code changes, which leaves no time for quality controls," says Jeremiah Grossman, CTO of Santa Clara, Calif.-based WhiteHat Security, which performs web application testing. "So my advice is to prioritize and start small."

Large companies can have tens of thousands of web sites, he continues, but maybe only 50 of them are taking or exchanging private data in any Web 2.0 kind of way. So, he advises, start by locating those critical applications, then stress test them to see how they stand up against olden day attacks, such as input validation, XSS, SQL injection, and cross-site request forgery (CSRF).

Watch your logs

Stamos predicts cross-site request forgeries to make a comeback in Web 2.0 technologies. While similar to cross-site scripting, cross-site request forgery doesn't require an attacker to inject unauthorized code into a website. Instead, it merely transmits unauthorized commands from a user the website trusts, which in the case of the social network, could be millions.

CSRF attacks are not well understood by web developers and few defense resources are available, experts say. Nor have organizations done a good job protecting their web applications against cross-site scripting.

"Until we make security as important to the development lifecycle as scalability and performance, we'll have all these vulnerabilities in web applications," says Mike Weider, the founder and CTO of Waltham, Mass.-based Watchfire, which makes automated vulnerability testing products. "Therefore, we need to make web application security a foundation of developers' curriculum."

Because of this threat landscape, reactive protections are also imperative, says DeBenedette. This means watching your logs for signs of trouble and snuffing it out as fast as you can.

In this way, his team was able to stop a "low and slow" information gathering attack on one of their clients two years ago and put an end to it.

"These Web 2.0 applications are creating a lot of back-end traffic talking asynchronously between the client and back-end server," he says. "I can't emphasize enough how important it is to utilize your access logs, application logs, traffic and IDS/firewall logs by tying them back to legitimate usage patterns and flagging anomalous behaviors."

- Deb Radcliff is a veteran security writer and vice president of publishing at The Security Consortium, a San Jose, Calif.-based security think tank and testing firm.

prestitial ad