As one security researcher told me not too long ago, we are in the “golden era of the web attacker.”
At the time, we had been talking about virtualization and some of the risks that go along with that hugely important technology. But, as this researcher cautioned, the focus here and now should be on the insecurity of the web.
Since that conversation some eight months ago, the web has only become a more threatening place. This is especially evident because of the uptick in legitimate websites being compromised to push malware. ScanSafe, earlier this month, reported a more than 400 percent increase.
What is necessary to stem the tide of web attacks? The consensus seems to be more secure code.
To this point, Microsoft this week issued a security advisory that offered companies free tools to scan for SQL injection vulnerabilities.
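To make concrete what "scanning for SQL injection" and "more secure code" mean in practice, here is an added example that is not from the original post and not from the Microsoft or Hewlett-Packard tools it mentions. It shows the injectable pattern (a query assembled by string concatenation) beside its hardened form (a parameterized query), and a crude source-review heuristic of the kind a code review might start from. The table, the user names and the sample source lines are all constructed for the example; it uses only Python's built-in sqlite3 module.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for a site's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """The injectable pattern: untrusted input is pasted into the SQL text,
    so quote characters in the input change the query's structure."""
    query = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(query)]


def lookup_user_parameterized(conn, username):
    """The hardened form: the driver binds the value separately from the SQL
    text, so the input is always compared as a literal string."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


# A crude review heuristic (constructed for this example): flag lines that
# contain a SQL verb and appear to build the statement with +, % or an f-string.
SQL_VERB = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
BUILDS_STRING = re.compile(r"""\+\s*["']|["']\s*\+|%\s*[\(\w]|\bf["']""")


def flag_concatenated_sql(source_lines):
    """Return 1-based line numbers worth a reviewer's attention.
    Heuristic only: it will miss and mis-flag things; it is a starting point
    for reading the code, not a substitute for it."""
    flagged = []
    for n, line in enumerate(source_lines, start=1):
        if SQL_VERB.search(line) and BUILDS_STRING.search(line):
            flagged.append(n)
    return flagged


# Constructed sample source lines to run the heuristic over.
SAMPLE_SOURCE = [
    'q = "SELECT * FROM users WHERE name = \'" + name + "\'"',  # concatenated: flag
    'cur.execute("SELECT * FROM users WHERE name = ?", (name,))',  # parameterized: ok
    'q = f"DELETE FROM sessions WHERE id = {sid}"',  # f-string: flag
    'print("hello " + name)',  # no SQL at all: ignore
]


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # well-known probe; the point is how each form treats it
    print("vulnerable:    ", lookup_user_vulnerable(conn, crafted))     # every row
    print("parameterized: ", lookup_user_parameterized(conn, crafted))  # no rows
    print("review flags lines:", flag_concatenated_sql(SAMPLE_SOURCE))  # [1, 3]
```

The parameterized lookup returns nothing for the crafted input because the driver never lets the input's quote characters reach the SQL parser; that separation of code from data is the whole of the fix, and it is what a scanner or a reviewer is looking for the absence of.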
ScanSafe’s Mary Landesman, as quoted in the company’s Security Threat Alert Team blog, thinks the free tools, one of which comes from Hewlett-Packard, could prove helpful.
Hopefully the end result will be far fewer compromised websites and a corresponding decrease in the number of password stealers and backdoors being foisted onto users’ systems when they browse the Web. In May 2008, the rate of Web-based exposure to password stealers and backdoors had increased 855% compared to May 2007 – largely a result of these ongoing SQL injection attacks.
Another development on the secure coding front is the new Payment Card Industry Data Security Standard section 6.6 guidelines, which take effect Monday. While they don’t necessarily address the possibility of an attacker compromising a legit website to spread malicious code, they do speak to writing secure web applications as a way to protect customers’ credit card information.
Under the rules, which are enforced by the payment card brands, merchants can either implement a web application firewall or conduct a code review.
Building secure code is more important than ever before. Let’s hope these recommendations (from Microsoft) and requirements (through PCI) give companies the nudging they so desperately need.