In-Depth

Web Security Remains Wild and Wooly

Getting into the sandbox might make you more secure

• By Chris DeVoney
• 10/09/2007

Last month I attended a presentation on Web security. If there was any good news, it was the weak humor of some Website hacks.

In one example, “Google is your security friend,” the following was entered into a search engine: site:domain.name cialis viagra. The domain name of choice was put in the obvious spot. The three possible results were not outstanding: No hits at all; Blogs or comment entries laden with spam; or a Web page with an inline-frame (IFrame) redirecting browsers to sites with ads for these drugs.

Although I couldn’t find a single hit using a sampling of Fortune 1000 firms, I found plenty of hits on blogs, wikis, and Web sites that accept user comments from people (or their automations) whose free time greatly exceeds their intelligence and, in some cases, their morals. I found hundreds of educational institution sites that are launch pads to erectile dysfunction ads. There was even one redirection on the Web site for the judicial courts for Washington state.

Every reader should periodically try a Google search against their own Web site and a few of their favorites. If you get hits, you know something is loose in your Web security.

Although the direction to some sites is particularly annoying, the same techniques that hijack your browser to those ads can also exploit you. It’s old news but construction and exploitation kits are being sold that plant or distribute malicious code on Web sites and their subsequent clients. Some names include WebAttacker, MPact, or R57 Shell. Many of these seek the holes in poorly configured, misconfigured, unpatched, or obsolete-software applications using Web sites running PHP, but many principles apply to other applications which do not.

Foundations such as PHP aren’t the only targets of attack. Frameworks such as ASP.Net and Java are also included. That's where a group such as Open Web Application Security Project (OWASP) Foundation comes in with standards, documentation, and tools.

Dinis Cruz is a security consultant for companies including Ounce Labs, the Web application scanner company, and he is also OWAPS’s chief evangelist. He makes a passionate argument for changes in Web application security.

Cruz thinks that review and auditing of applications is easier and more productive if programmers would isolate their I/O into one place/module in their code. When looking at structure, a program isn’t dangerous when computing. A program is dangerous when it moves data, such as manipulating disk-based or database files, or when moving data between keyboard and browser. Instead of ill-focused review of an entire program’s code base, the review can focus only where vulnerabilities may have an effect.

Cruz also calls for a paradigm change in frameworks best framed by the question: “Why does 100 percent of WinZip need access to everything?”

His case is that, in an ideal world, only 1 percent of the code does everything and the other 99 percent runs isolated in the sandbox. By knowing what specific resources are used by the modules, the OS should apply policies that stop malicious programs.

That’s an interesting idea. Wasn’t Java supposed to provide the sandbox? He retorts, “It’s just like .Net; it’s a great CYA strategy. but in the real world nobody uses it [the sandbox in either]. About everything is there, but we don’t focus on the industry, from the people writing code to the makers of the frameworks to use it.” Cruz makes a good point when talking about incorporating the sandbox and code identification hooks into the OS and environments. He thinks companies and institutions need to call the major vendors onto the carpet. “I challenge everyone to go to Microsoft and say, 'Hey, you’re telling me the key to using your OS for the next five years is not installing malicious code. So as long as I don’t install anything, don’t connect to the network, and don’t browse, I’m safe?' This is the Microsoft roadmap?

“I’ve argued this point with Microsoft for over three years, and if Microsoft had changed three years ago, we would be at a different place [in our security posture].”

Cruz is an equal-opportunity rabble-rouser. He tosses the same accusations at IBM and Sun for the same crimes.

Interestingly, he sees one hotbed of criminal activity, based on hacking and stealing, as parasitic to online gambling, where criminals can suck enough money to be profitable but not kill the host. The losses are considered just a cost of doing business.

Cruz’s top recommendations for corporations and institutions are:

1. It may be trite but businesses need to understand their risk.
2. Users must pay more attention to the software they purchase, and developers to the programs they are developing. Security only happens by design, not default. If you don’t ask for security, you won't to get it.
3. Apply pressure on the big companies (Adobe, IBM, Microsoft, and Sun, for example) to establish and use the sandbox.
4. Ensure security for the databases used by the auditors. Regulatory reporting, such as Sarbanes-Oxley, is about processes and all of it relies on database data.

Cruz suggestions are a bit of a mindbender, but when considering what has happened in the last five years with Web-based applications and their future, his into-the-sandbox thinking makes a case for better security.