In-Depth
Three Steps to Web Application Safety
With more than 100 million Web applications deployed in the world, perhaps fewer than 5 percent of are being tested for security vulnerabilities. We offer three simple steps to help you secure your Web applications.
by Mandeep Khera
With U.S. e-commerce retail sales climbing to a staggering $135B (see note 1) in 2007, overall e-commerce sales including B2B extending beyond a staggering $1 trillion (see note 1), and more than 238 million Internet users (see note 2), enterprises face a mammoth problem. In the 2007 holiday period alone, millions of U.S. consumers spent over $29B on online shopping.
Hackers haven’t spared any sector, attacking banks, government agencies, universities, retail, and consumer giants such as Google, Yahoo, and Ebay. While statistics from various sources differ, roughly 75 percent of all attacks are occurring at the Web application layer.
Why? Because that’s where the vulnerabilities are.
Although most corporations and government agencies have done a reasonable job of securing their networks with firewalls, intrusion detection and prevention systems, and securing event monitoring. Web applications have generally been ignored. In 2007, roughly 70 percent of new published vulnerabilities were related to Web applications. With more than 4,000 new Web application vulnerabilities detected in one year, you think it would sound a few alarms, but organizations have been using the snooze button when it comes to protecting their Web sites.
To understand how we ended up in this predicament, let’s briefly review the security issues that have been nagging IT organizations across the globe.
The 1980s were all about desktop security (such as viruses from Fish to Michelangelo); the 1990s brought a major thrust toward network security as hackers feasted on vulnerable networks. In the last 25 years, enterprises have spent billions of dollars to protect their desktops and networks (adding intrusion detection systems and firewalls), but very little effort has been put on securing Web applications. It’s like locking all the doors and leaving the house key under a transparent mat!
What have the companies done to address this problem?
Many Fortune 1000 companies (especially those in the financial services and e-retail sectors) have made serious efforts to test Web applications and fix vulnerabilities. Some, albeit a small number of corporations and mid-sized companies, have also started to assess their Web applications. However, with more than 100 million Web applications deployed in the world, we believe fewer than 5 percent of applications are being tested for security vulnerabilities.
The inertia in the small and mid-size business market can be traced to a lack of knowledge. Most of these companies still mistakenly believe that network firewalls, IDSs and even SSL can protect them from hackers coming through Web sites. The fact is that exploitation of Web applications by hackers cannot be stopped with these technologies.
What can organizations do?
By definition, Web sites are open so customers and partners can transact business with the enterprises. You can’t shut down the Web sites but you can do something to secure your applications.
Here are the steps companies should follow to address security issues:
Step 1: Assign an owner and a project team
The first step is to find a person who can be accountable for application security. For many companies, this is still an afterthought. Responsibilities are assigned to a network security or an operations person. Application security should not be an afterthought; it should be on the forefront. Having a dedicated person and a team is vital to solving this problem.
Step 2: Pick a solution
The owner and the team can decide on the solution, but must take care not to confuse the network vulnerability solutions with Web applications. There are a number of solutions available:
- Internal manual testing: Companies can use existing employees to do manual penetration testing of Web applications. Although this seems easy to implement, there are major problems with this approach: it’s very hard to find application security expertise as well as the length of time needed to assess the applications.
- Manual Pen-testers: Many boutique firms, as well as the “Big 4” accounting firms, are focused on providing application security assessment/pen testing services. These firms have retained expertise and can provide a strong solution. The downside is that it can be cost prohibitive and can take months to complete.
- Automated assessment solutions: There are a many strong, automated solutions available that can examine all your Web applications to find vulnerabilities. Source code scanners can go through raw code to find vulnerabilities early. The downside is that some scanners can deliver a large number of false positives and find only a fraction of the total vulnerabilities. Black box testing solutions, also known as dynamic testing or Web app scanners, attack applications through the user interface, truly emulating hackers. Some of these test in all critical lifecycle stages, including development, QA, and production.
- Software as a Service (SaaS): A few vendors, including some software vendors, offer SaaS or on-demand services that provide the expertise and resources remotely. With this option, customers don’t have to buy software or hardware. Customers do, however, need to be careful in selecting the right SaaS player. Some vendors don’t conduct extensive background checks on their employees, or they may hire fresh graduates, compromising the integrity of the process. Remember, you are letting a third party view sensitive vulnerability information -- this is acceptable if the vendor has taken precautions to protect your information as their own. Furthermore, the SaaS model doesn’t fit in with all corporate cultures. Some companies, regardless of their size, don’t outsource most of their security functions.
The ideal solution depends on your environment and objectives. For example, if you are a small to mid-sized company, a SaaS model might be the best option. If you are a large corporation, an enterprise software solution with a combination of on-demand services to offload extra workloads would be ideal.
Step 3: Fix the vulnerabilities
Now that you know what the problems are, you have to put a strategy in place to fix them. First, prioritize your vulnerabilities. Some vendors help you do this by providing a quantitative score to vulnerabilities. Next, put a plan in place to fix the top vulnerabilities first. Until they are fixed you might want to take down the Web functionality if possible or use an application firewall to block attacks targeted at those vulnerabilities. The plan should call for ongoing continuous testing of all Web applications including those that are already deployed in production (often the majority of a company’s applications).
Cybercrime Today
Cybercrime has grown. Just two years ago, “script kiddies” and “click kiddies” were attacking the Web sites to show their prowess in hacking. In 2008, there are many organized hacking groups, some with the political backing of foreign governments and others driven purely by financial motives. There are millions of attacks attempted every day at companies of all sizes as well as many government agencies. Many of these attacks are successful and often the organizations are oblivious to the intruders sometimes for many months. Under government regulatory requirements, once an attack is discovered, companies must publicly disclose it and remedy the situation, which can be expensive.
If you are a senior security executive at a corporation or a government agency, you can proactively start testing your Web applications for vulnerabilities by using one of the options we’ve described, or you can be hacked. The choice is yours.
Note 1: Source: U.S. Department of Commerce
Note 2: Source: Nielsen/Netratings
- - -
Mandeep Khera is the vice president of marketing at Cenzic, an application security and risk assessment solution provider. He has more than 21 years of diversified experience in marketing, engineering, business development, sales, customer services, finance and general management. You can reach the author at [email protected]
.