As you can see, I spend most of my time thinking about Web Application Security and what is going on in the world to do with this. (It’s my job!) Even if it isn’t your job, just a little research into web security and you will look at the WWW in a whole new way. Every day we are reading about new attacks on prominent websites; just yesterday we heard of the CBS website being attacked by Russian hackers. In this case they were able to distribute malware to visitors to the CBS website. (Read Article)
So why is it we have to do more about web application security?
Security risks are getting greater every day and they will continue to grow as we go into 2009 and beyond. 7-10 years ago, hackers were out for a little individual fame. They might hack into a site, change some text or maybe an image and then go boast to their underground friends. The cost to the victim was minimal, more of an inconvenience. As we all know, over the last few years what we can do on the web has become a whole lot more sophisticated, and with this we entrust a whole lot more personal, confidential information to the web world. We bank online, apply for credit, shop online, and the organisations we entrust all this information to transfer it internally across the web. As we, the end users, have changed our patterns and increased our use of the web, the cyber criminals have increased their exploitation of the web at an even greater rate. Hacking is now an industry and it is growing. The cost to an organization can be large not only in money but also in loss of face. Yes, there are more and more regulations out there that require organizations to meet higher security standards, but there is a whole lot more we can do as organisations and individuals.
For the last 15 years organizations have spent millions of dollars securing the perimeter of their organizations with firewalls and their servers with things like Intrusion Prevention Systems (IPS). Everyone has done a pretty good job of this and we could almost go as far as saying that the network and servers have been locked down. Millions of dollars well spent! However, the inherent architecture of the web opens holes in these systems. For example, you need to open port 80 or 443 (SSL) to enable web traffic to come into your organization. By allowing your trusted users to come in through these ports, you are also allowing hackers access to your systems. (In fact hackers love SSL. Because the traffic is encrypted, a network IPS cannot inspect it, so they can attack the application undetected!) Organizations need to shift their focus and invest in securing their applications to combat this. With many shifting to Web 2.0, the perimeter has just shifted, putting more control in the hackers' hands. (I think a future blog post is required here)
So, how do you secure your applications?
Almost all web application security vulnerabilities lie within the code itself. Yes, you guessed it (well, at least I hope you did): security vulnerabilities are a code defect. You need to write secure code! Simple! Not really... we have a problem here. We have a gap. Security specialists know security but they don’t know the code, and developers know the code but they don’t know security. This is where organizations need to mandate secure coding practices and build this in as part of the Security Program. Educating about and eliminating the OWASP Top Ten is a good start. To aid developers there are a number of solutions out there that developers can use to scan and validate their code and at the same time teach them secure coding. (HP DevInspect is an example)
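To make the "a vulnerability is a code defect" point concrete, here is an added example (mine, not from the original post or any HP product) showing one OWASP Top Ten class, injection, as a defect in a single function beside its fix. The table, rows and the `sqlite3` in-memory database are constructed for the demonstration; the same pattern applies to any database driver that supports parameters.

```python
import sqlite3

# Constructed sample data: a small users table in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "admin"),
         ("bob", "bob@example.com", "user")],
    )
    return conn

def find_user_vulnerable(conn, name):
    # The defect: untrusted input is pasted into the SQL text, so the
    # caller's data can change the meaning of the query (injection).
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_fixed(conn, name):
    # The fix: a parameterised query. The driver passes the value
    # separately from the SQL text, so input can never become SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def compare(name):
    # Run both versions on the same input so the difference is visible;
    # returns (rows from vulnerable version, rows from fixed version).
    conn = make_db()
    return find_user_vulnerable(conn, name), find_user_fixed(conn, name)

if __name__ == "__main__":
    # A normal lookup behaves the same in both versions ...
    print(compare("alice"))
    # ... but malformed input only affects the defective one: the fixed
    # version simply finds no user with that literal name.
    print(compare("x' OR '1'='1"))
```

A code scanner of the kind mentioned above flags the string concatenation in `find_user_vulnerable` at development time, long before a penetration test or a real visitor would exercise it.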
Addressing web application security at the development level is a good approach, but to ensure your organization is best protected, and to complement secure coding, you should also check your applications for vulnerabilities during QA as well as post production (new vulnerabilities are discovered every day). An organization serious about web application security should implement a combination of manual penetration testing and web vulnerability scanners (HP has one of these also :)) at these points.
Last year the Web Application Security Consortium did a study of almost 32,000 websites. Over 85% of these websites had a vulnerability that could give hackers the ability to read, modify and transmit sensitive data.
Are you secure? Do you actually know?