If your company has a monthly comprehensive Web-site security assessment and conducts weekly scans, you can stop reading right now. You already understand the challenges of application security and the risks of ever-changing Web-site code. The rest of you, read on.
Unfortunately, intruders are well aware that many companies' Web-site security is not up to par, and they are exploiting flaws faster than system administrators can close them. A report published by Gartner states that 75 percent of cyberattacks occur at the application layer. In fact, the Federal Trade Commission (FTC) has already filed charges against Guess? Jeans and Victoria's Secret for weaknesses that exposed private customer information to a third party. As part of the FTC's push for consumer-privacy protection, the settlements forced the two companies to establish and implement comprehensive security programs. This reinforces the fact that Web-security assessments are a crucial part of a security policy.
The security incidents investigated by the FTC had one thing in common: The custom Web applications that ran the online stores were insecure. Using nothing more than a standard Web browser, the intruders passed straight through the firewall (which had to let Web traffic in), were unhindered by SSL and exploited a weakness in the Web-site code that gave them access to credit-card numbers, order information and other private customer data.
Why Are Web Sites Insecure?
Web applications are insecure for three main reasons:
- Web-site code is frequently updated with new features and enhancements. Every new line of code has the potential to introduce a new security weakness. This has become a fundamental cause of Web-site compromise and online fraud. No matter how insignificant a new feature may seem, its potential impact on security must be considered.
As businesses react to customer demands, Web-site code is updated regularly. Web sites are adding shopping carts, wish lists, customer-feedback forms, one-click buying, user accounts, order tracking, user tracking, polling, advanced search and hundreds of other features. Management constantly pushes to ship new features by the deadline regardless of the security implications. This is the status quo for many Web-development groups.
Also, network-security scans do not detect weaknesses in online banking applications, e-commerce engines, online auctions or any other custom code on the Web site. More chief security officers are becoming aware of this gap and are having Web-security assessments performed several times a year in addition to network-security assessments. In this way, no new code that can cause trouble slips through the cracks.
- Traditional security solutions, such as firewalls and Secure Sockets Layer (SSL), do not protect a Web site from being compromised. A firewall is used to separate the outside world from a protected network. Like a security guard at the front gate, a firewall protects the perimeter from trespassers. The guard checks each visitor and lets through only those who are legitimate. But a public Web site must be reachable by the entire world, so the firewall is configured to let everyone through to it. While not everyone can use the network printer, they can certainly explore every corner of the Web site.
Also, like the security guard, a firewall has no idea what visitors are doing once they are past the gate and on the inside. The firewall cannot determine whether a visitor is buying a CD or stealing credit-card numbers; to the firewall, both are ordinary Web requests to the same server on the same port. The guard is stuck back at the gate checking IDs, and everyone on the inside is free to do as they please.
SSL is a misunderstood security measure. It normally serves two functions: The first is to authenticate the server, so that the browser knows it is talking to the site it claims to be and not to an impostor in the middle; the second is to encrypt the information the Web site is given (credit-card numbers, Social Security numbers, etc.) so that it cannot be read in transit. However, SSL says nothing about how secure the Web application itself is or how it safeguards that data once it arrives.
- Automated security-testing tools only solve half the problem. The average corporate network is a collection of familiar hardware and software installations: firewalls, Windows machines, Linux boxes, SQL servers, print servers and a handful of other garden-variety devices. With minor configuration changes, these products fulfill the basic needs of almost every company. As a result, most companies run the same products at the network layer, which makes vulnerability scanning easier: A scanner can recognize a known product and version and check it against a list of known flaws.
But for a Web site, unique customer interaction is a central requirement and typically can't be offered by off-the-shelf software. Every function behaves differently from one Web site to the next. To get a sense of this diversity, visit Netcraft (news.netcraft.com), which has excellent surveys for reference. Netcraft continually inspects nearly 46 million Web servers for bits of information. How many of those Web sites do you think are the same? Or how many will remain the same as time goes on? The short answer is that Web sites are more diverse and change at a higher rate than your standard network.
This is why network-vulnerability scanners can identify 95 percent of the vulnerabilities on the network, while Web-application scanners struggle to identify 50 percent: The scanner has no list of known flaws to check a one-of-a-kind application against. Given these circumstances, it's ridiculous to expect a scanner to find all problems in all, or even most, Web applications. Web-security experts working alongside a vulnerability scanner must pick up the rest. As your Web site is updated, so, too, should your Web-security assessment be.
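The firewall and SSL discussion above can be made concrete. The following is an added illustration, not code from the original article or from any of the companies it names, and the flaw it shows is a generic one chosen for the example, not the specific weakness in the FTC cases: the same order-lookup page written twice, once trusting the order number in the URL and once checking that the order belongs to the logged-in customer. The store data, the customer names and the request structure are all constructed for the example. The firewall lets both versions through because it must admit Web traffic, and SSL encrypts both equally; only the application code decides whether one customer can read another's card number.

```python
"""Added example: an order-lookup handler with and without an authorization
check. Everything here (data, names, Request shape) is constructed; it is not
the original article's code or any real store's code."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: two customers' orders in an online store.
ORDERS = {
    1001: {"customer": "alice", "item": "jeans", "card": "4111111111111111"},
    1002: {"customer": "bob", "item": "sweater", "card": "5500000000000004"},
}


@dataclass
class Request:
    """A request as the application sees it after the firewall and SSL have
    done their work: who the session belongs to and what the URL asked for."""
    user: str            # customer the session is logged in as
    order_id: int        # value taken from the URL, e.g. /order?id=1001
    over_tls: bool = True


def firewall_allows(port: int) -> bool:
    """The perimeter decision. A public Web site must accept everyone on the
    Web ports; the firewall never sees what the request is asking for."""
    return port in (80, 443)


def lookup_order_vulnerable(req: Request) -> Optional[dict]:
    """Trusts the id in the URL. Any logged-in customer can read any order,
    including another customer's card number, just by changing the number."""
    return ORDERS.get(req.order_id)


def lookup_order_hardened(req: Request) -> Optional[dict]:
    """Checks that the order belongs to the session's user and returns only
    the last four digits of the card. Same firewall, same SSL, different code."""
    order = ORDERS.get(req.order_id)
    if order is None or order["customer"] != req.user:
        return None  # answer "not yours" exactly like "does not exist"
    return {"item": order["item"], "card": "*" * 12 + order["card"][-4:]}


def simulate(handler: Callable[[Request], Optional[dict]],
             req: Request) -> Optional[dict]:
    """Runs a request through the perimeter and then the handler. Whether the
    request was encrypted changes the port, not what the handler receives."""
    if not firewall_allows(443 if req.over_tls else 80):
        return None
    return handler(req)


if __name__ == "__main__":
    # Bob, logged in as himself over HTTPS, asks for Alice's order.
    attack = Request(user="bob", order_id=1001)
    print("vulnerable:", simulate(lookup_order_vulnerable, attack))
    print("hardened:  ", simulate(lookup_order_hardened, attack))
```

The hardened handler answers a foreign order number the same way it answers a nonexistent one, so an intruder walking through order numbers cannot even learn which ones exist, and it never returns the full card number to the browser at all. Neither improvement is visible to a firewall or to a network scanner; both have to be reviewed in the application code.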
The Bottom Line
Securing a Web site requires hard work and diligent effort. It means implementing and enforcing a comprehensive security policy and having frequent Web-site security reviews. It means paying attention to detail and staying on top of every change. Organizations that conduct business online owe their customers a high degree of security and privacy for their personal data. To improve your security standing, take the following steps:
- Consider security implications from the beginning of the application-development process.
- Involve the security staff throughout all stages of the application-development process.
- Perform a security assessment at least once a quarter, or more often depending on how quickly the software changes. All code will contain bugs; experienced Web-security staff can find them before an intruder does.
- Perform an automated security scan at least twice a month or as applications change.
- Choose a security scanner that covers the full range of technical Web-security issues. It should be able to handle large Web sites, maintain a logged-in state while it scans, produce a low volume of false positives and be kept current.
- Maintain a current patch level on at least all of your externally facing Web and application servers.
Jeremiah Grossman is the founder and CEO of WhiteHat Security.