TEN THINGS YOU SHOULD KNOW ABOUT WEB APPLICATION SECURITY

APRIL 2006 Jeremiah Grossman

Founder and CTO, WhiteHat Security

A WHITEHAT SECURITY WHITE PAPER

Copyright © 2006 WhiteHat Security - www.whitehatsec.com


Introduction

Phishing schemes. Stolen credit card numbers. Identity theft. Web applications have emerged as the target of choice for money-hungry hackers. Attacks have moved from the network to the everyday web applications that people use to manage their lives: online shopping and banking, healthcare information management, insurance payments, travel booking and college applications.

The ramifications for companies are clear: loss of data, loss of consumer confidence and loss of brand integrity. No company can afford the black mark of a website hack. With many states mandating full disclosure, and the federal government close behind with its own efforts, the luxury of keeping these incidents behind closed doors has passed. Organizations must develop a strategy for web application security.

How can companies prevent these attacks? The first step is to understand the fundamentals. This white paper will examine ten vital web application security issues that affect software developers and information security professionals. Grasping these points will enable companies to understand the scope of the problem, and establish realistic approaches for securing websites. Consider these ten points a springboard for further exploration of web application security so that your organization and customers can avoid being victimized.

Ten Things You Should Know About Web Application Security

1. The Network Perimeter is Vanishing

Companies can no longer tout a locked down perimeter as the ultimate defense. Hundreds of millions of people worldwide use the Internet to bank, shop, purchase goods and services, and perform research. With each transaction, private information, including names, addresses, phone numbers, credit/debit card numbers, and passwords, is routinely transferred and stored in a variety of locations. To enable this flow of information, organizations must open up their firewalls, the very devices once thought to offer impenetrable protection. Billions of dollars and millions of personal identities and private information are exposed to hackers who find their way in through security vulnerabilities in web applications.

From a security perspective, firewalls and SSL offer little protection. Web traffic often contains attacks such as Cross-Site Scripting and SQL Injection that enter through Port 80 and are not blocked by the firewall. Contrary to a popular market misconception, SSL is not capable of securing a website, but instead is tasked with safeguarding data in transit. Once data is on the web server, it can be compromised whether or not SSL is in use.

Web application security is a specialized practice that focuses solely on the custom applications that sit on corporate web servers. Network scanning covers packaged, off-the-shelf applications. Applications developed in-house need custom security to fend off the attacks that bypass the network perimeter.



2. Over 80% of Websites have Security Vulnerabilities

Consider the fact that 8 out of 10 websites visited each day have a serious security vulnerability that puts corporate and customer data at risk. Add to that the irreparable harm done to a company whose brand is compromised by a publicized attack. It’s a call to action for any company doing business on the Web.

WhiteHat Security assesses the security of some of the largest and most visible websites in the e-commerce, financial services, and healthcare industries. Based on the aggregate data of thousands of website assessments, we've determined that over 80% of websites have vulnerabilities. These vulnerabilities enable a hacker to access customer account data, execute administrative-level functions, defraud the business, or halt operations, all serious business impacts.

Website vulnerabilities fall into twenty-four classes, as determined by the Web Application Security Consortium. Within those classes, there are vulnerabilities from the common, like SQL Injection and Cross-Site Scripting to the obscure, like Abuse of Functionality and Insufficient Process Validation. The most important thing to remember here is that when you’re talking about custom application vulnerabilities, they will be unique to your website. And, it takes a joint effort between the development and security teams to identify and resolve issues.

3. Faulty Input Validation is the Leading Cause of Web Application Vulnerabilities

User-supplied input must never be trusted, or more specifically used, until its integrity has first been validated. User-supplied input includes query strings, POST data, cookies, referers, and any other information not originating from the website itself. This is the most important lesson for developers to learn in creating solid web application code. No other defense is a substitute. We've seen that by following a few simple guidelines, security and code quality can be improved many times over.

Guidelines for User-Supplied Input

Character-set: Only accept data containing a strictly limited and expected set of characters. If a number is expected, only accept digits. If a word, only letters.

Data Format: Only accept data in the proper format. If an email address is expected, only letters, numbers, the at symbol (@), dashes, and dots in the proper arrangement should be accepted. This includes enforcing minimum and maximum length restrictions on all incoming data. This technique should be used for account numbers, session credentials, usernames, etc. It limits the potential entry points for incoming attacks.

Escaping: All special characters in incoming data should be escaped to remove any additional programmatic meaning they would otherwise carry (for example in HTML or SQL).
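The three guidelines above, worked through as an added Python example (not code from the white paper): allow-list validation of character set, format and length, HTML escaping for output, and a parameterised database query so validated input can never acquire SQL meaning. The field rules, table and sample values are constructed for illustration.

```python
import html
import re
import sqlite3

# Allow-list rules per field: (pattern, minimum length, maximum length).
# The patterns and limits are constructed for this example.
RULES = {
    "account_number": (re.compile(r"^[0-9]+$"), 6, 12),
    "username": (re.compile(r"^[A-Za-z]+$"), 3, 32),
    "email": (re.compile(r"^[A-Za-z0-9.-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"), 6, 254),
}


def validate(field, value):
    """Return the value if it satisfies the field's allow-list rule, else None.

    Rejection, not cleanup, is the default: anything outside the expected
    character set, format or length range is refused before it reaches
    application logic.
    """
    pattern, min_len, max_len = RULES[field]
    if not isinstance(value, str) or not (min_len <= len(value) <= max_len):
        return None
    if not pattern.fullmatch(value):
        return None
    return value


def escape_for_html(value):
    """Escape characters that carry meaning in HTML, so reflected input
    renders as text rather than markup (the Cross-Site Scripting case)."""
    return html.escape(value, quote=True)


def lookup_account(conn, account_number):
    """Validate first, then query with a bound parameter so the value is
    passed as data and never parsed as SQL (the SQL Injection case)."""
    clean = validate("account_number", account_number)
    if clean is None:
        return None
    row = conn.execute(
        "SELECT owner FROM accounts WHERE number = ?", (clean,)
    ).fetchone()
    return row[0] if row else None


def demo_db():
    """Constructed in-memory table used to exercise lookup_account()."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (number TEXT, owner TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('123456', 'alice')")
    return conn
```

Note that the email pattern is deliberately strict rather than RFC-complete; the page's point is to accept only the expected arrangement of characters, not to parse every legal address.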



4. Defense-in-Depth Protection is Necessary

As we’ve seen too often in the news, even companies with vast resources and large security teams can fall prey to hackers. If these high-profile organizations still fall short, how does the average online business protect itself or its customers? The answer is Defense-in-Depth.

Defense-in-Depth is a practical approach to information security that the industry has come to rely upon. The fundamental concept is that there should be multiple layers of security protecting your assets. Layers of security include input validation, database layer abstraction, server configuration, proxies, web application firewalls, data encryption, OS hardening, etc. Once in place, it is necessary to frequently test the security of those layers. The reasoning behind Defense-in-Depth is that if any layer is breached, there is another layer in place preventing compromise. With Defense-in-Depth, the risks associated with security lapses are significantly mitigated.

5. Many Vulnerabilities in Production Sites Do Not Originate in Development Code

One approach to identifying security vulnerabilities in software is to examine the code for risk-prone operations prior to deployment. While the process is valuable, this alone does not provide a timely or complete picture of security. The execution structure of the code might not be apparent, and the interplay of functionality with other parts of a web application might introduce new vulnerabilities. The more complex the system is, the greater the odds that a vulnerability will be missed.

It is difficult, if not impossible, to keep production systems and quality assurance (QA) systems in perfect sync. This presents a unique challenge to developers and security professionals. WhiteHat routinely identifies forgotten backup files, debug code, logic flaws, and configuration differences between various systems. Based on our experience, WhiteHat recommends assessments be performed both before and after new code is released. This policy ensures when the rubber meets the road, you’re protected.

Companies cannot risk exposure by missing production vulnerabilities. Hackers find their way in through production sites. Production sites must receive at least the same, and preferably more extensive, security reviews than the development/QA sites.

6. When Web Application Code is Updated, Security must be Assessed

The fast-paced world of online business requires organizations to constantly develop new web-based promotions, products, and services to attract customers. This creates a high-pressure environment for developers responsible for new web application code.



Push now or die is the mantra. And the addition of even the smallest piece of code could negatively impact the overall security of a website. To maintain control, organizations must create a process or find an expert to identify vulnerabilities so that they can be resolved.

Many companies perform quarterly or annual web application assessments, yet like many WhiteHat customers, they push new code once a week. That’s like opening up access to a company’s data for most of the year. Knowledge is power in the vulnerability management arena. If developers and the security team know the risk they’re facing they can prioritize remediation and avoid a potential disaster.

For example, cross-site scripting, once thought of as a medium-severity vulnerability by many companies, has started to turn heads. By far the most prevalent website vulnerability in WhiteHat's experience, cross-site scripting has received newfound attention because of a new generation of viruses and worms capable of propagating at rates unheard of even a few years ago. A cross-site scripting worm shut down MySpace.com, the 32-million user social networking site, for 24 hours. The lost revenue and customer confidence were only part of the impact. It served as a wake-up call for the industry. Once identified, cross-site scripting is easily eliminated from a site. The trick is to know that it's there.

7. Websites Accepting Credit Cards Need Web Assessments for Industry Compliance

The Payment Card Industry Data Security Standard (PCI), co-developed by VISA and MasterCard, is designed to ensure the security of cardholder data across its merchant websites. PCI defines a set of requirements for how cardholder information is to be protected and how compliance is to be assured.

PCI requires merchants to have their publicly facing networks and websites tested every 3 months by a certified vendor. PCI compliance assures merchants and the credit card brands that no serious vulnerabilities are present and consumers can shop with confidence.

Even if your company does not retain cardholder data, the standard applies. Most likely, you are guarding sensitive customer information like user names and passwords, social security numbers, healthcare information, etc. The price of non-compliance can be steep, ranging from large fines to revocation of VISA or MasterCard privileges. Imagine the devastating impact on an e-commerce website that can no longer accept VISA or MasterCard payments.



8. All Software has Flaws

The awful truth is that all software has bugs and all systems have weaknesses. This is the reality of software, no matter how robust our architecture designs or how intensive our quality assurance process. Even Microsoft's "Trustworthy Computing" and Oracle's "Unbreakable" campaigns have been unable to achieve anything close to 100% secure code.

Given that, expect your custom web application code to have vulnerabilities. That's not the problem. The issue is to be aware of and repair those vulnerabilities before an incident occurs. We advocate using tools to assess your web applications throughout the development cycle. Source code scanners can be very helpful to developers to identify specific problems.

The key is to understand that these tools are only valuable in conjunction with a security oversight program for production web applications. WhiteHat’s customers are among the most security-conscious enterprises in e-commerce, financial services and healthcare. They understand that even the most diligent development team can produce vulnerable code. The mistake many companies make is to expect the opposite and jeopardize their security.

9. Resolving Web Application Security Issues Requires Updates to Custom Code

While on the surface everyone understands that network vulnerabilities differ from web application vulnerabilities, the difference becomes even more apparent when we examine the work required to remediate them. Most security professionals are familiar with the patches available for network vulnerabilities. However, a key difference in web application security is that each vulnerability fix requires updates to custom code. Continuing with this line of thinking, it follows that each repair requires a code push that could introduce another vulnerability. So, while there may be fewer web application vulnerabilities, the means of remediation is more complex. Therefore, it is imperative to continuously assess the impact of each fix to maintain secure applications.

10. Comprehensive Assessments Require Scanning and Expert Testing Methodology

As mentioned earlier, the Web Application Security Consortium has established a threat classification of 24 classes of web application attacks. These are the means that hackers use to access corporate web applications every day. IT security teams need a consistent flow of information to assess their risk posture and successfully defend against attacks.

The best way to obtain that information is to conduct comprehensive assessments of all web applications as often as the code changes. For WhiteHat customers, that is typically once a week. It is also critical to understand that no scanner can identify all 24 classes of attack. Scanners can find technical vulnerabilities, those coding errors that can enable attacks like SQL Injection, cross-site scripting, and others. However, logical vulnerabilities, those errors that require a contextual evaluation and manipulate application business logic, resulting in false account creation, user impersonation and unauthorized funds transfer, among others, require a security expert for validation. These logical flaws include insufficient authorization, insufficient authentication and abuse of functionality. The most effective method for identifying both technical and logical vulnerabilities is the combination of automated testing and expert analysis on a continuous basis.

Conclusion

Of course, there are hundreds of things to know about web application security, not ten. We’ve illuminated ten points to assist companies in creating a web application security strategy that works. Whether a company is evaluating web application security for the first time, has had one-time assessments performed by consultants, or uses a web application vulnerability scanner, the keys to effective web application security are comprehensiveness and consistency. To address the issues discussed in this white paper, the security and development teams need to be able to identify vulnerabilities in development and production and fix them efficiently.

WhiteHat Security is the first and only company that provides a cost-effective, comprehensive, timely and accurate solution for web application vulnerability assessment and management. WhiteHat Sentinel, our flagship service, is the only solution today built to scan production websites, the place where hackers enter a company. No investment in hardware, software or personnel is required. WhiteHat Sentinel offers continuous website assessment to ensure maximum coverage, identifies 50% more vulnerabilities than scanning tools to ensure comprehensive assessments, and verifies all scanning results to eliminate false positives and provide only actionable information to customers. WhiteHat Sentinel enables companies to find the holes in their websites before hackers do.

###

About the Author

Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security, where he is responsible for web application security R&D and industry evangelism. As an industry veteran and well-known security expert, Mr. Grossman is a frequent international conference speaker at the BlackHat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr. Grossman's research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, BetaNews, etc. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.

FOR MORE INFORMATION ABOUT WHITEHAT SECURITY, PLEASE CALL 408.492.1817 OR VISIT OUR WEBSITE, WWW.WHITEHATSEC.COM
