Tuesday, July 11, 2006

Securing 88,166,395 sites

According to Netcraft's July 2006 Web Server Survey there are 88,166,395 sites, an increase of 2.87 million from the month of June. That’s an astounding 95,000 new sites per day! I’ve frequently discussed that roughly 8 in 10 websites have serious vulnerabilities. Talk about a hacker paradise. Scammers, phishers, carders, blackhats (not the conference), or lets just call them criminals know this well. They are reaping the rewards at our expense. With the help of disclosure laws, its no wonder everyday reports break about new website hacks. We know all this stuff already, but what we can do about it?

What are we going to do about the security nearly 90 million websites?

Some say, "security in the Software Development Life-Cycle (SDLC) will save us." A development process of creating solid code from the beginning. It has the benefit of producing quality code and that has less bugs. Less bugs = more secure. More secure = harder to hack. Harder to hack = good. No argument there. Though we have to be pragmatic. Planning to be bug-free and requiring developers to write 100% secure code is not a reasonable request. It doesn't mean they don't want to, its because its REALLY REALLY hard, maybe impossible. Furthermore, proving if code is bug-free (secure) is impossible. This is one of those undecidable halting problems.

Remember we’ve been dealing with Buffer Overflows for 20 years (maybe more) Will it be any different for Cross-Site Scripting? I don't think so. Lets face it, no matter how hard we try, software will always have bugs and therefore security vulnerabilities. To say nothing about the fact we'll NEVER go and recode all 88,166,395 websites. That’s just a plain silly assertion people make. What we really need to know is WHERE and HOW our existing websites are vulnerable. And also stay on top of the daily code updates. Then we can make intelligent decisions and measure our success.

Secure code is one thing we can do, another is implementing a strategy of defense-in-depth. One in which Web Application Firewalls (WAF's) are a part of. I routinely recommend ModSecurity for anyone using Apache (it’s on every one of my installs). WAF’s have the benefit of protecting web applications that may or may not be vulnerable to something. Sure, they are not perfect and have many negative side effects. Though when implemented properly they provide that extra protection that could very well keep you out of the headlines.

In any event, I’ll continue recommending web application security assessments, otherwise how do you know if your website is secure or not? It could be when some web hacker does it for you by alerting the media.

No comments: