Monday, September 25, 2006

Symantec and Mitre agree, it's all about the web apps

The information security world is buzzing with web application security news. Headlines pour in daily about web worms, intranet hacking, JavaScript malware, hacking AJAX websites, XSS vulnerabilities published openly on major websites, and the open source WAF ModSecurity being acquired. It’s a lot to keep up with. Two years ago we were amazed to see an article a month, and if two came back-to-back we said, “look, a trend!” Today Symantec releases its Internet Security Threat Report for the first half of 2006, teeming with web application security data. Inside there is some highly revealing knowledge, and I’ll quote some of the interesting bits relevant to our space.
  • Web application vulnerabilities made up 69% of all vulnerabilities this period.
  • Seventy-eight percent of easily exploitable vulnerabilities affected Web applications.
  • Symantec documented 2,249 new vulnerabilities in the first half of 2006, “… an 18% increase since the second half of 2005.”
This is huge and something the experts have been screaming about for a while. Not only do web application vulnerabilities represent the vast majority of documented issues, they are also the easiest to exploit! The report then starts to answer some questions as to why.

The marked increase in the number of vulnerabilities can be attributed to the continued growth in those that affect Web applications.
The high number of these vulnerabilities is due in part to the popularity of Web applications and to the relative ease of discovering vulnerabilities in Web applications compared to other platforms. Additionally, Web applications generally have quicker release cycles than traditional desktop and server applications. This provides security researchers with a continually growing source of new applications to audit, particularly as, in many cases, Web applications do not undergo the same degree of quality assurance and testing as other applications.

More software, more vulnerabilities. Rapidly changing software, more vulnerabilities. No one checking for security, more vulnerabilities. Makes sense to me. The one thing left out is that web applications are where the money is. And as the report says, attacks are growing more targeted and financially motivated.

Web 2.0 security threats and AJAX attacks expected to increase.

Sheesh, can it get worse?

Symantec recommends that administrators employ a good asset management system or vulnerability alerting service and management system.

Tell them what they own and what risks are on the horizon.

Enterprises should devote sufficient resources to alerting and patch deployment solutions.

Yep, patch diligently.

If they are developing Web applications in-house, developers should be educated about secure development practices, such as the Secure Development Lifecycle and threat modeling. If possible, all Web applications should be audited for security prior to deployment.

Hey! That’s what I do for a living. WhiteHat Sentinel, continuous vulnerability assessment and management for websites. Thanks for the validation Symantec! :)

Symantec also recommends that before any Web service or application is implemented, it undergo a secure code audit to ensure that it is not vulnerable to possible attack.

This tip needs more clarity. Every business critical web application should undergo a source code review. For spotting things such as backdoors, nothing is better, but the question is how often. Personally I think source code reviews should be performed before an initial website launch and between MAJOR updates. Any more becomes highly cost prohibitive and, in my humble opinion, vulnerability assessments offer better ROI.


Anonymous said...

useful information blog,very good content.

Jeremiah Grossman said...

Thank you. :)