Dr. Nick: "With my new diet, you can eat as much as you want, any time you want!"
Marge: "And you'll lose weight?"
Dr. Nick: "You might! It's a free country!"
Dr. Nick Riviera (The Simpsons)
A common approach to vulnerability assessment (VA) is going after the so-called “low-hanging fruit” (LHF). The idea is to remove the easy stuff, making break-ins more challenging without investing a lot of work and expense. Nothing wrong with that, except that eliminating the low-hanging fruit doesn't really do much for website security. In network security the LHF/VA strategy can help, because that layer endures millions of automated and untargeted attacks using “well-known” vulnerabilities. Malicious attacks on websites are targeted: they use one-off, zero-day vulnerabilities and are carried out by a real live adversary (or several).
Let’s say a website has 20 Cross-Site Scripting (XSS) vulnerabilities, 18 of which are classifiable as LHF. Completing a LHF/VA process to eliminate these might take a week to a month or more, depending on the website. By eliminating 90% of the total issues, how much longer might it take a bad guy to identify one of the two remaining XSS issues they need to hack the site? An hour? A few? A day? Perhaps a week if you’re really lucky. A recent thread on sla.ckers.org offered a perfect illustration.
Someone said vulnerabilities in Neopets, a popular social network gaming site for virtual pets, were hard to come by. The first question was, who cares about Neopets? The answer was that it has millions of players and a currency with monetary value. Through my browser I could almost hear the keyboards as the members raced to be the first. A dozen posts and 24 hours later, an XSS disclosure hit. I didn’t bother confirming. sla.ckers.org has already generated over 1,000 similar disclosures, including several in MySpace, so it wouldn’t be out of the ordinary. However, these are also not the guys we need to be worrying about.
The real bad guys are after the money. They have all day, all night, every day, weekends and holidays to target any website they want. In the above example, we were just talking about some silly gaming site. What if the target was something more compelling? Think the real bad guys will be so nice as to publish their results? They’d bang on a system 24x7 until they got what they wanted and happily be on their way. Reportedly the group that hacked T-Mobile and Paris Hilton’s cell spent more than a year targeting the system.
The point I’m trying to make is that if you’re going to spend weeks and months of time finding and fixing vulnerabilities, make sure the end result protects you for more than a lucky week. Sure, going after LHF is better than nothing, but if you’re a professional responsible for security, that’s the last thing you want to tell your boss your VA strategy is based on. The strategy you want is comprehensiveness. Push the bad guys away for months, years, or hopefully forever.