Search This Blog

5 Threats that make your Website Vulnerable

Webmaster dilemma : having to choose between “easy and quick developments” and security ?

« 75% of malicious attacks on the web take place on the application layer (Gartner) »
«... The evolution of web applications has been characterized by a relatively immature level of security awareness ... (Deloitte and Touche) »

Websites create value. Whether you are an e-merchant, an administration or a car manufacturer, your core values (accounting, supply chain, customer data, business info, …) are processed, stored and communicated via your internet applications and more generally thanks to your IT system. Web applications include of course web sites as well as business and logic internal applications, intranets, extranets, portals … It is a fact : more and more companies and administrations tend to ‘webize’ their IT infrastructure.

But there are counterparts : being open brings dangers and threats that are often underestimated …

Web protocols are not secure

«More than 80% of all malware that emerged in the past year focus on application-level vulnerabilities (various sources, 2006). »
« In June 2006, 92 SQL injection and 34 cross-site scripting (XSS) new vulnerabilities were recorded on our database (Secunia) »

These real threats result in : private data theft, illegal use of your website (for instance to host forbidden contents or spam relays), website defacement, e-commerce website abuse, unavailability, …

Major threats include :
  • Cross-site scripting (XSS) - arbitrary code injection in scripts
  • SQL injection - reading or modifying databases
  • Command injection - unauthorized command execution
  • Parameter/form tampering - sending false arguments to the application
  • Cookie/header tampering - HTTP fields use to send false values to the web server
  • Buffer overflow - overflowing buffer memory
  • Directory traversal/forceful browsing - access outside the application
  • ·Attack obfuscation\' - attack masquerading, for instance via URL encoding
Very well known security principles are confidentiality, availability, integrity and auditability. HTTP and HTTPS protocols give poor result on these aspects. Web protocols hardly authenticate, only partly guarantee confidentiality and integrity, … And malicious SSL traffic will remain illegitimate when processed by your website !

Keep in mind that an URL sent by a browser is a command line to your web server : for instance an URL generating an SQL command or activating a CGI script.

At last, web protocols do not impose input validation, this is the major cause of their ‘insecurity’ !

Coding secure web applications is a hard work

« For far too many development professionals, Web application security only consists of producing applications that are functional and stable, not building hacker protection into the code or checking for SQL injection vulnerabilities (Spi Dynamics) »

Web protocols are not secure by default. But web application developers could strongly improve security standards with good coding principles. As M. Andrews and J. Whittaker mention in their Guide to Web Application Security : “If developers only validated their inputs to what they are expecting to be given, rather than attempting to filter for malicious inputs (if at all), then 80-90% of web application vulnerabilities would go away. SQL Injection -- gone, XSS -- gone, parameter tampering -- gone.”

Unfortunately, from a software vendor’s perspective : launching a new product on time is more important than launching a secure(d) software !

The limits of traditional tools

«According to CSI/FBI 2006 study :
97% of interviewed companies and administrations were using an antivirus, 98% have a network firewall, 69% have intrusion detection systems. However ... 65% of these organisations have undergone a viral or spyware attack, 32% have experienced unauthorized access to their internal data and even 15% have suffered from network intrusions ... »

Network security is not web application security !

The perimeter network firewall can not block all flows and attacks. Indeed, it usually lets http flows (ports 80 and 443) come into company\'s networks as it is usually needed for communication with outside world. As this specific port is open, more and more applications are using this open door, for instance, VoIP as well as peer to peer. This http port becomes a real toll-free motorway to penetrate internal network. More and more applications (including suspicious ones) are encapsulated into http traffic. This is the “everything over HTTP” phenomenon !

Comprehensive IT security requires a layered approach

«Two very old adages in security are "least privileges" and "defense in depth." The idea is to only give software enough privileges to get the job done, and not to rely on only one security mechanism. M. Andrews and J. Whittaker, Guide to Web Application Security »

Although security tools have their limits, they are usually necessary to make IT security infrastructure stronger.
Security experts refer to IT security infrastructure as “rings of protections”. Two very well known and common tools are antivirus and network firewalls. As regards with web security, we have seen that web traffic penetrates IT systems with no real opposition. That is why web application firewalls become indispensable. A web application and a web site need its ‘bodyguard’, as web technologies become increasingly critical and exposed in modern IT infrastructures ! In late 2004, a Red Herring journalist mentioned : "Web-app security will be just like anti-virus was 10 years ago. In five years, it will be a must-have.”.

Conclusion : web application firewalls act when conventional tools show their limits

Web application firewalls are an important building block in every HTTP network. First of all, they protect the most exposed part of your IT assets : the website. Web applications need their [intelligent and self-learning] bodyguard. When we say bodyguard, we mean a solution which ‘understands’ the application, taking into account its behavior, which is close to it (ie directly on the web server) and can ACT immediately and consequently (counter-measure). At the same time, it has to be discrete and stick to business logic. It is the “last rampart”, the ultimate protection !


Post a Comment