Everyone, from IBM to the IC3, agrees in their 2008 security trend reports that the Web as you know it was the single largest avenue of attack in 2008. More than a million Web pages were compromised, leading to the spread of malware, the loss of personal information, and reputational damage for some businesses.
Web application security is gaining more of the limelight as Web-based attacks grow.
“It’s unanimous. Web application security is the [number one] avenue of attack according to basically every industry data security report available,” wrote Jeremiah Grossman, Chief Technology Officer of WhiteHat Security, in a recent blog post.
“This is in addition to reports specifically focusing on custom Web application vulnerabilities (WhiteHat Security, WASC, Accunetix). SQL Injection and Cross-Site Scripting are routinely cited as the biggest issues, the ones we can’t apply patches to defend against.”
The reports Grossman mentions, like those from Sophos, IC3, IBM, and Websense, all point to the same fact: Web pages, both legitimate and malicious in nature, were the fastest way to exploit both vulnerabilities and people in 2008. This trend is sure to rise in 2009.
“The scale of this global criminal operation has reached such proportions that Sophos discovers one new infected webpage every 4.5 seconds – 24 hours a day, 365 days a year,” Sophos reported in its year-end summation.
“Web insecurity, notably weakness against automated remote attacks such as SQL injections, will continue to be the primary way of distributing web-borne malware. Cybercriminals can then send innocent-looking spam which links to legitimate, but hacked, Web pages. These hacked sites link invisibly to malicious content.”
Just this week alone, Websense reported compromises of two different Chinese search portals. Both portals, China.com and Sohu.com, are legitimate sites; each was exploited to alter its page code, embedding malicious code used to attack site visitors.
Adding to this is a discovery on Monday that a famous Chinese University was compromised in a similar fashion.
“Peking University, one of the most famous and highly-reputed universities in China, has been compromised with malicious code. The Web site has been injected with JavaScript embedded in a number of malicious Iframes, leading to exploits such as Microsoft AdoDB / XML HTTP (MS06-014), RealPlayer, Thunder Xunlei, and Global Link Lianzong,” said Websense.
The root of all evil in each of these Web compromises is the same: often-overlooked flaws in Web application development. Cross-Site Scripting and SQL Injection attacks take advantage of weak code, typically code that mixes untrusted input directly into SQL statements or HTML output.
Because these flaws can exist in any development framework, it is almost impossible to work them all out ahead of time unless you actively hunt for them or code in such a way that they are eliminated from the start. However, because most businesses and application developers merge existing frameworks and new code into the same packaged site, these flaws are often discovered only after an attack has taken place.
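The "code in such a way that they are eliminated from the start" point is easiest to see side by side. The following added example is not from the article or any vendor it names; it is illustration code with constructed sample data. It shows the two flaws the article singles out, SQL Injection and Cross-Site Scripting, each as the weak pattern (string concatenation into SQL, raw interpolation into HTML) next to the pattern that removes the flaw (parameterized queries, output encoding), using only Python's standard library.

```python
import html
import sqlite3

# Constructed sample rows (illustration data, not from the article).
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def build_demo_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """Weak pattern: untrusted input is pasted into the statement text.

    Anything the caller types becomes part of the SQL grammar, so input that
    contains quotes or operators can change what the query means.
    """
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: a parameterized query.

    The statement structure is fixed at ? and the value travels separately,
    so the input is only ever compared as data, never parsed as SQL.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_unsafe(comment):
    """Weak pattern: user-supplied text is interpolated straight into HTML,
    so any markup in the comment is handed to the visitor's browser as-is."""
    return "<p>%s</p>" % comment


def render_safe(comment):
    """Hardened pattern: output encoding.

    html.escape turns <, >, &, " and ' into entities, so the browser renders
    the comment as text rather than interpreting it as markup or script.
    """
    return "<p>%s</p>" % html.escape(comment, quote=True)


def compare(conn, name, comment):
    """Run both variants of each lookup and render so the difference is visible."""
    return {
        "sql_unsafe_rows": len(lookup_unsafe(conn, name)),
        "sql_safe_rows": len(lookup_safe(conn, name)),
        "html_unsafe": render_unsafe(comment),
        "html_safe": render_safe(comment),
    }


if __name__ == "__main__":
    db = build_demo_db()
    # A name that no user has, containing a quote; and a comment containing markup.
    for key, value in compare(db, "nobody' OR '1'='1", "<b>hi</b>").items():
        print(key, "->", value)
```

The point to take from the output is structural, not about any particular input: `lookup_unsafe` returns every row for a name that matches nobody, because the quote character let the input rewrite the statement, while `lookup_safe` returns none; `render_unsafe` passes the tags through, while `render_safe` emits `&lt;b&gt;hi&lt;/b&gt;`. A code review or automated scanner of the kind the article describes is essentially hunting for the two "unsafe" shapes above.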
This is where WebAppSec (Web application security) finds its true calling. Hardware appliances, SaaS offerings, or skilled professionals tackle the developed Web code and hunt down the problems before the criminals do.
Perhaps in 2009 you will see larger spending in technology designed to mitigate Web-based compromises. Grossman would be happy to see that, as would several other vendors and professionals.
Yet big business is the key factor here. Unless businesses spend the money on the services offered by WhiteHat and other vendors, WebAppSec will still be seen as another expensive investment that CFOs, CIOs and CEOs cannot justify.
The Web browser is another issue. Many point out that if the browsers available today were more secure, then the problem of Web-based compromises and attack vectors would be moot. With that said, Grossman put it best in a November blog entry.
“In my opinion, the last security-mile won’t and can’t be solved efficiently by the browser vendors, nor should we expect it to. I fully appreciate that their interests in building market share conflicts with those security features experts request, which by the way never ship fast enough,” he wrote.
“To be fair, there really is no way for browser vendors to make the appropriate amount of security for you, me, or everyone in the world while at the same time defending against all of the known cutting-edge attack techniques...”