Web Applications still posing risk while businesses shift funds elsewhere

Web Applications are quickly becoming the redheaded step-child of the business world, based on a recent study from the Ponemon Institute and practical lessons by researcher Rafal Los. While the idea that WebAppSec is another layer of consideration for business continuity is nothing new, actually making it happen is another matter entirely.

Practical lessons

Previously, Rafal Los talked with us about WebAppSec (Web Application Security) and described a few situations where executives and developers had a reality check, watching as their applications exposed the figurative keys to the kingdom, both by handing over company information and by allowing a network-wide compromise by the Zeus family of malware. [Story: The reality of Web development and security]

Last Friday, during a presentation titled "Dr. Evil’s Guide to Web 2.0" at Thotcon in Chicago, Los used a free tool called SWFScan, which is offered by his employer HP, to examine Flash-based applications. The tool allows anyone, legit security professional or criminal, to download and decompile a given Flash application and examine it for holes or information.

SWFScan isn’t the only tool of its kind, but it served its purpose in the talk. Those using the tool in the live examples didn’t simply discover Flash-based application bugs, but another level of vulnerability – sensitive information simply hardcoded into the application itself.

A personal accounting of the talk, given by Christopher Kois, explains further.

“Rafal did a good job in pointing out that the majority of people using Flash are marketing people with just enough technical knowledge to use Flash to create web sites. The flash tools make it very simple for them to drag and drop objects on a screen, while not paying any attention to or keeping in mind any potential security vulnerabilities of allowing the client access to the compiled code,” Kois wrote on his blog. [Link]

“I was in the audience sitting very close to a guy who pointed out a website where a login and password with what appeared to be Administrative credentials could clearly be read in the decompiled flash code.”

Another example from the same talk showed a popular site making open-ended database calls in clear text via HTTP. Los explained in a blog post on the issue that by decompiling the Flash application, it was trivial to follow the code and enumerate all the data in each of the five databases discovered. [Link]
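The two failure modes described above, credentials hardcoded as string literals and database queries shipped to a clear-text HTTP endpoint, can be caught before a SWF is ever published by scanning the ActionScript source for the same patterns a decompiler would expose. The following is an added example (not from the article, nor from SWFScan or HP), and the ActionScript snippet it scans is constructed for illustration:

```python
import re
from typing import List, Tuple

# Constructed sample of decompiled ActionScript, modelled on the failure modes
# the article describes: a credential kept as a string literal and a database
# query sent to a clear-text HTTP endpoint. Not a real application.
SAMPLE_ACTIONSCRIPT = """
package {
    public class Config {
        public static const ADMIN_USER:String = "admin";
        public static const ADMIN_PASS:String = "s3cret-placeholder";
        public static const API:String = "http://example.invalid/query.php";
        public static const LOOKUP:String = "SELECT * FROM customers WHERE id=";
        public static const LOGO:String = "https://example.invalid/logo.png";
    }
}
"""

# Each rule is (finding name, compiled regex). Kept deliberately narrow so the
# check flags patterns a reviewer can act on rather than every string literal.
RULES = [
    ("hardcoded credential",
     re.compile(r'\b\w*(pass|pwd|secret|token|apikey)\w*\s*:\s*String\s*=\s*"[^"]+"', re.I)),
    ("clear-text http endpoint",
     re.compile(r'"http://[^"]+"', re.I)),
    ("embedded sql",
     re.compile(r'"\s*(select|insert|update|delete)\b[^"]*"', re.I)),
]


def scan_actionscript(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding, offending line) for every rule hit.

    Anything the compiler embeds as a literal is recoverable by whoever holds
    the SWF, so each hit should be treated as a release blocker, not a warning.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, name, text in scan_actionscript(SAMPLE_ACTIONSCRIPT):
        print(f"line {lineno}: {name}: {text}")
```

The check is a pre-release gate on the source tree; it does not replace decompiling the shipped SWF, which is what a reviewer (or anyone else) will ultimately see.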

Another challenge that developers will face in the coming months is Adobe’s new handling of Flash Shared Objects (FSO), also known as Flash Cookies, Local Shared Objects or Flash Player Local Shared Objects, which arrives with the pending release of Flash Player 10.1.

As part of their plans for Flash Player 10.1, due out in the first half of 2010, Adobe will deliver on promises to eliminate privacy concerns by blocking FSO use for persistent identification. Ori Eisen, chief innovation officer at 41st Parameter, noted that this will have a significant impact on most online fraud prevention efforts.

However, when banks recode the security measures in their Web applications to cope with that change, doing so without proper consideration can inadvertently expose users to risk, not only from fraud but from other attack vectors as well.

While this example of issues in FSO usage is aimed at banks, they are not the only ones who take advantage of Flash in such a fashion. These changes will impact all Web applications, and require that they be considered in the development and security cycle.

WebAppSec tossed to the side

Los’ examples, both in the previous article and this one, are just a small sample of the issues that can plague Web Applications. However, despite those, businesses are more concerned with other things, and spend their IT dollars accordingly.

Commissioned by Imperva and WhiteHat Security, a study [Link] from the Ponemon Institute interviewed 638 IT security practitioners, and noted that while they consider theft of data to be the biggest threat to their websites, many think that their respective organizations fail to view Web security as a strategic initiative.

Of those who took part in the study, 70 percent said that the organizations they work with do not allocate sufficient funds to WebAppSec. Most of the IT funding for security goes towards network protections.

In addition, 55 percent of them say that developers are simply too busy to respond to security issues. That last percentage helps shed light on the line of thought that WebApp development and WebAppSec are two sides of the same coin.

“Applications are getting too complex,” Los explained to us during an interview on a related story. “Even if the development teams do know how to code securely, there is too much code to keep track of.”

The average Web application of medium complexity has several million lines of code. “You can’t audit this, let alone secure it,” he explained.

Sometimes development teams do have security people as part of the mix. However, more often than not they are QA staffers who have the added task of security testing. While they may be enthusiastic, and knowledgeable of several attack methods and mitigations, they are not solely focused on WebAppSec. Eventually they will miss something through no fault of their own.

“It takes somebody that is more than a security enthusiast to test and check the applications properly. Most companies don’t have that,” Los said.

In the study, the Ponemon Institute concluded that corporate security should join forces with business leaders to make WebAppSec an integral part of business operations.

“In addition to a serious misalignment between the risk to Web application security and the budget allocated to address the risk, we also found that developers do not have an incentive to respond to vulnerabilities in a timely fashion. For many, security is not considered as much a priority as other responsibilities they have,” the conclusion noted.

Developers are paid to code: they are given a project and expected to complete it on time and under budget. While security is important to those who code for a living, they can only secure so much at a time, and they value their jobs more than they do spending days running security audits.

It’s up to the business leaders to help this, but budgets alone won’t solve the problems. You can’t fix everything by tossing money at it.
