Web applications: Easy prey for hackers

Web applications are usually exposed on the Internet and make easier prey for attackers, who can develop tools that mimic legitimate users' behavior in order to scan a site for vulnerabilities without raising suspicion.

The latest IBM ISS X-Force 2009 Mid-Year Trend and Risk Report confirms that “The most prevalent type of vulnerability affecting servers today is unquestionably vulnerabilities related to Web applications.”

The large number of vulnerabilities found in Web applications, and the fact that detecting and using those vulnerabilities is easier since most Web applications are exposed to all users, have led many hackers to concentrate on mastering Web application hacking. In the past, most hackers were teenagers who tried to impress their computer buddies by hacking into a soft drink company’s web page and placing the competitor’s logo on it. Today’s hackers are professionals who specialize in hacking Web applications for profit.

The recent Heartland Payment System breach, which may have compromised millions of credit and debit card transactions, is one example of experts using web application vulnerabilities for monetary gain. According to the Washington Post, most recent data breaches are carried out by organized crime. The Washington Post offers several examples, including one of an organized criminal group based in Eastern Europe, which is believed to have hacked Web sites and databases belonging to hundreds of banks, payment processors, prepaid card vendors and retailers over the last year.

In addition, it is important to note that Web-related attacks are sometimes the preferred method of gaining access to the targeted organization's private network. According to the Verizon Business report, “when hackers are required to work to gain access, SQL injection appears to be the uncontested technique of choice.” The latest Heartland breach, where SQL injection was used to gain access to the Heartland datacenter network, is a good example of that finding. Attackers who can exploit a vulnerability in any web application can leverage it to install malicious software on servers. This software may give the hacker full access to an entire private network. As a result, it’s important for organizations to secure all of their Web applications in order to prevent any breach into their datacenter.

But even though Web application vulnerabilities are increasingly the favorite method of attackers, according to the IBM ISS X-Force 2008 Trend & Risk Report, 74 percent of the Web application vulnerabilities disclosed last year still had no vendor-supplied patch as of the end of the year.

Protect your data – Is your code secured?
The PCI (Payment Card Industry) Security Council suggests that organizations make sure that all Web application developers write code according to pre-defined security guidelines, and advises that Web applications be assessed for vulnerabilities during the development life-cycle. This guideline is good advice for organizations that want to protect their Web applications and is a requirement for organizations that should be PCI-compliant. Writing secure code and running security scans regularly on that code should always be considered a best practice for creating a better-secured web site. A Web application that is coded completely without any security vulnerability cannot be breached.

But achieving the goal of writing completely secure code is not always a straightforward task. Software engineers like technical challenges and embrace new programming methodologies in order to master all kinds of performance optimizations. But in terms of security, most Web engineers just know it is out there. Yes, they have been trained to understand the importance of writing code that complies with security guidelines, but security is not their expertise and they prefer only to follow the guidelines given by the security experts.

This R&D view may or may not be the one that characterizes your organization, and running advanced security scans may reveal most vulnerabilities created by developers working quickly to finish a project. But before entrusting Web security entirely to the Web engineers, it is important to ensure that the organizational culture is capable of supporting this type of commitment for the long run. Furthermore, if third-party web applications are used in the datacenter, it’s important to ensure that the developers of those applications not only have a good understanding of web security threats, but also have the discipline required to ensure that security-related methodologies are enforced in their code.

The web hacker, on the other hand, is an expert at finding the right loophole to hack into a system. If the Web developer did not “close” all the security holes, the Web hacker will find them. Hackers today are sophisticated and methodical when searching for Web vulnerabilities; they use automated toolkits to thoroughly scan a site for vulnerabilities. The mid-year IBM report states that hackers are even using botnets to seek out vulnerable Web sites and report their finds.

Protect your data – Let the Web security experts help
The PCI Security Council’s second option for securing a web site is installing a Web application firewall (WAF). A WAF product that is installed in front of a Web application will monitor all of the Web application traffic and will detect and block “web attacks” as they happen.

Installing a WAF allows Web security experts to help protect Web applications. Leading WAF products are built on the long and extensive Web security experience of their founders and security experts. As Web hackers master the ways of hacking into Web applications, WAF vendors master the ways of preventing those hackers from hacking. It is also important to know that WAF solutions usually do a great job of detecting and blocking the most common web attacks (including SQL injection and Cross Site Scripting), and in some cases this blocking functionality is provided out-of-the-box.

Assuming a company has an ADC (Application Delivery Controller) device running in front of the Web application, there is a good chance that the current ADC solution is also capable of serving as a WAF. Enabling the WAF capability of the current, already deployed ADC solution will pave the way for protecting Web applications from attacks.

The best protection method?
In reality, the picture is not that clear, and placing a WAF in front of a Web application is not a silver bullet. For one, approving a budget for a new WAF solution is usually harder than approving a budget for existing resources running manual security tests and writing secure code. Furthermore, WAFs are not always easy to configure and in most cases require an understanding of the protected Web applications in order to provide full coverage.

If an organization considers itself secure, the best route is to follow the PCI Council advice that “the ideal multi-layered defense would include proper implementation of both options” (i.e. secure code and installing a WAF). But PCI also acknowledges that “the cost and operational complexity of deploying both options may not be feasible.” If the budget permits, start by installing a WAF to protect Web applications now, because Web attacks are a real, current threat and will only increase in the future. Creating the right security discipline and coding methodologies in R&D should be a task going forward, since it cannot be achieved in an instant.
