Glow in the dark -- how CISOs can find their way through the darkness of the web

Even my favorite small sushi shop has a website with an online ordering capability. It also has a blog with news, events, and recipes and an option to subscribe to the newsletter.

Out of curiosity I took a look at the web page source. The site is developed using Asynchronous JavaScript and XML (AJAX), built on one of the many free open-source AJAX scripts for web carts and blogs available on the Internet. A small local web design company developed the website, and the design is contemporary and minimalistic, just like the sushi shop.


When considering security, the web developer could have turned to the Open Web Application Security Project (OWASP), which has published the testing guide for AJAX vulnerabilities. The guide outlines nine categories of vulnerabilities to be tested. However, that's not a simple task for the amateur web developer.

Questions spring to mind, such as: has the developer tested the application for vulnerabilities? The sushi chef has installed an anti-burglar alarm and cameras in his shop. But all shops in the neighborhood have some anti-burglar systems. Burglary happens in the area and installing alarms is a standard cost of doing business. Alarms and cameras in the shop cannot prevent burglary. They are deterrents. However, the local law enforcement team is tasked with preventive measures against burglary. They patrol the neighborhood, organize awareness campaigns, and collect intelligence on threats.

Cross-site scripting and SQL injections are less obvious risks for a small shop owner. Still, they could lead to a breach of customers' credit card details and personal information. To be sure that his website is secure, the sushi chef must have it tested and implement preventive measures. But how much is he ready to spend on such a test? A CISO of a large company may be responsible for several hundred web applications. He may ask: which applications are the most critical? Does it mean that less critical applications should not be tested against vulnerabilities? How much budget is a CISO ready to allocate for web application security? How can that budget be spent wisely while still feeling secure throughout the darkness of the web?

 

Information: The crown jewel

All components of information systems are vulnerable to exploits. However, components directly accessible from the internet are exposed to external threats and therefore are more likely to be exploited. If exploited, internal system components provide direct access to higher levels of privileges, such as to databases and the file system. They are protected, however, by rings of security controls, or what the security industry calls defense in depth. Web systems are on the enterprise frontline. It is, therefore, unsurprising that other perimeter systems are less frequently exploited.

Network devices such as firewalls are designed to segregate networks. And they perform that role effectively. Because of their specific scope of functionality they are designed and tested in a robust way. In addition, they are equipped with attack detection mechanisms and designed to fail safely. Only determined attackers with specific objectives would spend time and effort to attack firewalls.

On the other hand, web applications are tools for disseminating information, for communicating with customers, for selling goods and services, for building corporate identity and image. They are designed for dynamic aggregation of information, for linking users to databases, for interconnecting businesses, for collecting data. As such, they are the system components closest to the corporate crown jewel: information.

As companies and individuals rush to connect and disseminate information, ever more web applications are being developed quickly and with limited resources. Although everyone admits that it is important, information security is not the top priority when planning time to market for their products and services. Business owners' objectives are to minimize expenditure and this frequently results in security risk acceptance, or even ignorance.

Managing information security risks represents the cost of doing business. Moreover, that cost is often hidden and the impact is hard to measure. Data owners simply want to share and monetize their data. They are not motivated to think about what-ifs in security terms unless forced by laws and regulations, so they end up developing beautifully designed web applications that attract a mass audience and are rich with features and functionality that can track and collect massive amounts of marketing data that help companies to understand consumer demand.

Web applications help visitors find information on products, services and special offers, compare product features and prices, check feedback from other customers, make purchases with different payment options and track delivery of their packages. And users can do that from any device anywhere in the world. So can hackers in search of riches and weaknesses...

 

Protecting the crown jewels

There are many possible areas where weaknesses could be hidden. OWASP lists the top 10 web application weaknesses and how they evolve over time. It is no surprise that data injections have topped the charts for a long time. Data injections are weaknesses in application logic. They are the result of an inability to predict all possible behavioral aspects of users when entering or searching for data.

There are, of course, methods for secure coding that provide best practices for mitigating such risks, but they require skills and time to implement. Moreover, with every change to the underlying business process there is a change in the business logic that requires re-testing. If repeated testing could be done effectively with automated scanners, the task would be easier, but human intelligence is indispensable for it. Code analysis can assist in identifying possible vulnerable areas. Ethical hacking can verify that a vulnerability exists and how difficult it is to exploit an injection vulnerability.


Fuzz testing tools, such as ImmuniWeb Self-Fuzzer, a free real-time fuzzer extension for the Firefox browser, can analyse many possible data entry combinations in a short period of time. That process is similar to brute forcing password combinations and cannot compare to an intelligent attack. Attackers can put more logic into their attacks after reconnaissance, that is, after collecting information about the target. They can easily learn about the profiles of target company users and significantly reduce the scope of attack. Their data searches will resemble those of legitimate users.

Such interaction with web applications can hardly be identified as potentially malicious. It would not be detected by log analyzers and application firewalls. What remains for attackers is to find a vulnerability, such as a buffer overflow in the web content management system or the underlying database, and that would open the doors to the crown jewel: corporate information.

Automated web application scanning is very useful for an initial information security assessment. There are many scanning tools on the market. Some are even free, including OWASP Zed Attack Proxy (ZAP). It is simple to use, but web application security experience is required in order to produce meaningful results. Self-Fuzzer and ZAP are important tools within my web application security toolbox. I use them regularly to perform the initial phase of a corporate web application security assessment. It helps prioritize web applications in terms of potential vulnerabilities and their criticality. It results in defining the scope for further, more in-depth security assessments and the allocation of the security budget for preventive, detective and security monitoring activities.

Like all automated scanners, ZAP cannot detect logical vulnerabilities. OWASP recommends performing manual penetration tests to find all types of vulnerabilities. Manual penetration testing is time consuming and requires specific skills. Consequently, it is an expensive consultancy service. It is therefore quite unlikely that my favorite sushi chef would authorize penetration testing to assess the security of his website. However, there is a solution even for a small e-commerce site like his. Personally, I was unaware of a hybrid approach to web application security assessment until 2013, when High-Tech Bridge, one of our penetration testing providers, offered to test ImmuniWeb. ImmuniWeb is an on-demand web application security assessment solution that combines automated scanning with manual web application penetration testing for an affordable price. Moreover, ImmuniWeb could be used to assess websites hosted with Cloud Service Providers, as it does not perform any dangerous security checks and does not affect the web server or network equipment performance.

For large companies with hundreds of web applications, such hybrid assessment helps when expanding the scope of assessment to cover even applications estimated at medium or lower risk. CISOs finally have a solution that combines the strength of technology with human skills and intelligence to more accurately assess the potential to exploit application vulnerabilities.

The OWASP top 10 lists several other vulnerability classes that are difficult to detect with automated scanners. Cross-Site Scripting (XSS) is one of those. Attackers may use this technique to hijack user sessions and redirect them to a malicious site where users may be tricked into entering their credentials or payment details. OWASP highlights that it is particularly difficult to detect XSS vulnerabilities using automated scanners on websites based on technologies such as Ajax.

One of the CISOs' nightmares is a potential ruin of corporate reputation. Imagine a web page with the corporate logo at the top and usual legal disclaimers at the bottom, and data input dialog boxes asking visitors to enter their login IDs and passwords. All that with the company's valid Internet address in the address bar. The main issue is that the prompt for user credentials is not passing that information to the corporate web application but to a malicious site. It is very unlikely that website visitors would inspect page source code to identify potential risk before entering their credentials.


Thousands of cases were published with such exploits. For example, 860,000 Apple fan accounts were compromised as a result of an XSS exploit on the MacRumors forum. With limited in-house manpower it is difficult for me to dedicate resources for continuous assessment of such a risk on all corporate web-based systems. To compensate for this restriction, I ensure that most web-based systems are included in continuous security assessment using hybrid scanners.

Insecure Direct Object References are vulnerabilities that may allow users authorized to access certain data to modify search parameters and access restricted data. Automated scanners cannot differentiate what is safe from what is unsafe.

A human penetration tester may identify a potential vulnerability that could lead to a data confidentiality breach. This kind of vulnerability sometimes slips through security tests even for large companies and results in a privacy breach of 100,000 customers. Missing Function Level Access Control is a similar type of vulnerability, also related to the application logic and therefore unlikely to be identified by automated scanners. Instead of providing unauthorized access to data directly, this vulnerability allows access to an application function that is not authorized for the current user's role.

An example for the small online shopping website could be getting access to the reimbursement approval function. Implementing a change in application logic to mitigate such a vulnerability should follow secure software development life-cycle best practice, which recommends performing a security assessment after every major change. It is not uncommon that fixing one vulnerability creates another one. Critical Java vulnerabilities discovered last year were repaired by an out-of-band patch that introduced new vulnerabilities. If CISOs have budget for another penetration test after the implementation of a remedy and before putting the web system back to production, they would sleep much better at night. With hybrid vulnerability assessment, initially introduced to the market by Swiss company High-Tech Bridge with ImmuniWeb SaaS, this finally seems feasible.
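The two access-control flaws described above, sketched for a small online shop as an added example (not code from the article or from any product it mentions); the order data, user names and roles are constructed. Legitimate requests succeed against both the flawed and the checked handlers, which is why a scanner that does not know who owns which order cannot tell them apart.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer" or "manager" (constructed roles)

# Constructed sample data for a small online shop.
ORDERS = {
    1001: {"owner": "alice", "total": 42.50, "card_last4": "4242", "refunded": False},
    1002: {"owner": "bob", "total": 18.00, "card_last4": "1881", "refunded": False},
}

def get_order_vulnerable(user: User, order_id: int) -> dict:
    # Insecure Direct Object Reference: any logged-in user can read any
    # order simply by changing the order_id parameter.
    return ORDERS[order_id]

def get_order_checked(user: User, order_id: int) -> dict:
    # Object-level check: the order must belong to the caller (or a manager).
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != user.name and user.role != "manager"):
        # Same error for "missing" and "not yours", so IDs cannot be enumerated.
        raise PermissionError("order not available")
    return order

def approve_reimbursement_vulnerable(user: User, order_id: int) -> bool:
    # Missing Function Level Access Control: the function is absent from the
    # customer UI, but nothing on the server checks the caller's role.
    ORDERS[order_id]["refunded"] = True
    return True

def approve_reimbursement_checked(user: User, order_id: int) -> bool:
    # Function-level check, enforced on the server for every call.
    if user.role != "manager":
        raise PermissionError("reimbursement approval requires manager role")
    if order_id not in ORDERS:
        raise KeyError(order_id)
    ORDERS[order_id]["refunded"] = True
    return True

def is_denied(func, user: User, order_id: int) -> bool:
    """Return True if the call is refused with PermissionError."""
    try:
        func(user, order_id)
        return False
    except PermissionError:
        return True
```

A regression test that calls each handler as a second, unprivileged user and expects a refusal is the kind of check that can be re-run after every change to the business logic.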

 

Robots vs humans

One guardian of the crown jewel, the web developer, must reduce possible attack scope to an acceptable risk level. When fully focused on application design it is hard to imagine how creative attackers may be. For ethical hackers, though, that is their day job. They search through the dark web to understand the logic of attackers, to identify the tools that attackers use, which vulnerabilities attackers discuss and what skills attackers look for. They are just like undercover policemen patrolling streets, bars and nightclubs and collecting intelligence about underground activities. While automated scanners could point to a potential vulnerability, ethical hackers also search the dark side of the web to find traces that vulnerabilities are being exploited. Two automated scanners that I have tested, from BeyondTrust and Qualys, detected an XSS vulnerable page on the target web site. However, the code provided in the assessment report was not easily reproducible.

It required the skills and time of an engineer from our information security team to verify whether that XSS vulnerability is exploitable and how difficult that would be. For an organization with hundreds of web sites and thousands of web pages, manual verification of each XSS vulnerability would require significant resources. For a small company without specific internal skills for such verification, it would require contracting expensive consultancy. The ImmuniWeb assessment detected more web pages vulnerable to XSS on the same target web site that were completely missed by automated scanners. More importantly, the proof-of-concept scripts provided in the assessment report are easily verifiable even for a non-technically savvy person. It is a matter of clicking on a link in the report that would open the vulnerable web page with a pop-up message to illustrate what the exploit may look like. The ImmuniWeb assessment goes one step further. It also provides information on where and when vulnerable web pages were listed on hackers' forums. There is no need to highlight the criticality of the vulnerability and the importance of fixing it when one is presented with such a report.


Vulnerabilities represent only one part of the risk. Threats are the other component within the risk equation. External threats to web applications are on the rise and represent the top priority of information security managers, as reported by the OWASP CISO Survey. While there is a long list of tools on the market to assist in identifying vulnerabilities, nothing can yet replace a human in identifying actual threats. With data breach reports that point to exploits that go undetected for years, it is clear that better threat intelligence is needed. Security in-depth is important, just like anti-burglar alarms, but human-generated reports like the Hacking Resource Monitor module of ImmuniWeb introduce another dimension to the perception of risk. It definitely makes me sleep better at night. I will also mention this to my sushi chef when I stop by his shop next time.

Viktor Polic (CISSP, CRISC, CISA) is Chief Information Security Officer at a specialized agency of the UN.

