Basic security hygiene like identity and access management can solve a lot of network-related security problems. However, software vulnerabilities that come from development slips are more subtle yet have the same outcome: data theft.
In its annual Top 10 list of application vulnerabilities of 2019, WhiteHat Security says it wants to show how even well-known products, like Google’s search page, can have bugs that could lead to intrusions.
“Even companies you think are secure, there’s always one level deeper that you can dig if you really look for them,” Bryan Becker, WhiteHat’s product manager, said in an interview.
Some of them are so obvious in hindsight, Becker said, such as the cache vulnerabilities on the list. Researchers used old techniques to find something new.
These are not the most commonly exploited application vulnerabilities, he added, but the ones discovered in 2019 that WhiteHat found most interesting.
One of the biggest lessons, he said, is that software developers and security teams have to work closely.
“Developers have challenges,” he said, “and these are shared with the security team. Developers have the challenge of writing secure code without actually knowing what that means, and the security team has the challenge of helping them know what that means and training them . . . but there are so many layers you can’t solve it in one easy fix.”
Among the vulnerabilities are:
- Cross-site scripting (XSS) in Google Search: “It’s a vulnerability on Google, which no one expects to find,” Becker said, given the security resources the company has. This was, he admits, “a very obscure finding,” but clever. WhiteHat says the discovery of this bug highlights the importance of performing continuous testing on code that staff may feel is already secure.
- Cross-site leaks: Briefly, a vulnerability in cached information. The blog notes this is another attack that is not new but gaining momentum with HTTP caching being attacked from all fronts. While there are decent preventions against this attack, WhiteHat says, most of the internet is still prone to it. “Because cross-site leaks are used in various ways, make sure to always check for old attacks when deploying new code.”
- DOM Clobbering Gmail: Using a well-known technique known as “DOM Clobbering,” a researcher found a way to attack Gmail through a feature that makes it possible for emails to include dynamic HTML content. One solution: include CSP headers. “At Whitehat, we still find plenty of websites that do not include CSP (content security policy) headers in code.” CSP is a small step towards building a secure environment that can net powerful returns, says the blog.
- Poisoning a cache to initiate a denial of service: “Ensuring that caching is secure can be difficult for companies,” says the blog. Becker’s advice to security teams for improving code is to “just be friends with the developers. If you can talk to each other and share ideas, everything else seems to flow naturally.”
The security team will give lists of the vulnerabilities it finds, Becker said. But it should also say, “Here’s the status of your team today, here’s where we want to get to in the next six months, here’s how we’re going to help you get there.”
“Make it a team effort.”