Given that corporate security is only as good as its weakest link, Web applications — arguably the weakest link — were the subject of a hacking workshop recently held in Toronto.
Covering topics such as cross-site scripting and SQL injection, Matt Fisher, a security engineer with Atlanta-based SPI Dynamics, showed attendees a hacker’s perspective of the soft underbelly of today’s Web presence.
On almost every Web site “there will be cross-site scripting and SQL injection (vulnerabilities),” Fisher said. “Guaranteed.”
While the Web is a good delivery method for data, it is a difficult medium to secure, since many of the security holes need nothing more than a Web browser to exploit them, Fisher said.
Though vulnerabilities such as buffer overflows get a lot of media attention, since they affect every installation of the operating systems and applications that have them — if one Windows 2000 system has the vulnerability, they all do — they are more difficult to exploit, Fisher added. In fact, of a room full of security people, only one person admitted to knowing how to craft one.
But Web applications can frequently be hacked by nothing more than right-clicking on a Web page, pulling out some badly written source code in the form of HTML comments and placing them into the address bar.
This apparent no-brainer is more common than is often thought, Fisher said. Web applications are built for user acceptance and are stress tested against traffic loads, but infrequently have security built in at the development phase. “For the most part developers aren’t taught security,” he said.
Several attendees agreed. Developers’ understanding of the importance of security “is still shaky…but it is getting there,” said Tim Dafoe, a senior security designer with Ontario’s provincial government. Though he and the other security people he works with are aware of techniques such as SQL injection — database queries that accept potentially harmful characters from user input — developers tend not to be. One of the reasons is the inherent gap between what developers know about security and what security people know about developing. “The gap is closing, though,” he said.
Mike Pill, who manages developers at a municipally run organization, agreed that developers are often unaware of the exploits used by hackers to break their Web creations. “It’s not taught in school,” he said.
On the upside, as porous as Web applications tend to be, they are not difficult to harden if security is actually built in at the development phase, Fisher said. But the challenge facing many companies is, in fact, doing just this. Senior management is starting to understand the scope of the problem, but “very slowly,” Pill said.
Even if Web applications are built with security as part of the process, the job is far from over.
“You can’t just assess (a Web site) once and forget it…you have to continually assess,” Fisher said. Unfortunately, very few companies do this, he added.