Earlier this month infosec pros at the Toronto SC Congress conference got an earful from Canadian Dave Lewis of Akamai Technologies on the need to ensure their Web sites don’t aid and abet distributed denial of service.
Over the weekend came another reminder in an article from CSO Online that there are too many vulnerabilities in Web sites that help attackers which can easily be plugged.
“The primary cause for constant and recurring website (and web application) vulnerabilities is the heavily-modified to fully custom-developed nature of these technologies,” it quotes David J. Venable, director of professional services at Texas-based cloud networking platform Masergy Communications and a former NSA intelligence collector. The result, he says, is largely untested sites and applications that do not undergo the same rigorous and thorough testing that most commercial software packages such as operating systems and server packages do.
There are security holes in .PHP sites, third-party and homegrown software, and WordPress code and installations as well as in OpenSSL, Single Sign-On, and SQL and LDAP implementations and technologies.
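The SQL holes mentioned above are typically the "easily plugged" kind: a query built by pasting user input into the SQL string versus one that binds the input as a parameter. The following is an added illustration, not code from the article or from any of the companies it quotes; it uses an in-memory SQLite database with a constructed two-row users table, and the function and table names are assumptions for the example.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny users table.
SAMPLE_USERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
]


def make_db():
    """Build a throwaway in-memory database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The defect: string formatting lets user input become part of the SQL grammar."""
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, name, password):
    """The fix: a parameterized query binds input as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both versions against a normal login and a classic tautology input."""
    conn = make_db()
    injected = "' OR '1'='1"
    return {
        # Correct credentials: both versions return the one matching user.
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret"),
        # Tautology input: the vulnerable query returns every row.
        "vulnerable_injected": login_vulnerable(conn, "x", injected),
        "hardened_normal": login_hardened(conn, "alice", "s3cret"),
        # The same input bound as a parameter matches nobody.
        "hardened_injected": login_hardened(conn, "x", injected),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point for a change-management or test plan is that the two functions are equally easy to write; only the second one keeps the statement's structure fixed regardless of what arrives in the request, and a unit test like the `demo()` comparison catches a regression to the first form.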
Cisco Systems’ most recent annual security report noted that among the Web exploit kits available to hackers, one dubbed Angler uses Flash, Java, Microsoft Internet Explorer (IE) and Silverlight vulnerabilities. Once the exploit is triggered, the report notes, the malware payload is written directly into memory in a process such as iexplore.exe, instead of being written to a disk. “The payload delivered by Angler looks like a blob of encrypted data, which makes it harder to identify and block.”
Another, dubbed Sweet Orange, distributes a range of malware to unpatched end-user systems, and includes exploits for vulnerabilities in Adobe Flash Player, IE, and Java.
Today security and application development teams have to work closer than ever to ensure these are plugged through change management, testing, and proper implementation. There are too many successful attacks that could be stopped cold if developers and security pros