Seventeen million programmers are churning out an estimated 102 billion new lines of code per year. Add 162 million websites online, with 809,000 using SSL (an indication of valuable data) and the problem becomes apparent. Researchers estimate that roughly one security defect exists per 10,000 lines of code and nine out of 10 websites contain one or more serious vulnerabilities. If only 1 percent of security defects are exploitable that means we are generating 102,000 zero-days per year - we just don't know where most of them are. Even if 90 percent of the SSL websites contained only a single issue, 728,100 website vulnerabilities are already in circulation, and we don't know where those are, either.
While web application security was clearly recognized as a big problem several years ago, many organizations were slow to act. Now Web application exposure has reached the crisis stage because criminals have taken notice and made Web applications their primary target. There's an old proverb that explains how to determine whether or not someone is sane. An individual is shown a river flowing into a pond. He is given a bucket and asked to drain the pond. If he walks to the stream to dam the inflow into the pond he will be considered sane. If he decides to empty the pond with his bucket without first stopping the inflow then he would be considered insane. This is analogous to today's approach to software security, and specifically Web application security.
While the data (think credit card and Social Security numbers) contained in websites can be highly attractive, so too is the ability to access unsuspecting users of the website. In what has become an incredibly common attack, cyber criminals penetrate one of a website's many weak spots and silently lace the Web pages with malicious code. When visitors arrive, their Web browser is automatically exploited and their machine loaded with Trojan horses designed to steal passwords, send spam, attack other computers, and more.
In April 2008, a single massive hack infected hundreds of thousands of Web pages using a sophisticated form of blind SQL Injection. Something we thought technically possible turned real, right before our eyes.
The problem has gotten so bad that industry sources say most websites hosting malware have been hacked, Google says 1.3 percent of their search queries return malicious content, and Vint Cerf (father of the Internet) approximates that one quarter of all PCs are part of a botnet. Firewalls are not working. Antivirus/spyware is not working, nor are weekly patching, user education, SSL, or "turning off the home computer" as recommended by the FBI cyber-crime website. In what has become an inside joke, every authority says to use these "best-practices" despite their ineffectiveness.
The techniques used by the modern cyber-criminal are truly scary. They're backed by mafia, supported by nation states, and often even carried out by, or in conjunction with, rogue insiders. We are dealing with polymorphic malware, 100,000-computer strong botnets, drive-by-downloads, rootkits with anti-forensic capabilities conducted by adversaries who fear no U.S. law. The bad guys make certain their newest tricks are packed, encrypted, and undetectable by the most popular security products. We are long past the era of stereotypical sleep deprived teenage hackers hell bent on the "information wants to be free" philosophy, practicing a dark art.
Web App Security: Time to Get Serious
The cat is out of the bag. The genie is out of the bottle. Playtime is over. The bad guys have evolved and made a home online. They are after Social Security numbers, credit card numbers, bank account details, credit equity, customer lists, a jump on the quarterly earnings, our e-mails, online payment accounts, access to our social network of friends, World of Warcraft characters, and even the CPU cycles when the rest is spent. They want it all and the odds are stacked in their favor. Think the payment card industry's new regulations or the breach disclosure laws are going to save us? Neither do I, but they certainly do make a good excuse to get more budget dollars.
For those unfamiliar, the business models of the underground today are every bit as innovative as the mainstream. They trade in intellectual property, sell software toolkits, and even offer software as a service. Want to rent a 10,000-computer botnet for the day? No problem. Unreported vulnerabilities (zero-days) are being researched, bought, and sold on the black market for tens or even hundreds of thousands of dollars. At the same time, when software patches are released, attackers are immediately (it is rumored, automatically) reverse-engineering them to find the flaw. Exploit code is then sent back into the wild before patches can be widely deployed by legitimate users. Large-scale patch rollouts taking only a few days seems like a great advancement until compared against exploit code ready to go in hours.
It is painfully obvious that we must change the status quo in Web application security. We thought we had the answers to give us the upper hand on the bad guys, but hindsight has proven us wrong. In response to the inadequacies of first-generation Web application security measures, an entire industry has emerged beating the drum for software in the Software Development Lifecycle (SDL) and touting secure software as the cure to all our woes. While there is some truth to this, Gartner says 75 percent of security breaches are due to flaws in software, yet 90 percent of IT security spending is on perimeter security such as firewalls - a conundrum. Surely if we had developed all Web code with security in mind the problem might not have gotten so out of hand, but we cannot rewrite history. So where does that leave us?
In today's world, there is an unimaginable amount of insecure code, and therefore websites, already in circulation. Just taking up the battle cry of "secure software" alone does not solve this problem. As Web 2.0 applications continue to proliferate (blogs, social networks, video sharing, mash-up websites, etc.) the problem will expand in parallel, but we also must consider the existing large financial institutions, credit unions, healthcare operators, ecommerce retailers that run mission-critical business applications online. Even our 2008 U.S. presidential candidates are having trouble securing their campaign websites against amateur attackers.
It is unreasonable to expect publishers, enterprises and other site owners to restart and reprogram every website securely from scratch. Nor can we fix the hundreds of thousands (maybe millions) of custom Web application vulnerabilities one line at time. The very thought sounds insane to me. It would take too long (probably never finish), cost far too much (billions per year), and the bad guys are already ahead of us. Conservative estimates put the total annual IT security spend in the US at $50 billion and e-crime losses at $100 billion. We're losing two dollars for every dollar spent.
Our pond is actually an ocean of code in need of security defect purification and the dams in the rivers feeding it have holes requiring patches. In many ways, the state of Web application security is where we started a decade or so ago in network security when no one really patched or even had the means to do so. Vulnerability assessment and management solutions told us what flaws existed, but it took several highly publicized compromises for people to appreciate the value in perimeter firewalls as a necessary solution to the immediate problem. Patch management came much later and only recently has become ubiquitous.
Major website hacks are now occurring weekly and once again people are looking for quick, effective and affordable solutions to get a handle on the immediate problem. We have to be able to detect flaws, react faster, and adapt better on an Internet-wide scale. Web application vulnerability assessment solutions like those provided by WhiteHat Security are able to do this and then inform businesses of where the problem spots are. To address identified issues quickly Web application firewall (WAF) technology is getting a serious look. Recent technology advancements enable vulnerability assessment results to pipe straight into a WAF as virtual patches.
This approach lets us mitigate the problem now giving us breathing room to fix the code when time and budget allow. Of course there is still the option of waiting the next 10 years for the Web to be rebuilt.
Jeremiah Grossman is founder and chief technology officer at WhiteHat Security Inc., which tests Web sites for vulnerabilities.