Opinion

Industry View: Web Application Security Today - Are We All Insane?

WhiteHat Security's Jeremiah Grossman believes the current approach to Web application security is the very picture of insanity

By Jeremiah Grossman

Page 2

The techniques used by the modern cyber-criminal are truly scary. They're backed by the mafia, supported by nation states, and often even carried out by, or in conjunction with, rogue insiders. We are dealing with polymorphic malware, 100,000-computer strong botnets, drive-by downloads, and rootkits with anti-forensic capabilities, operated by adversaries who fear no U.S. law. The bad guys make certain their newest tricks are packed, encrypted, and undetectable by the most popular security products. We are long past the era of the stereotypical sleep-deprived teenage hacker, hell-bent on the "information wants to be free" philosophy and practicing a dark art.

Web App Security: Time to Get Serious

The cat is out of the bag. The genie is out of the bottle. Playtime is over. The bad guys have evolved and made a home online. They are after Social Security numbers, credit card numbers, bank account details, credit equity, customer lists, a jump on the quarterly earnings, our e-mails, online payment accounts, access to our social network of friends, World of Warcraft characters, and even the CPU cycles when the rest is spent. They want it all and the odds are stacked in their favor. Think the payment card industry's new regulations or the breach disclosure laws are going to save us? Neither do I, but they certainly do make a good excuse to get more budget dollars.

For those unfamiliar, the business models of the underground today are every bit as innovative as the mainstream's. They trade in intellectual property, sell software toolkits, and even offer software as a service. Want to rent a 10,000-computer botnet for the day? No problem. Unreported vulnerabilities (zero-days) are being researched, bought, and sold on the black market for tens or even hundreds of thousands of dollars. At the same time, when software patches are released, attackers are immediately (it is rumored, automatically) reverse-engineering them to find the flaw. Exploit code is then sent back into the wild before patches can be widely deployed by legitimate users. Large-scale patch rollouts taking only a few days seem like a great advancement until compared against exploit code ready to go in hours.

It is painfully obvious that we must change the status quo in Web application security. We thought we had the answers to give us the upper hand on the bad guys, but hindsight has proven us wrong. In response to the inadequacies of first-generation Web application security measures, an entire industry has emerged beating the drum for security in the Software Development Lifecycle (SDL) and touting secure software as the cure to all our woes. There is some truth to this: Gartner says 75 percent of security breaches are due to flaws in software, yet 90 percent of IT security spending goes to perimeter security such as firewalls - a conundrum. Surely, if we had developed all Web code with security in mind, the problem might not have gotten so out of hand, but we cannot rewrite history. So where does that leave us?
