Opinion
Industry View: Web Application Security Today - Are We All Insane?
WhiteHat Security's Jeremiah Grossman believes the current approach to Web application security is the very picture of insanity
By Jeremiah Grossman
In today's world there is an unimaginable amount of insecure code, and therefore of insecure websites, already in circulation. Taking up the battle cry of "secure software" alone does not solve this problem. As Web 2.0 applications continue to proliferate (blogs, social networks, video sharing, mash-up websites, etc.), the problem will expand in parallel, but we also must consider the existing large financial institutions, credit unions, healthcare operators and ecommerce retailers that run mission-critical business applications online. Even our 2008 U.S. presidential candidates are having trouble securing their campaign websites against amateur attackers.
It is unreasonable to expect publishers, enterprises and other site owners to restart and reprogram every website securely from scratch. Nor can we fix the hundreds of thousands (maybe millions) of custom Web application vulnerabilities one line at a time. The very thought sounds insane to me. It would take too long (probably never finish), cost far too much (billions per year), and the bad guys are already ahead of us. Conservative estimates put the total annual IT security spend in the US at $50 billion and e-crime losses at $100 billion. We're losing two dollars for every dollar spent.
Our pond is really an ocean of code that needs its security defects filtered out, and the dams on the rivers feeding it are full of holes that need patching. In many ways, the state of Web application security is where network security was a decade or so ago, when no one really patched or even had the means to do so. Vulnerability assessment and management solutions told us what flaws existed, but it took several highly publicized compromises for people to appreciate the value of perimeter firewalls as a necessary stopgap for the immediate problem. Patch management came much later and only recently has become ubiquitous.
Major website hacks are now occurring weekly, and once again people are looking for quick, effective and affordable solutions to get a handle on the immediate problem. We have to be able to detect flaws, react faster, and adapt better on an Internet-wide scale. Web application vulnerability assessment solutions like those provided by WhiteHat Security are able to do this and then inform businesses of where the problem spots are. To address identified issues quickly, Web application firewall (WAF) technology is getting a serious look. Recent advances let vulnerability assessment results be fed straight into a WAF as virtual patches: rules that block attacks against a specific, already-identified flaw at the perimeter, scoped to the page and parameter where the flaw was found, without touching the application code.
This approach lets us mitigate the problem now, giving us breathing room to fix the code when time and budget allow. Of course there is still the option of waiting the next 10 years for the Web to be rebuilt.
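What "assessment results piped into a WAF as virtual patches" looks like in practice, as an added example that is not code from this article or from WhiteHat Security: a scanner finding (path, parameter, vulnerability class) is turned into a ModSecurity-style chained rule, and a small stand-in rule engine shows what that patch blocks and, just as importantly, what it leaves untouched. The finding format, the rule-id range, the per-class patterns and the engine itself are constructed for illustration; only the emitted text follows real SecRule syntax, and it has not been loaded into ModSecurity here.

```python
"""Added example (not code from the article or from WhiteHat Security).

Turns a web-application scanner finding into a WAF "virtual patch" and shows,
with a small stand-in rule engine, what the patch does and does not block.
The finding format, the rule-id range, the per-class patterns and the engine
are constructed for illustration; only the emitted text follows ModSecurity
SecRule syntax, and it has not been loaded into a real ModSecurity instance.
"""
import re
from urllib.parse import unquote_plus

# Constructed findings, shaped like an assessment report: where the flaw is
# (path + parameter) and which vulnerability class it belongs to.
FINDINGS = [
    {"id": 1, "path": "/search", "param": "q", "class": "xss"},
    {"id": 2, "path": "/login", "param": "user", "class": "sqli"},
]

# Illustrative per-class patterns (assumption: a real deployment would use a
# vetted signature set; these are kept narrow to limit false positives).
PATTERNS = {
    "xss": r"(?i)<\s*script|javascript:|\bon\w+\s*=",
    "sqli": r"(?i)'\s*(or|and)\s+\S+\s*=|union\s+select|--",
}

BASE_RULE_ID = 100000  # assumed id range reserved for generated rules


def finding_to_rule(finding):
    """Emit a ModSecurity-style chained rule scoped to the flawed path and parameter.

    The first SecRule restricts the patch to the reported path; the chained
    second rule inspects only the reported parameter, after URL decoding,
    so unrelated pages and parameters are not affected."""
    rule_id = BASE_RULE_ID + finding["id"]
    pattern = PATTERNS[finding["class"]]
    msg = "virtual patch for finding %d (%s)" % (finding["id"], finding["class"])
    return (
        'SecRule REQUEST_URI "@beginsWith %s" ' % finding["path"]
        + '"id:%d,phase:2,deny,status:403,log,msg:\'%s\',chain"\n' % (rule_id, msg)
        + '    SecRule ARGS:%s "@rx %s" "t:urlDecodeUni"' % (finding["param"], pattern)
    )


def compile_patch(finding):
    """Structured form of the same patch, consumed by the stand-in engine below."""
    return {
        "rule_id": BASE_RULE_ID + finding["id"],
        "path": finding["path"],
        "param": finding["param"],
        "regex": re.compile(PATTERNS[finding["class"]]),
        "rule_text": finding_to_rule(finding),
    }


def evaluate(patches, request):
    """Return ('deny', rule_id) if any patch fires, else ('allow', None).

    A patch fires only when the request is under the reported path AND the
    reported parameter (URL-decoded, mirroring t:urlDecodeUni) matches the
    class pattern. Anything the scanner did not report is not covered."""
    for patch in patches:
        if not request["path"].startswith(patch["path"]):
            continue
        value = unquote_plus(request["args"].get(patch["param"], ""))
        if patch["regex"].search(value):
            return "deny", patch["rule_id"]
    return "allow", None


PATCHES = [compile_patch(f) for f in FINDINGS]

if __name__ == "__main__":
    for p in PATCHES:
        print(p["rule_text"], end="\n\n")
    # Constructed requests: raw and URL-encoded attacks on the patched
    # location, a benign search, the same payload on an unpatched page,
    # and a classic authentication-bypass string on the login form.
    for req in [
        {"path": "/search", "args": {"q": "<script>alert(1)</script>"}},
        {"path": "/search", "args": {"q": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"}},
        {"path": "/search", "args": {"q": "blue shoes"}},
        {"path": "/about", "args": {"q": "<script>alert(1)</script>"}},
        {"path": "/login", "args": {"user": "admin' or 1=1 --", "pw": "x"}},
    ]:
        print(req["path"], req["args"], "->", evaluate(PATCHES, req))
```

Two caveats fall out of the example. The patch is exactly as wide as the finding: the same payload sent to `/about` passes, because nothing told the WAF about `/about`, so the scan coverage bounds the protection. And the decoding transformation matters: without it, the `%3Cscript%3E` variant would slip past a rule that only looks at the raw argument. Both are reasons the virtual patch buys time rather than replacing the code fix.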