What's real and what's not in web security
Richard Power talks with WhiteHat Security's Jeremiah Grossman about Cross-Site Scripting, penetration testing and much more
By Richard Power
July 02, 2012 — CSO —
This is the third in a series of interviews with C-level executives responsible for cyber security and privacy in business and government, who also happen to be thought leaders. (Remember, as I mentioned previously, "C-level executive" and "thought leader" are not synonyms.)
In this issue, I discuss a range of issues related to the hard work of web security with Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security. He is responsible for web application research and development, and is a high-profile industry evangelist, taking his message far and wide from the familiar haunts of BlackHat Briefings and other cyber security venues even unto the rarified air of TEDxMaui. A founding member of the Web Application Security Consortium (WASC), Grossman is a leading voice in web application security. Before launching WhiteHat, Grossman worked as an information security officer at Yahoo!
Richard Power: You have a unique vantage point to assess the "facts on the ground" in cyberspace. Give us a sense of the scope and range of sites, sectors, security systems, etc. that your team has a window into?
Jeremiah Grossman, WhiteHat Security: All industry reports agree, most "hacking" and "loss of records" these days are the result of a web-based compromise -- either through a website or a Web browser. WhiteHat Security performs regular vulnerability assessments on over 8,000 of the Internet's most high profile websites, including online banks, e-retailers, healthcare providers, etc. The security of better than 80 percent of those websites can be swiftly compromised, easily resulting in fraud, theft of consumer information, and so on.
More than that, our work measures what types of issues are most common and how long the vulnerabilities persist - which is typically weeks to months. This data is highly unique and difficult to come by, as it requires special privileges granted by our customers to test their systems.
Power: And what are the "facts on the ground" in cyberspace? What jumps out at you in what you are seeing 24x7? What is trending up? What is trending down? What is overhyped? What is underestimated?
Grossman: The 2011 Verizon Data Breach Investigations Report (DBIR), which has tracked thousands of cyber-crime cases over the past decade, has this to say: Amongst large organizations (1,000 or more employees), Web applications were the initial hacking vector in 54 percent of breaches and represented 39 percent of the compromised records. Going back as far as the 2008 Verizon DBIR the message was largely identical: Web application hacking was one of the largest causes of breach and data loss. Furthermore, studies published by 7Safe, the UK Security Breach Investigations Report, analyzed 62 cybercrime breach investigations and state that in "86 percent of all attacks, a weakness in a web interface was exploited" (vs. 14 percent infrastructure) and the attackers were predominately external (80 percent).
Combine this knowledge with the targeted Web-related attacks against Sony, Citibank, Google, Adobe, Yahoo!, the US House of Representatives, Amnesty International, Stratfor, Heartland Payment Systems, bank after bank, university after university, country after country -- the story is the same. It's a Web security world and the lesson is clear: secure your Web application code or risk your online business.
Trending Up: Website, Web browser, OS X
Trending Down: Windows exploits
Overhyped: Mobile, Cloud, Social Networking
Underestimated: Intranet hacking, SaaS third-party software hacking