Web applications: Insecurity for the masses

13 Feb 2007 | IT Business Edge


With Jeremiah Grossman, founder and chief technology officer of WhiteHat Security. In November 2006, WhiteHat released its inaugural Web Application Security Risk Report.

Question: What are Web applications and why do they complicate security?

Grossman: A Web application is a piece of software that runs over the Web that transforms a static Web page into something more dynamic. Web 2.0 [which uses Web apps] is built on more social collaboration and is more dynamic in terms of its use. The primary reason [that makes it more vulnerable from a security perspective] is that the accessibility not only makes it popular but also an attractive target. … [Software in a Web 2.0 scenario is] instantly accessible by hundreds of millions of people all over the world. The more value that is there -- whether it is money, intellectual property, access to other people -- the more attractive a target it becomes.

Question: Are Web app vulnerabilities completely different from traditional vulnerabilities, or are they the same problems simply modified for the Web?

Grossman: All the vulnerabilities that existed in earlier software all went to Web applications, but Web applications do have [their own vulnerabilities] added. Two examples are cross-site scripting and cross-site request forgery. Cross-site scripting at its most fundamental level exploits the trust a user has for the site. It gets the site to deliver malicious code to the user, typically by the user clicking on a link on the site. Cross-site request forgery is almost the opposite of cross-site scripting because it exploits the trust that a Web site has for a user. The way that works is that an attacker forces a user's browser to perform an action they didn't intend, such as a wire transfer. WhiteHat is in the business of testing Web sites for security and finding vulnerabilities. Our statistics say about eight in 10 sites have serious vulnerabilities in them. Our statistics and reports from others say Web applications are the most common avenue of attack. Most Web sites are vulnerable, and the bad guys know it and are exploiting them.

Question: What is your advice to people browsing the Internet?

Grossman: Our advice is to remain patched and to be careful about clicking on links [at sites], to be careful of any links in e-mail, and to switch to alternative browsers from Internet Explorer. What surprised me the most was that the vulnerabilities that we were finding are so diverse. There is not only one style of attack. What we found is that about half of [vulnerabilities] can be found using a scanner and the other half have to be found by an expert. What we say in security is that attacks always get worse, never better. [We found that it is important to] use a standardized secure development framework. The tools that developers use to code Web sites should be controlled and not open access. It helps prevent developers from making the most common mistakes without thinking about it. From a security point of view, vulnerability assessments are the best first step. You have to know [how your site is] vulnerable, and then you can make educated decisions.

This 3 Questions originally appeared in a weekly report from IT Business Edge.
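As an added illustration of the cross-site request forgery scenario Grossman describes (not code from the interview or from WhiteHat), this Python model of a bank "transfer" endpoint shows why a session cookie alone is not proof of the user's intent, and the two server-side checks that reject a request submitted from another site. The site origin, session store and request shape are assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Constructed model (not the page's code): a "transfer" endpoint handled
# as a plain function; SITE_ORIGIN, SESSIONS and the request dict are assumed.
SITE_ORIGIN = "https://bank.example"
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-alice": {"user": "alice", "balance": 1000}}

def csrf_token(session_id: str) -> str:
    """Per-session token the site embeds only in its own forms; other sites cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def transfer_vulnerable(request: dict) -> str:
    """Trusts the session cookie alone, which the browser attaches to any site's form post."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return "rejected: not logged in"
    session["balance"] -= int(request["form"]["amount"])
    return f"ok: sent {request['form']['amount']} to {request['form']['to']}"

def transfer_hardened(request: dict) -> str:
    """Also requires evidence that the request came from the site's own page."""
    session_id = request["cookies"].get("session")
    session = SESSIONS.get(session_id)
    if session is None:
        return "rejected: not logged in"
    # Check 1: a form post from another site carries that site's Origin header.
    if request["headers"].get("Origin") != SITE_ORIGIN:
        return "rejected: cross-origin request"
    # Check 2: synchronizer token; compared in constant time to avoid timing leaks.
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return "rejected: missing or wrong CSRF token"
    session["balance"] -= int(request["form"]["amount"])
    return f"ok: sent {request['form']['amount']} to {request['form']['to']}"

def cross_site_request() -> dict:
    """Constructed: what the victim's browser sends for a form auto-submitted by another site."""
    return {"headers": {"Origin": "https://other.example"},
            "cookies": {"session": "sess-alice"},
            "form": {"to": "mallory", "amount": "500"}}

def legitimate_request() -> dict:
    """Constructed: the same action submitted from the bank's own form."""
    return {"headers": {"Origin": SITE_ORIGIN},
            "cookies": {"session": "sess-alice"},
            "form": {"to": "bob", "amount": "100", "csrf_token": csrf_token("sess-alice")}}
```

Running both handlers against `cross_site_request()` shows the vulnerable one debiting the account while the hardened one rejects it before any state changes.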
