An Introduction to the Murky Science of Web Application Security
Where white hats and black boxes help CISOs assess just how sieve-like their web-based systems are.
Fri, May 11, 2007
CSO — Jeremiah Grossman wants you to know that firewalls and SSL encryption won’t prevent a hacker from breaking into your e-commerce website, compromising your customers’ data and possibly stealing your money. That’s because most website attacks these days exploit bugs in the Web application itself, rather than in the operating system on which the application is running.
Grossman is the founder and chief technology officer of WhiteHat Security, a Silicon Valley firm that offers an outsourced website vulnerability management service. Using a combination of proprietary scanning and so-called ethical hacking, WhiteHat assesses the security of its clients’ websites, looking for exploitable vulnerabilities.
WhiteHat does its scanning without access to the client’s source code and from outside the client’s firewall using the standard HTTP Web protocol. This approach is sometimes called “black box testing” because the website’s contents are opaque to the security assessors. The problem with black box testing, of course, is that it is sure to miss many vulnerabilities and back doors that are hidden in the source code—black box testing can only find vulnerabilities that are visible to someone using your website. But the advantage of this approach is that it precisely mimics how a hacker would most likely conduct his reconnaissance and break-in.
I met Grossman this past February at the RSA Data Security Conference in San Francisco and then had a follow-up meeting with him in early March. What he told me was not all that surprising, but it was tremendously disturbing nonetheless. According to Grossman:
- WhiteHat is able to find significant vulnerabilities in approximately 80 percent of the websites that it analyzes.
- The 20 percent that don’t have vulnerabilities are usually just “brochure-ware”—just a website with no active e-commerce application.
- Most C-level executives think that firewalls protect websites against Web-application attacks. (They don’t.)
Before founding WhiteHat, Grossman spent two years working in the security group at Yahoo (YHOO). It took Grossman and his team roughly a week to test each of Yahoo’s sites. At that rate, he said, it would have taken more than 10 years to test all of Yahoo’s online properties—assuming that they never changed. Of course, websites do change. And every time a website gets a significant makeover it has to be retested; otherwise newly introduced security vulnerabilities can go unnoticed.
Yahoo’s systems were protected by firewalls and other kinds of network isolation approaches. But these technologies don’t prevent most attacks aimed at Web applications. Firewalls and isolated networks prevent an attacker on the Internet from interacting with a service. But Web applications, by their very nature, need to be open to anyone on the Internet. If a merchant were to use its firewall to block access to its shopping cart system, then none of the website’s users would be able to buy anything!