An Introduction to the Murky Science of Web Application Security

Where white hats and black boxes help CISOs assess just how sieve-like their web-based systems are.

 

May 11, 2007, CSO — Jeremiah Grossman wants you to know that firewalls and SSL encryption won’t prevent a hacker from breaking into your e-commerce website, compromising your customers’ data and possibly stealing your money. That’s because most website attacks these days exploit bugs in the Web application itself, rather than in the operating system on which the application is running.

Grossman is the founder and chief technology officer of WhiteHat Security, a Silicon Valley firm that offers an outsourced website vulnerability management service. Using a combination of proprietary scanning and so-called ethical hacking, WhiteHat assesses the security of its clients’ websites, looking for exploitable vulnerabilities.

WhiteHat does its scanning without access to the client’s source code and from outside the client’s firewall using the standard HTTP Web protocol. This approach is sometimes called “black box testing” because the website’s contents are opaque to the security assessors. The problem with black box testing, of course, is that it is sure to miss many vulnerabilities and back doors that are hidden in the source code—black box testing can only find vulnerabilities that are visible to someone using your website. But the advantage of this approach is that it precisely mimics how a hacker would most likely conduct his reconnaissance and break-in.

I met Grossman this past February at the RSA Data Security Conference in San Francisco and then had a follow-up meeting with him in early March. What he told me was not all that surprising, but it was tremendously disturbing nonetheless. According to Grossman:

  • WhiteHat is able to find significant vulnerabilities in approximately 80 percent of the websites that it analyzes.
  • The 20 percent that don’t have vulnerabilities are usually just “brochure-ware”—just a website with no active e-commerce application.
  • Most C-level executives think that firewalls protect websites against Web-application attacks. (They don’t.)


Before founding WhiteHat, Grossman spent two years working in the security group at Yahoo. It took Grossman and his team roughly a week to test each of Yahoo’s sites. At that rate, he said, it would have taken more than 10 years to test all of Yahoo’s online properties—assuming that they never changed. Of course, websites do change. And every time a website gets a significant makeover it has to be retested; otherwise newly introduced security vulnerabilities can go unnoticed.

Yahoo’s systems were protected by firewalls and other kinds of network isolation approaches. But these technologies don’t prevent most attacks aimed at Web applications. Firewalls and isolated networks prevent an attacker on the Internet from interacting with a service. But Web applications, by their very nature, need to be open to anyone on the Internet. If a merchant were to use its firewall to block access to its shopping cart system, then none of the website’s users would be able to buy anything!
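The two points above, that a packet filter admitting HTTPS cannot tell a malicious shopping-cart request from a benign one, and that a black-box assessor sees only status codes and response bodies, never the source, can be made concrete. The following is an added illustration, not WhiteHat's code or the article's; the catalogue, the `cart_total_*` handlers and the probe inputs are all constructed for the example.

```python
# Added illustration (constructed, not WhiteHat's or the article's code): a
# port-based firewall passes every HTTPS request, so only the application
# itself can reject bad input; a black-box probe sees only what it is sent.
from urllib.parse import parse_qs

PRICES = {"book": 12.50, "pen": 1.25}   # constructed catalogue


def firewall_allows(dst_port):
    """Packet-filter rule: admit only TCP/443 to the web tier.
    It sees ports, not application semantics, so all requests below pass."""
    return dst_port == 443


def cart_total_unsafe(query):
    """'Before': trusts query parameters as-is. Unknown items or
    non-numeric quantities raise (a 500 from outside); a negative
    quantity silently produces a credit."""
    params = parse_qs(query)
    item, qty = params["item"][0], int(params["qty"][0])
    return 200, "total=%.2f" % (PRICES[item] * qty)


def cart_total_hardened(query):
    """'After': validate item against the catalogue and bound the quantity."""
    params = parse_qs(query)
    item = params.get("item", [""])[0]
    qty_raw = params.get("qty", [""])[0]
    if item not in PRICES or not qty_raw.isdigit() or not 1 <= int(qty_raw) <= 99:
        return 400, "invalid item or quantity"
    return 200, "total=%.2f" % (PRICES[item] * int(qty_raw))


def black_box_probe(handler, port=443):
    """Outside-the-firewall view: send a few constructed requests and judge
    only from status code and body, never from the handler's source.
    Flags server errors and responses that reveal unvalidated input."""
    cases = ["item=book&qty=2", "item=book&qty=-3",
             "item=lamp&qty=1", "item=pen&qty=x"]
    findings = []
    for q in cases:
        if not firewall_allows(port):
            continue                    # blocked at the network layer
        try:
            status, body = handler(q)
        except Exception as exc:        # an unhandled error looks like a 500
            status, body = 500, type(exc).__name__
        if status == 500 or (status == 200 and "total=-" in body):
            findings.append((q, status, body))
    return findings
```

Run against the unsafe handler the probe reports three findings; against the hardened one it reports none, even though neither version changed anything at the firewall.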
