Opinion

Industry View: Web Application Security Today - Are We All Insane?

WhiteHat Security's Jeremiah Grossman believes the current approach to Web application security is the very picture of insanity

By Jeremiah Grossman

July 02, 2008 | CSO

Seventeen million programmers are churning out an estimated 102 billion new lines of code per year. Add 162 million websites online, with 809,000 using SSL (an indication of valuable data) and the problem becomes apparent. Researchers estimate that roughly one security defect exists per 10,000 lines of code and nine out of 10 websites contain one or more serious vulnerabilities. If only 1 percent of security defects are exploitable that means we are generating 102,000 zero-days per year - we just don't know where most of them are. Even if 90 percent of the SSL websites contained only a single issue, 728,100 website vulnerabilities are already in circulation, and we don't know where those are, either.

While Web application security was clearly recognized as a big problem several years ago, many organizations were slow to act. Now Web application exposure has reached the crisis stage because criminals have taken notice and made Web applications their primary target. There's an old proverb that explains how to determine whether or not someone is sane. An individual is shown a river flowing into a pond. He is given a bucket and asked to drain the pond. If he walks to the stream to dam the inflow into the pond, he is considered sane. If he decides to empty the pond with his bucket without first stopping the inflow, he is considered insane. This is analogous to today's approach to software security, and specifically Web application security.

While the data (think credit card and Social Security numbers) contained in websites can be highly attractive, so too is the ability to access unsuspecting users of the website. In what has become an incredibly common attack, cyber criminals penetrate one of a website's many weak spots and silently lace the Web pages with malicious code. When visitors arrive, their Web browser is automatically exploited and their machine loaded with Trojan horses designed to steal passwords, send spam, attack other computers, and more.

In April 2008, a single massive hack infected hundreds of thousands of Web pages using a sophisticated form of blind SQL Injection. Something we thought technically possible turned real, right before our eyes.

The problem has gotten so bad that industry sources say most websites hosting malware have been hacked, Google says 1.3 percent of its search queries return malicious content, and Vint Cerf (father of the Internet) estimates that one quarter of all PCs are part of a botnet. Firewalls are not working. Antivirus and anti-spyware software are not working, nor are weekly patching, user education, SSL, or "turning off the home computer" as recommended by the FBI cyber-crime website. In what has become an inside joke, every authority says to use these "best practices" despite their ineffectiveness.
