The Role of Web Application Security in Protecting Critical Business Data Date:   Wednesday , April 01, 2009 The explosion of web applications introduces a host of new and ever-changing threats to data security that put enterprises and consumers at risk. Hackers are continuously finding new ways to exploit these applications and skirt existing security measures. What are the top web security challenges for 2009? And how can businesses protect against and remediate these threats? IDC predicts the web security appliance market to grow at a rate of 23.6 percent per year for the next five years, from $256.7 million in 2007 to $745.4 million by 2012. Such robust growth is not surprising—the SANS Institute reports that 50 percent of web applications have major vulnerabilities. Due to the escalation of threats and high profile security breaches reported over the past few years, companies are recognizing that web application security is no longer an option, but a must. THE SECURITY PARADIGM SHIFT Web applications have fundamentally changed the security game. Most IT professionals have traditionally been responsible for securing networks with established technologies such as network firewalls, intrusion detection systems (IDS) and SSL VPNs. Corporate networks are relatively static from environment to environment and are not equipped to deal with the unique and complex security requirements of web applications. Companies may have dozens or even hundreds of web applications available on their websites, and many of these applications change every day. To compound the challenges, no two web applications are the same. If two competing banks offer online bill pay functionality, the underlying web applications powering the function will be entirely different. As such, web applications can originate from multiple sources, including internal development, outsourcing, third-party packages, or inherited through merger or acquisition. It is especially challenging to secure web applications when the application code may not even be accessible. TOP WEB APPLICATION SECURITY THREATS AND COUNTERMEASURES In the last year, attacks against web applications have expanded in scope from attempts to extract credit card information from ecommerce sites using automated mass SQL injection bots to scraping entire libraries of valuable information from subscription-based sites. While web attacks come in a variety of flavors, there are a few common elements that put businesses at risk and allow hackers to steal databases of information. By understanding the commonalities, security teams can better protect their data. Injection flaws – The top reason for credit card data compromise, this attack technique is executed by a user who inserts SQL query commands into the web application’s input fields, such as ID and password fields on a login page. In a vulnerable application the commands are sent to the back-end database, as with legitimate data, and the database is tricked into executing them. Attackers use this SQL injection technique to steal customer data such as credit card numbers, hold customer data hostage by encrypting it or destroy it entirely. To protect against SQL injection vulnerabilities in their web applications, organizations can deploy a web application firewall to block all malicious requests coming in to the application and prevent database error messages from being sent out. Many web application firewalls learn the bi-directional behavior expected when a browser interacts with a server and for specific input fields. With this positive security profile, web application firewalls ensure that anomalous data cannot be inserted into the application. Other remediation techniques include configuring the web application to conceal database error message leakage, using the controls built into the database itself and adding code around each user input field to ensure only legitimate characters can be used. Attacks Against Clients – Cross-site scripting attacks take advantage of web applications that have missing or insufficient input validation and do not properly output encode user supplied data when sent to clients. Attackers insert code into the web browser using special characters that are then executed in the browser when accessed by subsequent users. The web browsers are tricked into executing the user-supplied data. XSS is a technique commonly used in phishing attacks, in which users are redirected to another, site where they are asked for sensitive information such as user names and passwords. A web application firewall can prevent XSS attacks by blocking all attempts to inject scripts into the application. Additional remediation tactics include identifying all areas within an application where user input is added to the application output, such as product reviews or user comment pages, and adding code around each of these user input fields to ensure only legitimate characters are permitted and the data is properly encoded when added to HTML pages. Automation – As an emerging web application security threat, scraping is unlike typical injection attacks. Each individual request looks normal with no malicious payload that would be detected by either positive security or negative security models. Attackers scrape websites by first creating a legitimate account on the web application. Once logged in, they launch bots to extract information in bulk, which was intended to be served up one record at a time to a legitimate subscriber. The bot allows hackers to extract volumes of information quickly and effortlessly resulting in data theft that can put the organization at a competitive disadvantage. Additionally, scraping can be used as a denial-of–service attack technique. Web application firewalls may provide anti-automation capabilities by enforcing proper thresholds on access attempts for specific application resources. When violations occur, a web application firewall can terminate transactions at the user session or IP level. Existing network security tools are designed to detect behavior at the network layer, not at Layer 7 or in web application sessions. Web application firewalls, however, can detect behavior at all layers. THE CASE FOR WEB APPLICATION SECURITY TECHNOLOGIES While the challenges of securing web applications seem severe, the cost of data leakage is even steeper. Since January 2005, more than 245 million records containing personal information have been stolen, according to the Privacy Rights Clearinghouse. And a 2007 Ponemon Institute study found that the financial impact of identity theft breaches are on the rise with an average cost of $6.3 million per incident. Today, approximately 80 percent of successful attacks against organizations occur due to exploitation of vulnerabilities in web applications. While web applications offer new and convenient ways to interface with consumers online, they also expose organizations to significant risk. Hackers are actively analyzing applications to understand them and exploit their underlying mechanisms. Web application defects are directly tied to security vulnerabilities, lost revenues and dissatisfied customers. Testing alone cannot uncover all vulnerabilities. Using a web application firewall that offers real-time monitoring for defects and protection against attacks of production applications is essential. The results should be used not only to block attacks, but to work closely with development teams and application owners to remediate weaknesses in the code itself. The author is senior Vice President at Breach Security.