Business Conversation

February 28, 2008

2007 - Another crisis year for Web Security!

Today we published our application security trend report for Q4 and the full year 2007. And although some progress was made by a lot of corporations and government agencies, the prognosis continues to be grim. We are barely scratching the surface. We have a long way to go, and many companies are still trying to figure out what they should be doing. Here's my abbreviated executive summary from the trend report. You can download the full report from the Cenzic home page at www.cenzic.com. Please feel free to provide feedback or start a dialogue on the subject here.

2007 was certainly an eventful year, and not just for election primaries. In 2007, we saw a number of creative and lethal attacks, and not just in election debates. Web site hacking continued to gain momentum as hackers had a field day exploiting vulnerabilities across all geographies and across different types of Web applications. From the SQL Injection Robot, to a Russian malware gang attacking a government site, to the exploitation of various Google vulnerabilities, to attacks on various universities, the attacks continue. Financial gain continues to be the primary goal, but we also saw attacks to steal intellectual property and student records, and in a few cases to deface Web sites. The total number of vulnerabilities stabilized, but Web application related vulnerabilities continue to hover around 70 percent of total vulnerabilities. The “bad guys” go where the vulnerabilities are, and Web applications are certainly appealing and inviting to these constituents.

Application vulnerabilities in Q4 tracked the first three quarters in terms of their dominance, forming 71 percent of the total 1,404 published vulnerabilities, a three percent increase over Q3. The scary part is that 70 percent of these vulnerabilities are easily exploitable. Application vulnerabilities are the ones that pertain to Web technologies, including Web servers, Web browsers, and Web applications. These published vulnerabilities are for commercially available software and infrastructure that corporations and government agencies buy from ISVs (Independent Software Vendors). They don’t take into account the thousands of vulnerabilities that are created while programming in-house or proprietary applications, many of which are outsourced to other countries including India, China, and Russia.

Millions of consumers spent more than $29B during the 2007 holiday shopping season in the U.S. alone, putting their personal information, including credit card numbers, into all kinds of Web sites. While there haven’t been many incidents reported of records stolen or major hacking since the holiday season, the silence is deafening. There’s actually a valid reason for this. First, it takes a while before companies realize that information has been stolen from their databases. Secondly, hackers are no longer interested in publicizing their conquest stories. It’s in their best interest to steal the information and use it in stealth mode for as long as possible. Rest assured, some of these sites have probably already been hacked, and the stories will start coming out as the year progresses.

Most of the vulnerabilities in Q4 were within the applications themselves, comprising about 85 percent of all Web application vulnerabilities. Web server and Web browser vulnerabilities were 10 percent and 5 percent respectively. Applications written in PHP continued to be a major chunk forming 30 percent of all vulnerabilities.

Our Top 10 vulnerabilities for Q4 2007 span various technologies and companies, including OpenSSL, IBM Lotus Notes, Adobe Acrobat, Java, RealPlayer, PHP, IBM WebSphere, Apache, and Adobe Flash. Since this is a year-end report, we added a section for the Top Five Application Security Vulnerability Trends for all of 2007. Our Top Five for 2007 include JavaScript Trickery, Universal XSS in Adobe Acrobat Reader, the Mass SQL Injection Worm, Google Gadgets and Gmail Hacks, and the Orkut XSS Worm.

Cenzic’s ClickToSecure managed service, which tests customers’ Web applications remotely, once again found that roughly 7 out of 10 Web applications are vulnerable to various types of flaws, including Cross-Site Scripting, Information Leaks and Exposures, Authorization and Authentication flaws, Session Management weaknesses, SQL Injection, and other security defects.

In 2007, we were encouraged to see more corporations and government agencies taking action by testing their applications for security vulnerabilities, partially driven by regulations like PCI, AB1950, and GLBA, and partially to protect their brands. But we still have a long way to go. The technology and expertise are available for organizations to start their application security process quickly. Now, with virtualization integrated into some Web application scanners, they can also start testing their production applications and not just the applications in development and Q.A. We hope we’ll continue to see this momentum of security consciousness in 2008 as we deal with Application Security, the next frontier.

- Mandeep Khera

November 11, 2007

As Holiday Shopping approaches, Web security woes continue

With the release of our Q3 Trends report on Web application security on Nov 12th, we continue to see a rise in application vulnerabilities, which formed 68% of all published vulnerabilities in the quarter. But the main issue here is not the rise in application vulnerabilities. Rather, the problem is inaction, or lack of sufficient action, by companies and government agencies in securing their Web applications. Jupiter Research is predicting that 126 million shoppers will spend over $39 billion this holiday season. That's a lot of shoppers putting their personal information into millions of Web sites that sit on top of applications, most of them vulnerable to hackers.

Looking at the data from our services unit as well as many published sources, we estimate that about 90% of all Web applications out there contain some vulnerabilities. While 70% of the applications tested by Cenzic's managed service unit were found to be vulnerable, most of these companies are in North America and are sophisticated users who understand the importance of securing their Web applications. If we look at the entire population of Web applications across the world, there is little awareness of secure coding and application vulnerabilities.

To give credit where it's due, there are a number of leading-edge companies in North America like Google, Oracle, and Microsoft, along with many large financial services companies and a few government agencies, that are making major investments in testing their applications and fixing vulnerabilities. But these form a small percentage of all the companies that are doing e-commerce transactions or collecting customer information online.

As hackers keep getting smarter, Web sites keep getting hacked without companies realizing the intrusion, and consumers keep getting frustrated with their identities and other personal information being stolen. So, what can we do? Customers need to be more alert, look for the right companies to do business with, and ask the right questions about Web security. Companies and government agencies need to do a lot more to secure their Web applications and start the process immediately. We have a long way to go, so the quicker we can start, the better. And let's hope this Christmas season doesn't turn into Halloween when it comes to holiday shopping!

- Mandeep Khera, Cenzic Inc.

September 28, 2007

Symantec Threat report stresses app security, Web security woes continue for Google, Banks, Government

Symantec Corporation recently issued its Internet Security Threat Report, confirming many of the trends that Cenzic had published in its first two quarterly trends reports. While there are many malicious activities going on on the Internet, from network-level worms to client-side exploitation with tools like MPack, Web application security continues to be the most critical concern. Symantec found that 61 percent of published vulnerabilities related to Web applications, which tracks closely with what Cenzic found in the first two quarters. So, what does that mean? It implies that every month roughly 300 to 500 new vulnerabilities are being reported for Web applications, and organizations not only need to catch up on all the vulnerabilities from the past many months but also keep up with the new ones every month. And the worst part is that over 70% of these vulnerabilities are easily exploitable. So, what would the hackers do? They would attack where the majority of the vulnerabilities are, and it's not in the network any more. Web 2.0 technologies, with Ajax and other scripting languages, continue to create even more headaches, from a security standpoint, for corporations and governments.

In the last few months we have seen many attacks, including the cross-site request forgery attack on Google, the attack on CBS News, the Ukrainian attack on a US Government job site, and the Chinese government attack on a Pentagon site, to name a few. Also recently, the Homeland Security Department improperly disclosed details about a serious threat to the U.S. electrical grid to industry researchers, just days after it produced a video showing simulated hackers remotely seizing control of a $1 million diesel-electric generator, which raised a lot of questions about cyber security.

So, the big question is: if everyone knows that they are exposed, why aren't they doing something about it? There are many reasons, including: (1) Lack of understanding. Many security professionals at companies of all sizes still believe that they are secure because they have network firewalls, IDS, and other network security technologies in place. This is a complete fallacy. None of these technologies will protect them from Web application attacks. (2) Lack of resources. Even if organizations understand the exposure, they have too many applications to test and they are just scratching the surface. (3) Ostrich mentality. I have been told by many CSOs and other security executives that they have never been hacked, so they are not worried. When I ask how they know that, they typically don't have a very good answer.

We think these attacks will only intensify as hackers become more organized, with proper structures and attacks aimed at major financial gain or at stealing IP. We'll see more politically motivated attacks as well, as governments come to see Web sites as a weak link with easily exploitable assets underneath. Governments and corporations need to move fast to start taking Web security seriously, before it's too late.

- Mandeep Khera, Cenzic Inc.

September 20, 2007

Web Security and Ease of Doing Business

The other day I was trying to send some money to someone using one of the money transfer companies. After going through a rigorous process and phone calls for half an hour, I gave up. The good news was that this company was taking extra precautions to secure its transactions through the Web, given that in this case actual money was involved. The bad news, however, was that it made the transaction so complicated that they lost my business.

Many companies that conduct online transactions with customers are going through the same predicament. How to provide adequate security without making it too difficult for the customer to do the transaction?

There are certain practices that certainly make sense, like strong passwords (e.g. minimum 8 characters, alphanumeric, etc.), security questions, and even a secondary key. Where it starts getting sticky is when there are phone verifications or additional pieces of information that customers don't like providing, or that are too time consuming.

The worst part of some of these processes is that the two fundamental principles of "Let the Good Guys In" and "Keep the Bad Guys Out" are reversed. So the good guys have problems getting in because of all the additional measures, and the bad guys still come in. How does that happen? Very simple: the bad guys are coming in by exploiting the vulnerabilities in the Web applications that sit underneath the front end. Most of the applications that we have seen are still vulnerable, and hackers know how to easily exploit them through the user interface, including forms and fields.

As a best practice, organizations should implement some of the measures mentioned above for access by the "true" customers without making it too difficult. And a much stronger emphasis needs to be placed on finding and fixing vulnerabilities in the code itself. Make it more difficult for the hackers to come in, not the customers.

I would love to hear some of the best practices people are following that are working well. Please post your comments.

- Mandeep Khera, Cenzic Inc.

September 10, 2007

Web App Security, not as Sexy as James Bond but Close

I saw a news story last week that was kind of surprising to me but really shouldn't have been. An article posted by the Financial Times (http://www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html) discussed the Chinese military hacking into the Pentagon. It surprised me because I never really thought of the military groups from different countries hacking into each other. Call me old school, but I still pictured spying and espionage between countries to be handled by the equivalent of James Bond. Thinking about it just a little and applying a tad of logic makes me realize how foolish that thinking is.

In the article, China was painted as the villain since they hacked into the Pentagon and had previously hacked into some German government computers. However, the article also mentions that the US is assumed to regularly scan Chinese networks. Both of these ideas simply emphasize how much easier it is to hack into a computer system than to directly risk the lives of your "super spies." It might be sexier to seduce foreign agents while stealing top secret documents but it's safer to do it online instead. No need to end up being strapped to a table while a laser preps to slice you in half.

How and where the computer was hacked wasn't mentioned, but comments near the end of the article had me thinking it was an email account that was hacked. It could just as easily have been via a Web site instead. Hopefully any Web sites being used by the Pentagon are performing some simple input validation. Most Web application vulnerabilities can be avoided by validating the data being entered. If asking for a person's name, accept only letters. If asking for a phone number, accept only numbers. At least block the simple stuff. It might not make you a super spy, but you can still be a hero in your office. You can always hope for more excitement when ordering that martini shaken, not stirred.
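The allowlist validation the paragraph above recommends, as an added Python example (not the author's or Cenzic's code): each field type gets a pattern of permitted characters plus a length limit, and the whole value must match. The field names, sample form values and limits are constructed for the illustration; the last function shows why the match has to be anchored over the entire value.

```python
import re

# Allowlist rules per field type, following the post's advice literally:
# a name accepts only letters, a phone number accepts only digits.
# [0-9] is used rather than \d because \d also matches non-ASCII digits
# (e.g. Arabic-Indic digits), which a downstream numeric parser may not expect.
# The length limits are constructed for this example.
FIELD_RULES = {
    "name": (re.compile(r"[A-Za-z]+"), 64),
    "phone": (re.compile(r"[0-9]{7,15}"), 15),
}

# Constructed schema: form field -> field type. Fields not listed are rejected.
SCHEMA = {"name": "name", "phone": "phone"}

# Constructed sample submissions.
GOOD_FORM = {"name": "Alice", "phone": "5550100"}
BAD_FORM = {"name": "Alice Smith", "phone": "555-0100", "extra": "x"}


def validate_field(kind, value):
    """Return None if `value` is acceptable for field type `kind`, else an error string."""
    if kind not in FIELD_RULES:
        return f"no validation rule for field type {kind!r}"  # fail closed
    pattern, max_len = FIELD_RULES[kind]
    if not isinstance(value, str):
        return "value must be a string"
    if len(value) > max_len:  # cheap check before the regex runs
        return f"value exceeds {max_len} characters"
    # fullmatch requires the entire value to conform; a partial match is a reject.
    if pattern.fullmatch(value) is None:
        return f"value contains characters not allowed in a {kind} field"
    return None


def validate_form(form, schema):
    """Validate a submitted form against `schema`; return {field: error} (empty if clean)."""
    errors = {}
    for field, kind in schema.items():
        if field not in form:
            errors[field] = "missing"
            continue
        err = validate_field(kind, form[field])
        if err is not None:
            errors[field] = err
    # Fields the application never declared have no rule, so reject them too.
    for field in form:
        if field not in schema:
            errors[field] = "unexpected field"
    return errors


def compare_anchoring(value):
    """Show the anchoring pitfall: returns (loose_accepts, strict_accepts).

    re.match with ^...$ lets '$' match before a trailing newline, so a value
    ending in '\\n' passes; re.fullmatch over the bare pattern does not.
    """
    loose = re.match(r"^[0-9]+$", value) is not None
    strict = re.fullmatch(r"[0-9]+", value) is not None
    return loose, strict


if __name__ == "__main__":
    print("good form errors:", validate_form(GOOD_FORM, SCHEMA))
    print("bad form errors:", validate_form(BAD_FORM, SCHEMA))
    print("anchoring on '1234567\\n':", compare_anchoring("1234567\n"))
```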

July 29, 2007

State of Application Security - Q2 Analysis

Cenzic will be releasing its Q2 Trends report on the state of Web application security on July 31st. Here's the executive summary from the report. You can download the full report from the www.cenzic.com home page starting July 31st.

Facts around Web application security continue to surprise and alarm us. Fact – according to some estimates there are over 100 million Web applications facilitating transactions and collecting information. Fact – less than 5% of applications have been tested for vulnerabilities. Fact – the majority of companies that are doing anything about security are testing Web applications only while they are in the development or Quality Assurance stage, leaving the 99% of applications that are in the deployed phase exposed at any given point. Fact – new vulnerabilities at the application layer continue to dominate. Fact – hackers continue to attack at the application layer because that’s where most of the vulnerabilities are. So, in spite of these glaring facts, why aren’t companies taking the necessary steps to protect their critical information? We find that lack of awareness continues to be a problem when it comes to application security. Most companies still don’t grasp the concept of securing applications. To these companies, network firewalls, Intrusion Detection Systems (IDS), and anti-virus software should be enough to protect them from hackers. As cyber attacks against applications continue to rise, many companies are still unaware that they have been hacked. For every hack that’s been published, there are hundreds of hacks that go unreported, sometimes for months. Hackers are getting smarter and know how to keep secrets.

Similar to our Q1 Trends report, we have noticed that vulnerabilities at the application layer continue to dominate the overall published vulnerabilities. In Q2, we observed that of the 1,484 published unique vulnerabilities, 72% related to Web technologies, including Web applications, Web servers, and Web browsers. This reflects an increase of over 7% from the Q1 figure of 67%. It comes to about 355 new application-related vulnerabilities per month. What’s frightening is that 65% of these vulnerabilities were easily exploitable. In other words, hackers don’t have to be overly sophisticated to take advantage of them.

In terms of the types of published vulnerabilities, the trend continues to mirror previous quarters, with Cross-Site Scripting, SQL Injection, and File Inclusion as the major vulnerabilities. We also observed new vulnerabilities being discovered in newer technologies like Ajax and Web services, as developers are still coming up to speed on how to do secure coding with them. For browsers, Internet Explorer continues to lead with 33% of the browser vulnerabilities, followed by Firefox with 26% and Opera with 21%.

Additionally, the number of probes and attacks continues at a strong pace. Activity in Q2 was influenced by vulnerabilities in IBM Lotus, Adobe, QuickTime, Cisco, and Apache Tomcat, and by various Microsoft vulnerabilities.

Data from Cenzic’s ClickToSecure managed service, which remotely tests thousands of pages of customers’ Web applications for vulnerabilities, shows that Cross-Site Scripting once again remains the most common vulnerability. Cross-Site Request Forgery, Information Leaks and Exposures, Session Management vulnerabilities such as session hijacking and authentication bypass, and various other Authorization and Authentication vulnerabilities also continue to play a major role.

With roughly 400 new application vulnerabilities arising every month from the published vulnerabilities alone, we believe there are thousands more that are unpublished, either because no one reported them or because they were found in home-grown applications. With a very small percentage of Web applications tested, most corporations are highly exposed. Even the corporations, including many in the F1000, that have formal security testing in place are testing a small fraction of their total applications. Most of the regulations around protection of consumers’ private information are vague at best and silent at worst when it comes to application security. Regulatory bodies need to start adding specific clauses to the various regulations that require securing Web applications. The Payment Card Industry (PCI) regulatory body has already taken some steps toward this, and that’s helping increase awareness and providing an impetus for application security. Cenzic is also urging corporations and government entities to focus on a model of continuous testing of all applications, whether they are in development or already deployed. By using virtualized environments, organizations can start testing all their applications not once a year but once a month, and start taking action. Application security is no longer a matter of ad-hoc testing as a check box but a risk-management issue. We need to take action and start implementing initiatives that plug the holes in our applications. Consumer confidence and the future viability of our e-commerce depend on it.

- Mandeep Khera, Cenzic Inc.

July 22, 2007

What are Google's intentions?

In contrast to most of the news regarding Google, which tends to focus on competition with Microsoft and Yahoo or anti-trust disputes, the company received some attention last week for an internal application security project code-named Lemon. Some details were provided on the Google security team’s blog:

http://googleonlinesecurity.blogspot.com/2007/07/automating-web-application-security.html

The internal initiative involves using fault injection techniques to detect cross-site scripting vulnerabilities in Google applications. The security staff discussed the need not only to test many permutations of cross-site scripting vulnerabilities, but also to reliably enumerate an application's injection points (spidering or crawling the application). They noted that they had developed the capability in-house because of the nature of the Google application development environment.

Interestingly, one can speculate that this may be part of a broader initiative aimed at providing compliance services for corporate customers. Google clearly envies the position that Microsoft holds with corporate customers, particularly its franchise in Microsoft Exchange. The recent acquisitions of Postini and GreenBorder suggest that the company may be shaping a service aimed at providing a broad range of security compliance services, including application security.

Our take is that Google has chosen a viable approach in emulating the scanning, fault injection and assessment technology that we have been delivering for several years. With a narrow focus on a specific vulnerability such as cross-site scripting and a particular development environment, it is likely that they will have success. We applaud Google for taking the initiative to beef up security for its internal applications. Google needs, however, to enhance this further by adding testing functionality from commercial risk-management solutions or services. Application security is not a trivial task, and Google should take advantage of the expertise of the security vendors who do this for a living. Some of the leading companies that have been fairly successful in securing their key applications have used a combination of internal and external resources. Google should adopt their model and leverage that expertise instead of trying to do everything with its own resources.

- John Reno

June 30, 2007

How iPhones Should Change Your Thoughts on Web Application Security

I'm sure that many of you saw the recent announcement from Apple. No, not the one about their iPhones finally being available. (I love new toys, but I'm holding off on that one for now.) I'm talking instead about Safari now being available on Windows. Having a Mac at home, I of course had to immediately download and play with it. It works about the same as the Mac version: clean resolution, quick speed, Mac feel. Unfortunately for Apple, it's not enough to pull me away from using Firefox. I won't go into all the details of why Firefox is better. Instead I'll leave that to someone else; check out the side-by-side comparison by Percy Cabello on Mozilla Links (http://mozillalinks.org/wp/2007/06/feature-by-feature-firefox-vs-safari/).

I'm also sure that those of you who saw the Safari announcement also saw the security alerts that came out shortly afterwards (http://www.networkworld.com/news/2007/061107-safari-for-windows-released-and.html and http://www.securitytracker.com/alerts/2007/Jun/1018282.html, to name two). While it is to be expected for beta software, for software from such a high-profile company as Apple, and for software with the claim of being "designed ... to be secure from day one", it shouldn't have happened quite that fast. It goes to show that you're never as secure as you think you are.

Anyway, I digress from where I was originally trying to go. With the introduction of one more serious browser client, it becomes that much more apparent that Web applications will need that much more work. Whether you're designing in the latest Web 2.0 functionality or simply updating a module, you now need to test against one more browser. You might think that simply following HTML standards would be good enough, but consider the different methods of presenting data used by Safari, Firefox, IE, and Opera. Then throw in the different operating systems for each. And then consider all the handheld devices which are now accessing Web sites: BlackBerrys, Treos, iPhones. Users now have a ton of different methods to access your Web application. And if you aren't prepared for all these choices, then someone is going to be able to use different devices to gather info about your Web application and then use that info to find a vulnerability.

To a degree, the method of access shouldn't matter. However, if you are only testing your Web application with IE on Windows, you might want to consider including something else.

- Mike Kazmierczak, Cenzic, Inc.

June 19, 2007

HP follows suit by gobbling up SPI Dynamics

As expected, HP announced the acquisition of SPI Dynamics today. Another huge validation for the Application Security space. Finally, companies are realizing that with 75% of attacks occurring at the application layer and 7 out of 10 applications vulnerable, there's a drastic need to take action. Large companies like IBM and HP recognize this tremendous upward movement and want to get ahead of the curve to meet customers' needs. HP had been in conversation with SPI for the last couple of months and plans to integrate SPI's products into the Mercury quality assurance suite.

While integrating security testing with functional testing is important (note: Cenzic has already integrated with Mercury and Borland), we believe that it's not a good solution for customers if the security product loses its identity completely, for a number of reasons. First, customers like best-of-breed products. They don't want to buy Mercury just because they want security testing. Secondly, most of the testing and buying is still taking place at the Chief Security Officer (CSO) and InfoSec group levels. This organization is typically separate from the Development/Q.A. organization. Not having a stand-alone product can severely hinder the Information Security group's efforts. Finally, about 99% of applications are already in production, and until they go through new development, someone still needs to test them for security and find vulnerabilities.

People are asking us if Cenzic is next in the acquisition train. Frankly, we are focused on building the business and continuing to make significant enhancements to our risk-management solutions. We will always be open to strategic relationships with security vendors like Cisco, Juniper, Symantec, McAfee, Verisign, and CA, or ALM vendors like Compuware and Borland, that help enhance value for the customers. Our motto continues to be: Superior Solution, Superior Service. Stay tuned.

- Mandeep Khera, Cenzic Inc.

June 15, 2007

Impact of IBM Acquisition of Watchfire

As the announcement of IBM's acquisition of Watchfire hit the wire on Wednesday, June 6th, there was a lot of buzz in the media about the impact of this acquisition. I have provided some links to these articles below. Many reporters and security executives have asked me about my thoughts on the topic, which I would like to share here as well.

First of all, I think the acquisition is a big-time validation for the application security space. It also means that more and more companies are getting serious about application security. However, application security still has a long way to go. As far as the impact on existing Watchfire customers, we'll have to wait and see. From all the indications so far, it looks like IBM will absorb Watchfire's AppScan product into its Rational suite. This can't be good for Watchfire customers, because there won't be a standalone product and IBM will not focus on enhancing the security functionality in the product. It'll become just another feature of the Rational quality testing suite.

We also believe that there's too much hype about integrating security testing tools into the Software Development Lifecycle (SDLC). We agree that it's important to test early in the development lifecycle. However, with all this hype, companies are starting to focus only on the new applications as they develop them. What about the remaining 99% of Web applications that are already in production? A good analogy is anti-virus products: an anti-virus scan can be run before the OS and other software are installed on the desktop, but most of the scanning occurs after the user starts using the desktop.

Cenzic believes that companies need to take a holistic risk-management approach. Find out how many apps you have and at what stage they are, find out who owns those apps, track when those apps were tested and how often, understand what's still vulnerable, and at the management level create metrics to understand the security posture of the company and monitor it on an ongoing basis. This is not about ad-hoc testing of a few applications just to get a check-box item crossed off. This is about protecting your brand and your customers.

We are sure there'll be more consolidation in this space as various Application Lifecycle Management (ALM) vendors (HP, Compuware, Microsoft, and Borland), Security vendors (Symantec, McAfee, Verisign, and CA), and Infrastructure vendors (Cisco, Juniper, Citrix, and many others) need to add similar functionality to their portfolio. We just hope that the customers will push their vendors to offer combined solutions that are more holistic rather than a point solution as part of a development suite.

Whatever the solution, companies need to start testing applications for security vulnerabilities NOW. We have a catastrophe waiting to happen based on what we saw in Cenzic's first Quarterly Trends Report (download from http://www.cenzic.com): 7 out of 10 applications are vulnerable, about 70% of total vulnerabilities are application related, and over 75% of attacks happen at the application layer. That is a recipe for disaster for the commercial and government sectors.

News stories from IBM/Watchfire deal:

http://www.computerwire.com/industries/research/?pid=53971D9D%2D84F3%2D4D7B%2DAFCF%2DB26EC2D93CAA
http://www.onstrategies.com/blog/?p=198
http://www.scmagazine.com/us/news/article/662742/ibm-keeps-mind-security-watchfire-buy
http://www.infoworld.com/article/07/06/06/IBM-to-buy-Watchfire_1.html
http://www.networkcomputing.com/showArticle.jhtml?articleID=199902344&queryText=watchfire+cenzic
http://www.internetnews.com/bus-news/article.php/3681766
http://www.computerworld.com/blogs/node/5652

- Mandeep Khera, Cenzic Inc.