10 Things You Should Know about Website Security
by Jeremiah Grossman
Founder and CTO, WhiteHat Security, Santa Clara CA USA
Products are available through WhiteHat's authorized reseller, Milestone Systems, Inc.
Email: info@milestonesystems.com Call toll-free: 866-646-9211
Why Do Websites Need Security?
Phishing schemes. Stolen credit card numbers. Identity theft. Websites have emerged as the target of choice for money-hungry hackers. Attacks have moved from the network layer to the Web application layer that people use to manage their lives every day: online shopping and banking, healthcare information management, insurance payments, travel booking and college applications. The ramifications for companies are clear: loss of data, loss of consumer confidence and loss of brand integrity. No company can afford the black mark of a website hack.
With many states mandating full disclosure, and the federal government close behind with its own efforts, the luxury of keeping these incidents behind closed doors has passed. Organizations must develop a strategy for complete website vulnerability management.
How can companies prevent these attacks?
The first step is to understand the fundamentals. This white paper examines the top 10 vital website security issues that affect software developers and information security professionals. Understanding these points will enable you to understand the scope of the problem -- and establish realistic approaches for vulnerability management and securing your websites. Consider these 10 points a springboard for further exploration of website security so that your organization and customers can avoid being victimized.
The 10 Things:
1. The Network Perimeter is Vanishing
Companies can no longer tout a locked-down perimeter as the ultimate defense. Hundreds of millions of people worldwide use the Internet to bank, shop, purchase goods and services, and perform research. With each transaction, private information, including names, addresses, phone numbers, credit/debit card numbers, and passwords, is routinely transferred and stored in a variety of locations.
To enable this flow of information, organizations must open up their firewalls -- the very devices once thought to offer impenetrable protection! Billions of dollars and millions of personal identities and private information are exposed to hackers who find their way in through security vulnerabilities in custom Web applications. From a security perspective, firewalls and SSL offer little protection.
Web traffic often contains attacks such as Cross-Site Scripting (XSS) and SQL Injection that enter through Port 80 and are not blocked by the firewall. Contrary to a popular market misconception, SSL is not capable of securing a website, but instead is tasked with safeguarding data in transit. Once data is on the Web server, it can be compromised, whether or not SSL is in use.
Website security is a specialized practice that focuses solely on the custom Web applications that sit on corporate Web servers. Network scanning covers packaged, off-the-shelf applications. Applications developed in-house (the vast majority of websites) need custom security to fend off the attacks that bypass the network perimeter.
2. Over 80% of Websites have Security Vulnerabilities
Consider the fact that 8 out of 10 websites visited each day have a serious security vulnerability that puts corporate and customer data at risk. Add to that the irreparable harm done to a company whose brand is compromised by a publicized attack. It's a call to action for any company doing any of its business on the Web.
WhiteHat Security, through its unique vulnerability management service, assesses the security of some of the largest and most visible websites in the e-commerce, financial services, and healthcare industries. Based on the aggregate data of thousands of website assessments, we've determined that over 80% of websites have vulnerabilities.
These vulnerabilities enable a hacker to access customer account data, execute administrative-level functions, defraud the business, or halt operations -- all serious business impacts.
Website vulnerabilities fall into 24 classes, as determined by the Web Application Security Consortium (WASC). Within those classes, there are vulnerabilities from the common, like SQL Injection and Cross-Site Scripting, to the obscure, like Abuse of Functionality and Insufficient Process Validation. The most important thing to remember here is that when you're talking about custom Web application vulnerabilities, they will be unique to your website. And, it takes a joint effort between the development and security teams to identify and resolve issues.
3. Faulty Input Validation is the Leading Cause of Website Vulnerabilities
User-supplied input must never be trusted, or more specifically, used, unless data integrity is first validated. User-supplied input includes query strings, post data, cookies, referrers, and other information not originating from the website. This is the most important lesson for developers to learn in creating solid Web application code. No other defense is a substitute.
We've seen that by following a few simple guidelines, security and code quality can be improved many times over.
Guidelines for User-Supplied Input
- Character-set: Only accept data containing a strictly limited and expected set of characters. If a number is expected, only accept digits. If a word, only letters.
- Data Format: Only accept data containing the proper format. If an email address is expected, only letters, numbers, the "@" symbol, dashes, and dots in the proper arrangement should be accepted. This includes enforcing minimum and maximum length restrictions on all incoming data. The technique should be used for account numbers, session credentials, usernames, etc. This limits the potential entry points for incoming attacks.
- Escaping: All special characters from incoming data should be escaped to remove an additional programmatic meaning.
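One way to apply all three guidelines to a request, as an added Python example (not WhiteHat's code): the field names, allowlist patterns and length limits are constructed for illustration, and unknown parameters are rejected outright to limit entry points.

```python
import html
import re

# Constructed allowlist rules for this example:
# field -> (regex that must match the WHOLE value, min length, max length).
# fullmatch() is used rather than a '$' anchor: '$' would accept a trailing newline.
RULES = {
    "account_number": (re.compile(r"[0-9]+"), 6, 12),            # digits only
    "username":       (re.compile(r"[A-Za-z0-9_]+"), 3, 32),     # letters, digits, underscore
    "session_id":     (re.compile(r"[0-9a-f]+"), 32, 32),        # fixed-length hex token
    "email":          (re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"), 6, 254),
}
# Free-text fields cannot be allowlisted; they get a length cap and HTML escaping instead.
FREE_TEXT = {"comment": 1000}


class ValidationError(ValueError):
    """Raised for any input failing the character-set, format or length check."""


def validate(field, value):
    """Return value unchanged only if it is a str, within the length bounds,
    and composed entirely of the field's expected characters."""
    if not isinstance(value, str):
        raise ValidationError(f"{field}: not a string")
    pattern, min_len, max_len = RULES[field]
    if not min_len <= len(value) <= max_len:
        raise ValidationError(f"{field}: length {len(value)} not in {min_len}-{max_len}")
    if pattern.fullmatch(value) is None:
        raise ValidationError(f"{field}: unexpected characters")
    return value


def escape_for_html(value):
    """Escape <, >, &, ' and " so free text echoed into a page cannot become markup."""
    return html.escape(value, quote=True)


def validate_request(params):
    """Check every query-string/POST parameter: allowlisted fields are validated,
    free-text fields are length-capped and escaped, anything else is rejected."""
    cleaned = {}
    for field, value in params.items():
        if field in RULES:
            cleaned[field] = validate(field, value)
        elif field in FREE_TEXT:
            if not isinstance(value, str) or len(value) > FREE_TEXT[field]:
                raise ValidationError(f"{field}: not a string or too long")
            cleaned[field] = escape_for_html(value)
        else:
            raise ValidationError(f"{field}: unexpected parameter")
    return cleaned
```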
4. Defense-in-Depth Protection is Necessary
As we've seen too often in the news, even companies with vast resources and large security teams can fall prey to hackers. If these high-profile organizations still fall short, how does the average online business protect itself or its customers? The answer is: Defense-in-Depth.
Defense-in-Depth is a practical approach to information security on which the industry has come to rely. The fundamental concept is that there should be multiple layers of security protecting your assets. Layers of security include input validation, database layer abstraction, server configuration, proxies, Web application firewalls, data encryption, OS hardening, etc. Once in place, it is necessary to frequently test the security of those layers.
The reasoning behind Defense-in-Depth is that if any layer is breached, there is another layer in place preventing compromise. With Defense-in-Depth, the risks associated with security lapses are significantly mitigated.
5. Many Vulnerabilities in Production Sites Do Not Originate in Development Code
One approach to identifying website security vulnerabilities in software is to examine the code for risk-prone operations prior to deployment. While the process is valuable, this alone does not provide a timely or complete picture of security. The execution structure of the code might not be apparent, and functionality interplay with other parts of a Web application might introduce new vulnerabilities. The more complex the system is, the greater the odds that a vulnerability will be missed. It is difficult, if not impossible, to keep production systems and quality assurance (QA) systems in perfect sync. This presents a unique challenge to developers and security professionals.
The WhiteHat Sentinel Service routinely identifies forgotten backup files, debug code, logic flaws, and configuration differences between various systems. Based on our experience, WhiteHat recommends that assessments be performed both before and after new code is released. This policy ensures that when the rubber meets the road, you're protected. Companies cannot risk exposure by missing production vulnerabilities.
Hackers find their way in through production sites, so production sites must receive at least the same security reviews as the development/QA sites, and preferably more extensive ones.
6. When Web Application Code is Updated, Security Must be Assessed
The fast-paced world of online business requires organizations to constantly develop new Web-based promotions, products, and services to attract customers. This creates a high-pressure environment for developers responsible for new custom Web application code. Push now or die is the mantra. And, the addition of even the smallest piece of code could negatively impact the overall security of a website.
To maintain control, organizations must create a process or find an expert to identify vulnerabilities so that they can be resolved. Many companies perform quarterly or annual Web application assessments, yet like many WhiteHat Sentinel customers, they push new code once a week. That's like opening up access to a company's data for most of the year.
Knowledge is power in the website vulnerability management arena. If developers and the security team know the risk they're facing, they can prioritize remediation and avoid a potential disaster. For example, cross-site scripting (XSS), once thought of as a medium-severity vulnerability by many companies, has started to turn heads.
By far the most prevalent website vulnerability in WhiteHat's experience, XSS has received newfound attention because of a new generation of viruses and worms capable of propagating at rates unheard of even a few years ago. An XSS worm shut down MySpace.com, the 32-million user social networking site, for 24 hours. The lost revenue and customer confidence were only part of the impact. It served as a wake-up call for the industry.
Once identified, XSS is easily eliminated from a website; the trick is to know that it's there.
7. Websites Accepting Credit Cards Need Web Assessments for Industry Compliance
The Payment Card Industry Data Security Standard (PCI), co-developed by VISA and MasterCard, is designed to ensure the security of cardholder data across its merchant websites. PCI defines a set of requirements for how cardholder information is to be protected and how compliance is to be assured. PCI requires merchants to have their publicly facing networks and websites tested every 3 months by a certified vendor. PCI compliance assures merchants and the credit card brands that no serious vulnerabilities are present and consumers can shop with confidence.
Even if your company does not retain cardholder data, the standard applies.
Most likely, you are guarding sensitive customer information like user names and passwords, social security numbers, healthcare information, etc. The price of non-compliance can be steep, ranging from large fines to revocation of VISA or MasterCard privileges. Imagine the devastating impact on an e-commerce website that can no longer accept VISA or MasterCard payments.
8. All Software has Flaws
The awful truth is that all software has bugs and all systems have weaknesses. This is the reality of software, no matter how robust our architecture designs, no matter how intensive our quality assurance process. Even Microsoft's "Trustworthy Computing" and Oracle's "Unbreakable" campaigns have been unable to achieve anything close to 100% secure code.
Given that, expect your custom website to have vulnerabilities -- but that's not the problem.
The issue is to be aware of and quickly and easily repair those vulnerabilities before an incident occurs. We advocate using tools to assess your Web applications throughout the development cycle. Source code scanners can be helpful to developers to identify specifc problems. The key is to understand that these tools are only valuable in conjunction with a security oversight program for production websites.
WhiteHat Sentinel customers are among the most security-conscious enterprises in e-commerce, financial services and healthcare. They understand that even the most diligent development team can produce vulnerable code. The mistake many companies make is to expect the opposite and jeopardize their security.
9. Resolving Website Security Issues Requires Updates to Custom Code
While it is intuitively understood that network vulnerabilities differ from Web application vulnerabilities, the differences become very apparent when we examine the work required to remediate them. Most security professionals are familiar with the patches available for network vulnerabilities; however, a key difference in website security is that each vulnerability fix requires updates to custom code. Each repair requires a code push that could introduce another vulnerability. So, while there may be fewer Web application vulnerabilities, the means of remediation is more complex. Therefore, it is imperative to continuously assess the impact of each fix to maintain secure applications.
10. Comprehensive Assessments Require Scanning and Expert Testing Methodology
As mentioned earlier, the Web Application Security Consortium has established a threat classification of 24 classes of website attacks. These are the means that hackers use to access corporate Web applications every day. IT security teams need a consistent flow of information to assess their risk posture and successfully defend against attacks. The best way to obtain that information is to conduct comprehensive assessments of all Web applications as often as the code changes. With WhiteHat Sentinel Service, that is typically once a week.
It is also critical to understand that no scanner can identify all 24 classes of attack. Scanners can find technical vulnerabilities -- those coding errors that can enable attacks like SQL Injection, cross-site scripting, and others.
Logical vulnerabilities -- those errors that require a contextual evaluation and manipulate application business logic, resulting in false account creation, user impersonation and unauthorized funds transfer (and more!) -- require a security expert for validation. These logical flaws include Insufficient Authorization, Insufficient Authentication and Abuse of Functionality.
The most effective method for identifying both technical and logical vulnerabilities is automated testing combined with expert analysis, which is iterative and continually refining and re-tuning itself to provide the latest and best protection.
Conclusion
Of course, there are hundreds of things to know about website security, not 10.
I've highlighted ten points to assist companies in creating a website vulnerability management strategy that works. Whether your company is evaluating website security for the first time, has had one-time assessments performed by consultants, or uses a website scanner, the keys to complete website vulnerability management are comprehensiveness and consistency.
To address the issues discussed in this article, security and development teams need to be able to identify vulnerabilities in development and production -- and fix them quickly and efficiently. WhiteHat Security has the first and only service that provides a cost-effective, comprehensive, timely and accurate solution for complete website vulnerability management.
WhiteHat Sentinel, our flagship service, is the only solution built today that integrates proprietary scanning technology with expert analysis to thoroughly identify both technical and business logic vulnerabilities on production websites, the place where hackers enter a company.
WhiteHat Sentinel employs the Software-as-a-Service model, so no investment in hardware, software or personnel is required.
WhiteHat Sentinel offers continuous website assessments to ensure maximum coverage. It identifies 50% more vulnerabilities than scanning tools to ensure comprehensive assessments, and verifies all scanning results to eliminate false positives and provide only actionable information.
To discuss how WhiteHat technology can assist in your website security strategy, call Milestone Systems, Inc.