Te n T h i n g s You S h ou ld Kn ow a b ou t We b A p p li c a t i on S e c u r i t y! ! ! !

Pa g e 1

TEN THINGS YOU SHOULD KNOW

ABOUT WEB APPLICATION SECURITY

APRIL 2006

Jeremiah Grossman

Founder and CTO, WhiteHat Security

A W H I T E H A T S E C U R I T Y W H I T E P A P E R

C o p y r i g h t © 2 0 0 6 w h i t e h a t s e c u r i t y - www.whitehatsec.com
Te n T h i n g s You S h ou ld Kn ow a b ou t We b A p p li c a t i on S e c u r i t y! ! ! ! Pa g e 2

Introduction
Phishing schemes. Stolen credit card numbers. Identity theft. Web applications have
emerged as the target of choice for money hungry hackers. Attacks have moved from
the network to the everyday web applications that people use to manage their lives—
online shopping and banking, healthcare information management, insurance
payments, travel booking and college applications.

The ramifications for companies are clear--loss of data, loss of consumer confidence
and loss of brand integrity. No company can afford the black mark of a website
hack. With many states mandating full disclosure, and the federal government close
behind with its own efforts, the luxury of keeping these incidents behind closed doors
has passed. Organizations must develop a strategy for web application security.

How can companies prevent these attacks? The first step is to understand the
fundamentals. This white paper will examine ten vital web application security issues
that affect software developers and information security professionals. Grasping
these points will enable companies to understand the scope of the problem, and
establish realistic approaches for securing websites. Consider these ten points a
springboard for further exploration of web application security so that your
organization and customers can avoid being victimized.

Ten Things You Should Know About Web Application Security

1. The Network Perimeter is Vanishing
Companies can no longer tout a locked down perimeter as the ultimate defense.
Hundreds of millions of people worldwide use the Internet to bank, shop, purchase
goods and services, and perform research. With each transaction, private
information, including names, addresses, phone numbers, credit/debit card numbers,
and passwords, is routinely transferred and stored in a variety of locations. To enable
this flow of information, organizations must open up their firewalls, the very devices
once thought to offer impenetrable protection. Billions of dollars and millions of
personal identities and private information are exposed to hackers who find their way
in through security vulnerabilities in web applications.

From a security perspective, firewalls and SSL offer little protection. Web traffic often
contains attacks such as Cross-Site Scripting and SQL Injection that enter through Port
80 and are not blocked by the firewall. Contrary to a popular market misconception,
SSL is not capable of securing a website, but instead is tasked with safeguarding data
in transit. Once data is on the web server, it can be compromised whether or not SSL
is in use.

Web application security is a specialized practice that focuses solely on the custom
applications that sit on corporate web servers. Network scanning covers packaged,
off-the-shelf applications. Applications developed in-house need custom security to
fend off the attacks that bypass the network perimeter.

C o p y r i g h t © 2 0 0 6 w h i t e h a t s e c u r i t y - www.whitehatsec.com
Te n T h i n g s You S h ou ld Kn ow a b ou t We b A p p li c a t i on S e c u r i t y! ! ! ! Pa g e 3

2. Over 80% of Websites have Security Vulnerabilities

Consider the fact that 8 out of 10 websites visited each day have a serious security
vulnerability that puts corporate and customer data at risk. Add to that the
irreparable harm done to a company whose brand is compromised by a publicized
attack. It’s a call to action for any company doing business on the Web.

WhiteHat Security assesses the security of some of the largest and most visible
websites in the e-commerce, financial services, and healthcare industries. Based on the
aggregate data of thousands of website assessments, we‘ve determined that over
80% of websites have vulnerabilities. These vulnerabilities enable a hacker to access
customer account data, execute administrative level functions, defraud the business, or
halt operations, all serious business impacts.

Website vulnerabilities fall into twenty-four classes, as determined by the Web

Application Security Consortium. Within those classes, there are vulnerabilities from
the common, like SQL Injection and Cross-Site Scripting to the obscure, like Abuse of
Functionality and Insufficient Process Validation. The most important thing to
remember here is that when you’re talking about custom application vulnerabilities,
they will be unique to your website. And, it takes a joint effort between the
development and security teams to identify and resolve issues.

3. Faulty Input Validation is the Leading Cause of Web Application Vulnerabilities

User-supplied input must never be trusted, or more specifically, used, unless data
integrity is first validated. User-supplied input includes query strings, post data,
cookies, referers, and other information not originating from the website. This is the
most important lesson for developers to learn in creating solid web application code.
No other defense is a substitute. We’ve seen that by following a few simple
guidelines, security and code quality can be improved many times over.

Guidelines for User-Supplied Input

• Character-set: Only accept data containing a strictly limited and expected set
of characters. If a number is expected, only accept digits. If a word, only
letters.

• Data Format: Only accept data containing the proper format. If an email
address is expected, only letters, numbers, at symbol, dashes, and dots in the
proper arrangement should be accepted. This includes enforcing minimum and
maximum length restrictions on all incoming data. The technique should be
used for account numbers, session credentials, usernames, etc. This limits the
potential entry points for incoming attacks.

• Escaping: All special characters from incoming data should be escaped to

remove an additional programmatic meaning.

C o p y r i g h t © 2 0 0 6 w h i t e h a t s e c u r i t y - www.whitehatsec.com
Te n T h i n g s You S h ou ld Kn ow a b ou t We b A p p li c a t i on S e c u r i t y! ! ! ! Pa g e 4

4. Defense-in-Depth Protection is Necessary

As we’ve seen too often in the news, even companies with vast resources and large
security teams can fall prey to hackers. If these high-profile organizations still fall
short, how does the average online business protect itself or its customers? The answer
is Defense-in-Depth.

Defense-in-Depth is a practical approach to information security that the industry has

come to rely upon. The fundamental concept is that there should be multiple layers of
security protecting your assets. Layers of security include input validation, database
layer abstraction, server configuration, proxies, web application firewalls, data
encryption, OS hardening, etc. Once in place it is necessary to frequently test the
security of those layers. The reasoning behind Defense-in-Depth is that if any layer is
breached, there is another layer in place preventing compromise. With defense-in-
depth, the risks associated with security lapses are significantly mitigated.

5. Many Vulnerabilities in Production Sites Do Not Originate in Development Code

One approach to identifying security vulnerabilities in software is to examine the code
for risk-prone operations prior to deployment. While the process is valuable, this
alone does not provide a timely or complete picture of security. The execution
structure of the code might not be apparent and functionality interplay with other
parts of a web application might introduce new vulnerabilities. The more complex the
system is, the greater the odds that a vulnerability will be missed.

It is difficult, if not impossible, to keep production systems and quality assurance (QA)
systems in perfect sync. This presents a unique challenge to developers and security
professionals. WhiteHat routinely identifies forgotten backup files, debug code, logic
flaws, and configuration differences between various systems. Based on our
experience, WhiteHat recommends assessments be performed both before and after
new code is released. This policy ensures when the rubber meets the road, you’re
protected.

Companies cannot risk exposure by missing production vulnerabilities. Hackers find

their way in through production sites. Production sites must receive at least the same,
but preferably more extensive security reviews than the development/QA sites.

6. When Web Application Code is Updated, Security must be Assessed

The fast-paced world of online business requires organizations to constantly develop
new web-based promotions, products, and services to attract customers. This creates a
high-pressure environment for developers responsible for new web application code.

C o p y r i g h t © 2 0 0 6 w h i t e h a t s e c u r i t y - www.whitehatsec.com
Te n T h i n g s You S h ou ld Kn ow a b ou t We b A p p li c a t i on S e c u r i t y! ! ! ! Pa g e 5

Push now or die is the mantra. And the addition of even the smallest piece of code
could negatively impact the overall security of a website. To maintain control,
organizations must create a process or find an expert to identify vulnerabilities so that
they can be resolved.

Many companies perform quarterly or annual web application assessments, yet like
many WhiteHat customers, they push new code once a week. That’s like opening up
access to a company’s data for most of the year. Knowledge is power in the
vulnerability management arena. If developers and the security team know the risk
they’re facing they can prioritize remediation and avoid a potential disaster.

For example, cross-site scripting, once thought of as a medium-severity vulnerability by

many companies, has started to turn heads. By far the most prevalent website
vulnerability in WhiteHat’s experience, cross-site scripting has received newfound
attention because of a new generation of viruses and worms capable of propagating
at rates unheard of even a few years ago. A cross-site scripting worm shut down
MySpace.com, the 32-million user social networking site for 24 hours. The lost
revenue and customer confidence were only part of the impact. It served as a wake-
up call for the industry. Once identified, cross-site scripting is easily eliminated from a
site. The trick is to know that it’s there.

7. Websites Accepting Credit Cards Need Web Assessments for Industry Compliance
The Payment Card Industry Data Security Standard (PCI), co-developed by VISA and
MasterCard, is designed to ensure the security of cardholder data across its merchant
websites. PCI defines a set of requirements for how cardholder information is to be
protected and how compliance is to be assured.

PCI requires merchants to have their publicly facing networks and websites tested
every 3 months by a certified vendor. PCI compliance assures merchants and the
credit card brands that no serious vulnerabilities are present and consumers can shop
with confidence.

Even if your company does not retain cardholder data, the standard applies. Most
likely, you are guarding sensitive customer information like user names and
passwords, social security numbers, healthcare information, etc. The price of non-
compliance can be steep, ranging from large fines to revocation of VISA or
MasterCard privileges. Imagine the devastating impact on an e-commerce website
that can no longer accept VISA or MasterCard payments.

C o p y r i g h t © 2 0 0 6 w h i t e h a t s e c u r i t y - www.whitehatsec.com
Te n T h i n g s You S h ou ld Kn ow a b ou t We b A p p li c a t i on S e c u r i t y! ! ! ! Pa g e 6

8. All Software has Flaws

The awful truth is that all software has bugs and all systems have weaknesses. This is
the reality of software no matter how robust our architecture designs, no matter how
intensive our quality assurance process. Even Microsoft’s “Trustworthy Computing”
and Oracle’s “Unbreakable” campaigns have been unable to achieve anything close
to 100% secure code.

Given that, expect your custom web application code to have vulnerabilities. That’s
not the problem. The issue is to be aware of and repair those vulnerabilities before an
incident occurs. We advocate using tools to assess your web applications throughout
the development cycle. Source code scanners can be very helpful to developers to
identify specific problems.

The key is to understand that these tools are only valuable in conjunction with a
security oversight program for production web applications. WhiteHat’s customers
are among the most security-conscious enterprises in e-commerce, financial services
and healthcare. They understand that even the most diligent development team can
produce vulnerable code. The mistake many companies make is to expect the opposite
and jeopardize their security.

9. Resolving Web Application Security Issues Requires Updates to Custom Code

While on the surface, everyone understands that network vulnerabilities differ from
web application vulnerabilities, it becomes even more apparent when we examine the
work required to remediate them. Most security professionals are familiar with the
patches available for network vulnerabilities. However, a key difference in web
application security is that each vulnerability fix requires updates to custom code.
And, continuing with this line of thinking, it follows that each repair requires a code
push that could introduce another vulnerability. So, while there may be fewer web
application vulnerabilities, the means of remediation is more complex. Therefore, it is
imperative to continuously assess the impact of each fix to maintain secure
applications.

10. Comprehensive Assessments Require Scanning and Expert Testing Methodology

As mentioned earlier, the Web Application Security Consortium has established a
threat classification of 24 classes of web application attacks. These are the means that
hackers use to access corporate web applications every day. IT security teams need a
consistent flow of information to assess their risk posture and successfully defend
against attacks.

The best way to obtain that information is to conduct comprehensive assessments of all
web applications as often as the code changes. For WhiteHat customers, that is
typically once a week. It is also critical to understand that no scanner can identify all
24 classes of attack. Scanners can find technical vulnerabilities, those coding errors
that can enable attacks like SQL Injection, cross-site scripting, and others. However,

C o p y r i g h t © 2 0 0 6 w h i t e h a t s e c u r i t y - www.whitehatsec.com
Te n T h i n g s You S h ou ld Kn ow a b ou t We b A p p li c a t i on S e c u r i t y! ! ! ! Pa g e 7

logical vulnerabilities, those errors that require a contextual evaluation, and

manipulate application business logic resulting in false account creation, user
impersonation and unauthorized funds transfer, among others, require a security
expert for validation. These logical flaws include insufficient authorization, insufficient
authentication and abuse of functionality. The most effective method for identifying
both technical and logical vulnerabilities is the combination of automated testing and
expert analysis on a continuous basis.

Conclusion
Of course, there are hundreds of things to know about web application security, not
ten. We’ve illuminated ten points to assist companies in creating a web application
security strategy that works. Whether a company is evaluating web application
security for the first time, has had one-time assessments performed by consultants, or
uses a web application vulnerability scanner, the keys to effective web application
security are comprehensiveness and consistency. To address the issues discussed in
this white paper, the security and development teams need to be able to identify
vulnerabilities in development and production and fix them efficiently.

WhiteHat Security is the first and only company that provides a cost-effective,
comprehensive, timely and accurate solution for web application vulnerability
assessment and management. WhiteHat Sentinel, our flagship service, is the only
solution today built to scan production websites, the place where hackers enter a
company. No investment in hardware, software or personnel is required. WhiteHat
Sentinel offers continuous website assessment to ensure maximum coverage, identifies
50% more vulnerabilities than scanning tools to ensure comprehensive assessments,
and verifies all scanning results to eliminate false positives and provide only
actionable information to customers. WhiteHat Sentinel enables companies to find the
holes in their websites before hackers do.

###

About the Author

Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security, where
he is responsible for web application security R&D and industry evangelism. As an industry
veteran and well-known security expert, Mr. Grossman is a frequent international conference
speaker at the BlackHat Briefings, ISSA, ISACA, NASA, and many other industry events. Mr.
Grossman's research, writings, and discoveries have been featured in USA Today, VAR
Business, NBC, ABC News (AU), ZDNet, eWeek, BetaNews, etc. Mr. Grossman is also a
founder of the Web Application Security Consortium (WASC), as well as a contributing
member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr.
Grossman was an information security officer at Yahoo!, responsible for performing security
reviews on the company's hundreds of websites

FOR MORE INFORMATION ABOUT WHITEHAT SECURITY, PLEASE CALL 408.492.1817 OR VISIT OUR
WEBSITE, WWW.WHITEHATSEC.COM

C o p y r i g h t © 2 0 0 6 w h i t e h a t s e c u r i t y - www.whitehatsec.com