Ten Things You Should Know about Web Application Security
A WhiteHat Security White Paper
Jeremiah Grossman
April 2006
Copyright © 2006 WhiteHat Security - www.whitehatsec.com
Introduction
Phishing schemes. Stolen credit card numbers. Identity theft. Web applications have
emerged as the target of choice for money-hungry hackers. Attacks have moved from
the network to the everyday web applications that people use to manage their lives:
online shopping and banking, healthcare information management, insurance
payments, travel booking and college applications.
The ramifications for companies are clear: loss of data, loss of consumer confidence
and loss of brand integrity. No company can afford the black mark of a website
hack. With many states mandating full disclosure, and the federal government close
behind with its own efforts, the luxury of keeping these incidents behind closed doors
has passed. Organizations must develop a strategy for web application security.
How can companies prevent these attacks? The first step is to understand the
fundamentals. This white paper will examine ten vital web application security issues
that affect software developers and information security professionals. Grasping
these points will enable companies to understand the scope of the problem, and
establish realistic approaches for securing websites. Consider these ten points a
springboard for further exploration of web application security so that your
organization and customers can avoid being victimized.
From a security perspective, firewalls and SSL offer little protection. Web traffic often
contains attacks such as Cross-Site Scripting and SQL Injection; these arrive inside
ordinary HTTP requests on port 80 and are not blocked by the firewall. Contrary to a
popular market misconception, SSL is not capable of securing a website, but instead is
tasked with safeguarding data in transit. Once data is on the web server, it can be
compromised whether or not SSL is in use.
Web application security is a specialized practice that focuses solely on the custom
applications that sit on corporate web servers. Network scanning covers packaged,
off-the-shelf applications. Applications developed in-house need custom security to
fend off the attacks that bypass the network perimeter.
WhiteHat Security assesses the security of some of the largest and most visible
websites in the e-commerce, financial services, and healthcare industries. Based on the
aggregate data of thousands of website assessments, we've determined that over
80% of websites have vulnerabilities. These vulnerabilities enable a hacker to access
customer account data, execute administrative level functions, defraud the business, or
halt operations, all of which are serious business impacts.
• Data Format: Only accept data in the expected format. If an email
address is expected, only letters, numbers, the at sign (@), dashes, and dots in the
proper arrangement should be accepted. This includes enforcing minimum and
maximum length restrictions on all incoming data. The technique should be
used for account numbers, session credentials, usernames, etc. This limits the
potential entry points for incoming attacks.
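As an added example (not code from the white paper or from any WhiteHat product), the following Python shows one way to implement the data-format rule above as an allow-list: every input field gets a pattern that describes the only acceptable characters and arrangement, plus explicit minimum and maximum lengths, and anything that does not fit is rejected. The field names, patterns and length limits are assumptions chosen for illustration, as is the sample submission at the bottom.

```python
import re

# Allow-list rules, one per input field. Each entry is (pattern, min_len,
# max_len): the regular expression describes the ONLY shape that is
# accepted, and the length bounds are enforced on every value. The field
# names and limits here are constructed for this example and are not taken
# from the white paper or from any WhiteHat product.
RULES = {
    # letters, digits, dashes and dots arranged as local@domain.tld
    "email": (re.compile(r"[A-Za-z0-9.\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+"), 6, 254),
    # account numbers: digits only, between 8 and 16 of them
    "account_number": (re.compile(r"[0-9]+"), 8, 16),
    # usernames: letters, digits and underscore
    "username": (re.compile(r"[A-Za-z0-9_]+"), 3, 32),
    # session credentials: exactly 32 lowercase hex characters
    "session_id": (re.compile(r"[0-9a-f]+"), 32, 32),
}


class ValidationError(ValueError):
    """Raised when a submitted value fails its allow-list rule."""


def validate(field, value):
    """Return value unchanged if it satisfies the rule for field, else raise.

    Anything that is not explicitly allowed is rejected: unknown fields,
    non-string values, values outside the length bounds, and values that
    contain any character or arrangement the pattern does not permit.
    """
    if field not in RULES:
        raise ValidationError(f"no validation rule for field {field!r}")
    if not isinstance(value, str):
        raise ValidationError(f"{field}: expected a string")
    pattern, min_len, max_len = RULES[field]
    # Check length before running the pattern so oversized input is
    # rejected cheaply and never reaches the regular expression engine.
    if not (min_len <= len(value) <= max_len):
        raise ValidationError(
            f"{field}: length {len(value)} is outside {min_len}..{max_len}")
    # fullmatch anchors the pattern to the whole string; a partial match
    # (a valid prefix followed by junk) is not good enough.
    if pattern.fullmatch(value) is None:
        raise ValidationError(f"{field}: does not match the allowed format")
    return value


def is_valid(field, value):
    """Boolean convenience wrapper around validate()."""
    try:
        validate(field, value)
    except ValidationError:
        return False
    return True


def validate_form(form):
    """Validate every field of a submitted form.

    Returns (accepted, errors): accepted maps field -> value for inputs
    that passed, errors maps field -> reason for inputs that were rejected.
    Rejecting the whole request when errors is non-empty keeps bad data
    out of the application entirely.
    """
    accepted, errors = {}, {}
    for field, value in form.items():
        try:
            accepted[field] = validate(field, value)
        except ValidationError as exc:
            errors[field] = str(exc)
    return accepted, errors


if __name__ == "__main__":
    # Constructed sample submission: two well-formed fields, two that
    # contain characters or lengths the allow-list does not permit.
    submission = {
        "email": "alice@example.com",
        "account_number": "12345678",
        "username": "bob<script>",
        "session_id": "ABC",
    }
    ok, bad = validate_form(submission)
    for name, value in ok.items():
        print(f"accepted {name}: {value}")
    for name, reason in bad.items():
        print(f"rejected {name}: {reason}")
```

The email pattern follows the paper's description (letters, digits, the at sign, dashes and dots), so it rejects some addresses that are legal under RFC 5322, for instance ones containing a plus sign; each allow-list should be tuned to what the application genuinely needs to accept, while staying an allow-list rather than a block-list of known-bad characters. Format validation narrows the entry points, as the paper says; it complements, rather than replaces, parameterized queries and output encoding inside the application.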
It is difficult, if not impossible, to keep production systems and quality assurance (QA)
systems in perfect sync. This presents a unique challenge to developers and security
professionals. WhiteHat routinely identifies forgotten backup files, debug code, logic
flaws, and configuration differences between various systems. Based on our
experience, WhiteHat recommends assessments be performed both before and after
new code is released. This policy ensures that when the rubber meets the road, you're
protected.
Push now or die is the mantra. And the addition of even the smallest piece of code
could negatively impact the overall security of a website. To maintain control,
organizations must create a process or find an expert to identify vulnerabilities so that
they can be resolved.
Many companies perform quarterly or annual web application assessments, yet like
many WhiteHat customers, they push new code once a week. That's like opening up
access to a company's data for most of the year. Knowledge is power in the
vulnerability management arena. If developers and the security team know the risk
they're facing, they can prioritize remediation and avoid a potential disaster.
7. Websites Accepting Credit Cards Need Web Assessments for Industry Compliance
The Payment Card Industry Data Security Standard (PCI), co-developed by VISA and
MasterCard, is designed to ensure the security of cardholder data across its merchant
websites. PCI defines a set of requirements for how cardholder information is to be
protected and how compliance is to be assured.
PCI requires merchants to have their publicly facing networks and websites tested
every 3 months by a certified vendor. PCI compliance assures merchants and the
credit card brands that no serious vulnerabilities are present and consumers can shop
with confidence.
Even if your company does not retain cardholder data, the standard applies. Most
likely, you are guarding sensitive customer information like user names and
passwords, social security numbers, healthcare information, etc. The price of
non-compliance can be steep, ranging from large fines to revocation of VISA or
MasterCard privileges. Imagine the devastating impact on an e-commerce website
that can no longer accept VISA or MasterCard payments.
Given that, expect your custom web application code to have vulnerabilities. That’s
not the problem. The issue is to be aware of and repair those vulnerabilities before an
incident occurs. We advocate using tools to assess your web applications throughout
the development cycle. Source code scanners can be very helpful to developers to
identify specific problems.
The key is to understand that these tools are only valuable in conjunction with a
security oversight program for production web applications. WhiteHat’s customers
are among the most security-conscious enterprises in e-commerce, financial services
and healthcare. They understand that even the most diligent development team can
produce vulnerable code. The mistake many companies make is to expect the opposite
and jeopardize their security.
The best way to obtain that information is to conduct comprehensive assessments of all
web applications as often as the code changes. For WhiteHat customers, that is
typically once a week. It is also critical to understand that no scanner can identify all
24 classes of attack. Scanners can find technical vulnerabilities, those coding errors
that can enable attacks like SQL Injection, cross-site scripting, and others. However,
Conclusion
Of course, there are hundreds of things to know about web application security, not
ten. We’ve illuminated ten points to assist companies in creating a web application
security strategy that works. Whether a company is evaluating web application
security for the first time, has had one-time assessments performed by consultants, or
uses a web application vulnerability scanner, the keys to effective web application
security are comprehensiveness and consistency. To address the issues discussed in
this white paper, the security and development teams need to be able to identify
vulnerabilities in development and production and fix them efficiently.
WhiteHat Security is the first and only company that provides a cost-effective,
comprehensive, timely and accurate solution for web application vulnerability
assessment and management. WhiteHat Sentinel, our flagship service, is the only
solution today built to scan production websites, the place where hackers enter a
company. No investment in hardware, software or personnel is required. WhiteHat
Sentinel offers continuous website assessment to ensure maximum coverage, identifies
50% more vulnerabilities than scanning tools to ensure comprehensive assessments,
and verifies all scanning results to eliminate false positives and provide only
actionable information to customers. WhiteHat Sentinel enables companies to find the
holes in their websites before hackers do.
For more information about WhiteHat Security, please call 408.492.1817 or visit our
website, www.whitehatsec.com.