Upload
miguel-angel-molinero
View
223
Download
0
Embed Size (px)
Citation preview
8/2/2019 WP5myths1211
1/7
THE TOP FIVE MYTHS OF WEBSITE SECURITY
Plus Recommendations for Your Security Managers,Business Managers and Software Developers
December 2011Jeremiah Grossman
Founder and CTO, WhiteHat Security
A WHITEHAT SECURITY WHITEPAPER
8/2/2019 WP5myths1211
2/7
THE TOP FIVE MYTHS OF WEBSITE SECURITY | DECEMBER 2011
Introduction
Hackers share a common characteristic with water: It is both o their natures to ollow the path o least resistance.
Today the path o least resistance in the world o Web security leads over SSL (Secure Sockets Layer), because
theres nothing past the rewall to protect the website and all the inormation residing on it.
Heres a quick description o how hackers view the world: Using almost any browser and then perorming a ew simple
tricks, they can penetrate a website, access the credit card database, steal critical customer and even a companysintranet inormation without being seen and without leaving any trace.
Website Security Forces vs. International Hackers: An Ongoing Battle of Good vs. Evil
However, on the positive side, network rewalls and patch management are now standard practices, so overall network
perimeters have become increasingly more secure.
But hackers, in response to this increased level o security and always determined to stay a step ahead o Web
security proessionals have begun to attack websites directly. In act, the Gartner Group has reported that over
70% o cyber attacks now occur at the application layer. Even more alarming or companies with even the most basic
Internet presence is that WhiteHat Security is currently nding serious vulnerabilities on 8 o every 10 websites it
accesses.
Many o the website vulnerabilities discovered are well known, such as SQL Injection and Cross-Site Scripting, while
Insucient Authorization or Predictable Resource Location are less common methods o attack. Regardless o how
amiliar or unamiliar a particular vulnerability may be, they all pose serious security risks to almost any website.
Traditional Security Solutions Have Been Overtaken by New Methods of Attack
When securing a network, many security proessionals still think immediately o rewalls, SSL, Intrusion Detection, and
Anti-Virus as components that will eventually provide a complete solution to almost any security problem they must
resolve. And while it is true that these components improve certain aspects o security, their impact on protecting a
website is marginal. For instance, contrary to popular belie, deploying a network rewall will not prevent a hacker rompenetrating an unprotected opening in a website. To improve the security o the Web, we must dispel this and many
other widely held misconceptions. In other words, new vulnerabilities require new solutions.
However, beore presenting WhiteHats recommendations or resolving the new security problems that every company
with an Internet presence now aces, lets rst consider ve o the most common myths about website security.
1. A website that uses SSL is secure.
2. A rewall protects the website, so its sae rom hackers.
3. The vulnerability scanner did not report any website security issues, so its secure.
4. Website security is a developer problem.
5. We conduct annual security assessments on our website, so its secure.
And now lets examine each o these myths and discover whether there are any acts to support them.
8/2/2019 WP5myths1211
3/7
THE TOP FIVE MYTHS OF WEBSITE SECURITY | DECEMBER 2011
Figure 1.
Myth No. 1: Secure Socket Layer (SSL) Will Secure My Website
Regardless o what youve heard, and regardless o the authority o the person making a claim about the eectiveness
o SSL in providing website security, SSL cannot make any website secure.
The SSL security lock symbol located at the bottom o a Web browser simply indicates that the inormation sent to
and rom that website is encrypted. And that is all the symbol means. Once any inormation arrives and is stored on a
website, SSL has no ability to protect that inormation.
Its well established that websites using strong SSL have been hacked with the same requency as those that lack
SSL. In act, WhiteHat has ound that the use o SSL provides virtually no protection against hackers breaking into a
website and stealing its condential inormation.
At this point in the discussion o SSL capabilities, its important to understand what the lock symbol on a websites
home page represents in regards to the security level o that site and what it does not represent. SSL is simply an
encryption protocol that conrms to users o a website that the site is what it claims to be, rather than an impostersite eavesdropping on a conversation or monitoring a transaction. SSL also ensures that i someone intercepts any
exchange between a user and a website, that communication cannot be read.
However, SSL has absolutely no impact on website security nor on the manner in which a users private inormation is
saeguarded. Thats because private data stored on a website is at risk on the server level, and not in the connection.
Using encryption on the Internet is the equivalent of arranging
an armored car to deliver credit card information from
someone living in a cardboard box to someone living on a park bench.
Gene Spafford Ph.D.
Professor of Computer Sciences, Purdue University
8/2/2019 WP5myths1211
4/7
THE TOP FIVE MYTHS OF WEBSITE SECURITY | DECEMBER 2011
Myth No. 2: Firewalls Protect Against Website Attacks
While rewalls allow Web trac to pass through to a website, they lack the ability to protect the site itsel rom malicious
activity. For instance, the Web applications sotware that turns a website into an e-commerce bank, store, auction, credit
union, message board, etc., also makes websites vulnerable to attack regardless o whether a rewall is in place.
Traditionally, network security has been based on the idea o Letting the good guys in and keeping the bad guys out.
This type o security is based on the use o rewall ACLs (Access Control Lists). Basically, a securely congured ACLwill deny all trac entry to a network except or a permitted set o activities, such as Web trac and email. Given this
act, perorming a port scan o most websites will reveal port 80 open or http trac and port 443 oten open or
SSL trac. Generally speaking, the rewall blocks all other trac. This is both sensible and practical because, ater all,
no one rom the Internet needs to share your printer do they?
However, ater an ACL allows a visitor beyond the rewall and into the website, any security protections that are in place
become meaningless. And while the rewall has protected the printer, escorted email to its correct destination, and
allowed similar essential tasks to be completed, it also has allowed just about anyone anywhere in the world into the
website.
So although the rewall has successully done its job, there is a new security problem the website itsel. And then the
question becomes: How do you give everyone access to your websites, and then make sure they are legitimate visitors?
Myth No. 3: Network Vulnerability Scanners Protect My Website
Beginning in the early 1990s with SATAN (Security Administrator Tool or Analyzing Networks), system administrators
and security proessionals have used vulnerability scanners to identiy well-known network security faws. The idea
was that ater resolving all o the reported security issues, the website should then be secure enough to be placed on
the Internet. However, vulnerability scanners ailed then and still ail to measure the security o any custom Web
applications running on the Web server. And these applications are precisely the applications most likely to be the least
secure!
How Vulnerability Scanners Work and Fail to Work
Vulnerability scanners nd security problems by transmitting specially crated network trac to target servers andthen collecting the responses. These responses are then analyzed and compared to thousands o well-known security
vulnerability signatures, also known as checks. When a scanner nds a match between a check and a collected
response, the scanner reports the nding as a security issue. The latest vulnerability scanners now achieve over 90%
accuracy.
Figure 2.
8/2/2019 WP5myths1211
5/7
THE TOP FIVE MYTHS OF WEBSITE SECURITY | DECEMBER 2011
However, because there are no well-known security issues present in custom-written Web code, even these newest
scanners completely miss any vulnerabilities present on the Web application layer. And statistically speaking, while
there are security issues present on just about every website, the problems remain unidentied until someone looks
specically or them.
Finding and identiying the security problems are less problematic or the small percentage o organizations that run
their websites using the same o-the-shel sotware. However, most organizations build their websites using custom
code. So what does this mean or owners o custom-built websites that must be secure rom attacks?
Basically, any owner o a website requiring thorough security must understand three acts:
Fact No. 1 The average Web application in use today is woeully insecure.
Fact No. 2 A network vulnerability security scanner is incapable o identiying faws other than those within its
signature database.
Fact No. 3 While a typical o-the-shel vulnerability scanner would likely give most websites an all clear or
thumbs-up report, just ve minutes later a WhiteHat Security expert could nd a way to directly query the back-
end database and obtain customer credit card numbers rom the supposedly vulnerability-ree site.
Myth No. 4: Website Vulnerabilities Are the Developers Fault
Although its easy to blame Web developers or website security ailures, the criticism is unair. Many actors beyond
the control o developers contribute to the insecurity o Web sotware. For example, source code oten originates rom
a variety o providers, rather than only rom an in-house development team. Or a company might intermingle its existing
code with new code developed by an oshore rm. Then again, perhaps a patch rom a commercial vendor has been
applied to dependent system libraries. Or a developer may even use example or open-source code directly rom the
Web.
Clearly, its never known whether the entire code base or a sotware project is unique; or that a website will remain
sae and secure ater codes rom dierent sources are combined and begin to interact. And nally, were all aware o
the all-too-common problem that occurs when deadlines approach: It becomes necessary to rush projects and/or take
shortcuts that almost always lead to errors in the code.
What i? Multiplied.
Given how common the situations described above have become, lets imagine that two developers at the same
company independently create two completely secure sotware modules. The modules are secure in and o themselves,
but when they interact they create serious security issues. Now, multiply this situation based on tens o thousands, or
hundreds o thousands, or even millions o lines o code interacting. The likelihood o a security loophole in business
logic not occurring is almost zero.
O course, realistically, sotware will always have bugs. In any type o computing, we experience this problem in a
matter-o-act manner every day. And when you think about it, security vulnerabilities are merely another type o bug. So
training your developers to write secure code indeed can make a signicant improvement in code quality.
But its still essential to remember that training developers to write secure code does not necessarily mean the code
they write will be secure. Because there is simply no way to absolutely prove that any particular piece o sotware is
secure and bug-ree. Its an uncontested act that everyone who develops code will make mistakes. And that some othose mistakes will remain buried and undiscovered or years.
So what every security proessional must remember is that business logic reviews have to become a key component o
any Web application security strategy.
8/2/2019 WP5myths1211
6/7
8/2/2019 WP5myths1211
7/7
WhiteHat Security, Inc. | 3003 Bunker Hill Lane | Santa Clara, CA 95054 408.343.8300 | www.whitehatsec.com
Copyright 2011 WhiteHat Security, Inc. | Product names or brands used in this publication are for identication purposeonly and may be trademarks of their respective companies. 120111
About the Author
Jeremiah Grossman is the
Founder and Chief Technology
Ofcer of WhiteHat Security,
where he is responsible for
Web security R&D and industry
evangelism. Mr. Grossman has
authored dozens of articles andwhite papers, credited with the discovery
of many cutting-edge attack and defensive
techniques, and is a co-author of XSS
Attacks: Cross Site Scripting Exploits and
Defense. His work has been featured in the
Wall Street Journal, NY Times, USA Today,
Washington Post, NBC News, and many
other mainstream media outlets.
As a well-known security expert and industry
veteran, Mr. Grossman has been a guest
speaker at hundreds of international events
including BlackHat Briengs, OWASP, RSA,ISSA, SANS, Microsofts Blue Hat, and many
others. Mr. Grossman is also a co-founder
of the Web Application Security Consortium
(WASC) and previously named one of
InfoWorlds Top 25 CTOs.
Before founding WhiteHat, Mr. Grossman
was an information security ofcer at Yahoo!,
where he was responsible for performing
security reviews on hundreds of the
companys websites.
About WhiteHat Security, Inc.
Headquartered in Santa Clara, California,
WhiteHat Security is the leading provider
of website risk management solutions that
protect critical data, ensure compliance
and narrow the window of risk. WhiteHat
Sentinel, the companys agship product
family, is the most accurate, complete
and cost-effective website vulnerability
management solution available. It delivers
the visibility, exibility, and control
that organizations need to prevent Web
attacks. Furthermore, WhiteHat Sentinel
enables automated mitigation of website
vulnerabilities via integration with Web
application rewalls. To learn more about
WhiteHat Security, please visit our website at
www.whitehatsec.com.
The WhiteHat Sentinel Service
Scalable to Fit Any Environment
WhiteHat Sentinel is built to scale and assess 100, 1,000 even 10,000+ o
even the largest, most complex websites simultaneously. Were talking maximum
coverage o sites in QA/development and production environments without
impacting perormance.
Visibility Into Risk Across The Enterprise From A Single Platform
Since its a SaaS-based platorm, WhiteHat Sentinel is a completely turnkey
solution. No other solution is as easy to deploy, easy to manage or as cost-eective.
Or as comprehensive. Now, you can manage all your website security through a
single, easy-to-use-platorm.
Expert Risk Management Services From The TRC
WhiteHats Threat Research Center (TRC):
VerieseveryvulnerabilitythatSentinelnds
Performsbusinesslogictesting,whichisimpossibletoautomate
Servesasanextensionofyourownwebsitesecurityteam
That means you can ocus on your technology and business goals instead o
website security headaches & hassles.
A Higher Level of Accuracy & Speed
Every service delivered by WhiteHat includes ull vulnerability verication by the
Threat Research Center (TRC), which veries the accuracy o all vulnerabilities,
virtually eliminating alse positives and dramatically simpliying remediation. Whats
more, the TRC also requently operates as an extension o your security team. The
TRC engineers are available to answer questions about a vulnerability, or to provide
Proo-o-Concept guidance on how a vulnerability can be exploited, or instance.
Companies large and small value the act that the TRC is the place you can callto get a live person who can oer expert analysis and guidance on your website
security environment.