WP5myths1211

8/2/2019 WP5myths1211

1/7

THE TOP FIVE MYTHS OF WEBSITE SECURITY

Plus Recommendations for Your Security Managers,Business Managers and Software Developers

December 2011Jeremiah Grossman

Founder and CTO, WhiteHat Security

A WHITEHAT SECURITY WHITEPAPER

8/2/2019 WP5myths1211

2/7

THE TOP FIVE MYTHS OF WEBSITE SECURITY | DECEMBER 2011

Introduction

Hackers share a common characteristic with water: It is both o their natures to ollow the path o least resistance.

Today the path o least resistance in the world o Web security leads over SSL (Secure Sockets Layer), because

theres nothing past the rewall to protect the website and all the inormation residing on it.

Heres a quick description o how hackers view the world: Using almost any browser and then perorming a ew simple

tricks, they can penetrate a website, access the credit card database, steal critical customer and even a companysintranet inormation without being seen and without leaving any trace.

Website Security Forces vs. International Hackers: An Ongoing Battle of Good vs. Evil

However, on the positive side, network rewalls and patch management are now standard practices, so overall network

perimeters have become increasingly more secure.

But hackers, in response to this increased level o security and always determined to stay a step ahead o Web

security proessionals have begun to attack websites directly. In act, the Gartner Group has reported that over

70% o cyber attacks now occur at the application layer. Even more alarming or companies with even the most basic

Internet presence is that WhiteHat Security is currently nding serious vulnerabilities on 8 o every 10 websites it

accesses.

Many o the website vulnerabilities discovered are well known, such as SQL Injection and Cross-Site Scripting, while

Insucient Authorization or Predictable Resource Location are less common methods o attack. Regardless o how

amiliar or unamiliar a particular vulnerability may be, they all pose serious security risks to almost any website.

Traditional Security Solutions Have Been Overtaken by New Methods of Attack

When securing a network, many security proessionals still think immediately o rewalls, SSL, Intrusion Detection, and

Anti-Virus as components that will eventually provide a complete solution to almost any security problem they must

resolve. And while it is true that these components improve certain aspects o security, their impact on protecting a

website is marginal. For instance, contrary to popular belie, deploying a network rewall will not prevent a hacker rompenetrating an unprotected opening in a website. To improve the security o the Web, we must dispel this and many

other widely held misconceptions. In other words, new vulnerabilities require new solutions.

However, beore presenting WhiteHats recommendations or resolving the new security problems that every company

with an Internet presence now aces, lets rst consider ve o the most common myths about website security.

1. A website that uses SSL is secure.

2. A rewall protects the website, so its sae rom hackers.

3. The vulnerability scanner did not report any website security issues, so its secure.

4. Website security is a developer problem.

5. We conduct annual security assessments on our website, so its secure.

And now lets examine each o these myths and discover whether there are any acts to support them.

8/2/2019 WP5myths1211

3/7


Figure 1.

Myth No. 1: Secure Socket Layer (SSL) Will Secure My Website

Regardless o what youve heard, and regardless o the authority o the person making a claim about the eectiveness

o SSL in providing website security, SSL cannot make any website secure.

The SSL security lock symbol located at the bottom o a Web browser simply indicates that the inormation sent to

and rom that website is encrypted. And that is all the symbol means. Once any inormation arrives and is stored on a

website, SSL has no ability to protect that inormation.

Its well established that websites using strong SSL have been hacked with the same requency as those that lack

SSL. In act, WhiteHat has ound that the use o SSL provides virtually no protection against hackers breaking into a

website and stealing its condential inormation.

At this point in the discussion o SSL capabilities, its important to understand what the lock symbol on a websites

home page represents in regards to the security level o that site and what it does not represent. SSL is simply an

encryption protocol that conrms to users o a website that the site is what it claims to be, rather than an impostersite eavesdropping on a conversation or monitoring a transaction. SSL also ensures that i someone intercepts any

exchange between a user and a website, that communication cannot be read.

However, SSL has absolutely no impact on website security nor on the manner in which a users private inormation is

saeguarded. Thats because private data stored on a website is at risk on the server level, and not in the connection.

Using encryption on the Internet is the equivalent of arranging

an armored car to deliver credit card information from

someone living in a cardboard box to someone living on a park bench.

Gene Spafford Ph.D.

Professor of Computer Sciences, Purdue University

8/2/2019 WP5myths1211

4/7


Myth No. 2: Firewalls Protect Against Website Attacks

While rewalls allow Web trac to pass through to a website, they lack the ability to protect the site itsel rom malicious

activity. For instance, the Web applications sotware that turns a website into an e-commerce bank, store, auction, credit

union, message board, etc., also makes websites vulnerable to attack regardless o whether a rewall is in place.

Traditionally, network security has been based on the idea o Letting the good guys in and keeping the bad guys out.

This type o security is based on the use o rewall ACLs (Access Control Lists). Basically, a securely congured ACLwill deny all trac entry to a network except or a permitted set o activities, such as Web trac and email. Given this

act, perorming a port scan o most websites will reveal port 80 open or http trac and port 443 oten open or

SSL trac. Generally speaking, the rewall blocks all other trac. This is both sensible and practical because, ater all,

no one rom the Internet needs to share your printer do they?

However, ater an ACL allows a visitor beyond the rewall and into the website, any security protections that are in place

become meaningless. And while the rewall has protected the printer, escorted email to its correct destination, and

allowed similar essential tasks to be completed, it also has allowed just about anyone anywhere in the world into the

website.

So although the rewall has successully done its job, there is a new security problem the website itsel. And then the

question becomes: How do you give everyone access to your websites, and then make sure they are legitimate visitors?

Myth No. 3: Network Vulnerability Scanners Protect My Website

Beginning in the early 1990s with SATAN (Security Administrator Tool or Analyzing Networks), system administrators

and security proessionals have used vulnerability scanners to identiy well-known network security faws. The idea

was that ater resolving all o the reported security issues, the website should then be secure enough to be placed on

the Internet. However, vulnerability scanners ailed then and still ail to measure the security o any custom Web

applications running on the Web server. And these applications are precisely the applications most likely to be the least

secure!

How Vulnerability Scanners Work and Fail to Work

Vulnerability scanners nd security problems by transmitting specially crated network trac to target servers andthen collecting the responses. These responses are then analyzed and compared to thousands o well-known security

vulnerability signatures, also known as checks. When a scanner nds a match between a check and a collected

response, the scanner reports the nding as a security issue. The latest vulnerability scanners now achieve over 90%

accuracy.

Figure 2.

8/2/2019 WP5myths1211

5/7


However, because there are no well-known security issues present in custom-written Web code, even these newest

scanners completely miss any vulnerabilities present on the Web application layer. And statistically speaking, while

there are security issues present on just about every website, the problems remain unidentied until someone looks

specically or them.

Finding and identiying the security problems are less problematic or the small percentage o organizations that run

their websites using the same o-the-shel sotware. However, most organizations build their websites using custom

code. So what does this mean or owners o custom-built websites that must be secure rom attacks?

Basically, any owner o a website requiring thorough security must understand three acts:

Fact No. 1 The average Web application in use today is woeully insecure.

Fact No. 2 A network vulnerability security scanner is incapable o identiying faws other than those within its

signature database.

Fact No. 3 While a typical o-the-shel vulnerability scanner would likely give most websites an all clear or

thumbs-up report, just ve minutes later a WhiteHat Security expert could nd a way to directly query the back-

end database and obtain customer credit card numbers rom the supposedly vulnerability-ree site.

Myth No. 4: Website Vulnerabilities Are the Developers Fault

Although its easy to blame Web developers or website security ailures, the criticism is unair. Many actors beyond

the control o developers contribute to the insecurity o Web sotware. For example, source code oten originates rom

a variety o providers, rather than only rom an in-house development team. Or a company might intermingle its existing

code with new code developed by an oshore rm. Then again, perhaps a patch rom a commercial vendor has been

applied to dependent system libraries. Or a developer may even use example or open-source code directly rom the

Web.

Clearly, its never known whether the entire code base or a sotware project is unique; or that a website will remain

sae and secure ater codes rom dierent sources are combined and begin to interact. And nally, were all aware o

the all-too-common problem that occurs when deadlines approach: It becomes necessary to rush projects and/or take

shortcuts that almost always lead to errors in the code.

What i? Multiplied.

Given how common the situations described above have become, lets imagine that two developers at the same

company independently create two completely secure sotware modules. The modules are secure in and o themselves,

but when they interact they create serious security issues. Now, multiply this situation based on tens o thousands, or

hundreds o thousands, or even millions o lines o code interacting. The likelihood o a security loophole in business

logic not occurring is almost zero.

O course, realistically, sotware will always have bugs. In any type o computing, we experience this problem in a

matter-o-act manner every day. And when you think about it, security vulnerabilities are merely another type o bug. So

training your developers to write secure code indeed can make a signicant improvement in code quality.

But its still essential to remember that training developers to write secure code does not necessarily mean the code

they write will be secure. Because there is simply no way to absolutely prove that any particular piece o sotware is

secure and bug-ree. Its an uncontested act that everyone who develops code will make mistakes. And that some othose mistakes will remain buried and undiscovered or years.

So what every security proessional must remember is that business logic reviews have to become a key component o

any Web application security strategy.

8/2/2019 WP5myths1211

6/7

8/2/2019 WP5myths1211

7/7

WhiteHat Security, Inc. | 3003 Bunker Hill Lane | Santa Clara, CA 95054 408.343.8300 | www.whitehatsec.com

Copyright 2011 WhiteHat Security, Inc. | Product names or brands used in this publication are for identication purposeonly and may be trademarks of their respective companies. 120111

About the Author

Jeremiah Grossman is the

Founder and Chief Technology

Ofcer of WhiteHat Security,

where he is responsible for

Web security R&D and industry

evangelism. Mr. Grossman has

authored dozens of articles andwhite papers, credited with the discovery

of many cutting-edge attack and defensive

techniques, and is a co-author of XSS

Attacks: Cross Site Scripting Exploits and

Defense. His work has been featured in the

Wall Street Journal, NY Times, USA Today,

Washington Post, NBC News, and many

other mainstream media outlets.

As a well-known security expert and industry

veteran, Mr. Grossman has been a guest

speaker at hundreds of international events

including BlackHat Briengs, OWASP, RSA,ISSA, SANS, Microsofts Blue Hat, and many

others. Mr. Grossman is also a co-founder

of the Web Application Security Consortium

(WASC) and previously named one of

InfoWorlds Top 25 CTOs.

Before founding WhiteHat, Mr. Grossman

was an information security ofcer at Yahoo!,

where he was responsible for performing

security reviews on hundreds of the

companys websites.

About WhiteHat Security, Inc.

Headquartered in Santa Clara, California,

WhiteHat Security is the leading provider

of website risk management solutions that

protect critical data, ensure compliance

and narrow the window of risk. WhiteHat

Sentinel, the companys agship product

family, is the most accurate, complete

and cost-effective website vulnerability

management solution available. It delivers

the visibility, exibility, and control

that organizations need to prevent Web

attacks. Furthermore, WhiteHat Sentinel

enables automated mitigation of website

vulnerabilities via integration with Web

application rewalls. To learn more about

WhiteHat Security, please visit our website at

www.whitehatsec.com.

The WhiteHat Sentinel Service

Scalable to Fit Any Environment

WhiteHat Sentinel is built to scale and assess 100, 1,000 even 10,000+ o

even the largest, most complex websites simultaneously. Were talking maximum

coverage o sites in QA/development and production environments without

impacting perormance.

Visibility Into Risk Across The Enterprise From A Single Platform

Since its a SaaS-based platorm, WhiteHat Sentinel is a completely turnkey

solution. No other solution is as easy to deploy, easy to manage or as cost-eective.

Or as comprehensive. Now, you can manage all your website security through a

single, easy-to-use-platorm.

Expert Risk Management Services From The TRC

WhiteHats Threat Research Center (TRC):

VerieseveryvulnerabilitythatSentinelnds

Performsbusinesslogictesting,whichisimpossibletoautomate

Servesasanextensionofyourownwebsitesecurityteam

That means you can ocus on your technology and business goals instead o

website security headaches & hassles.

A Higher Level of Accuracy & Speed

Every service delivered by WhiteHat includes ull vulnerability verication by the

Threat Research Center (TRC), which veries the accuracy o all vulnerabilities,

virtually eliminating alse positives and dramatically simpliying remediation. Whats

more, the TRC also requently operates as an extension o your security team. The

TRC engineers are available to answer questions about a vulnerability, or to provide

Proo-o-Concept guidance on how a vulnerability can be exploited, or instance.

Companies large and small value the act that the TRC is the place you can callto get a live person who can oer expert analysis and guidance on your website

security environment.

Documents

WP5myths1211