Web App Vulnerabilities Are Getting More Attention; Now's The Time For IT To Get Defensive - InformationWeek


The number of vulnerable sites is small but growing rapidly, and attacks can happen without victims even knowing they've been hit.

Attacks designed to bring down networks are largely under control, even though companies still spend plenty of time defending against them. The latest addition to IT teams' worry lists: keeping Web apps from being hijacked and forced to give up data that can be used to commit identity theft or other crimes.

The number of Web sites with applications vulnerable to these attacks appears to be small--58 were reported last year to the Web Application Security Consortium, a group that tracks flaws found in custom Web apps. But that's a big leap from the 16 in 2004 and nine in 2003. This year, at least 20 vulnerabilities have been reported, including cross-site scripting vulnerabilities at eBay, Microsoft MSN Hotmail, and open source repository SourceForge.net, all of which have since been fixed. And the reported number of vulnerable sites could be just a starting point, since the vulnerabilities aren't easy to spot, and attackers try to get in and out without leaving a trail. So victims may not know their sites were attacked and data compromised or stolen.

In the past, malicious hackers have been more interested in disrupting the availability of networks and Web-based applications. Now there's increased interest in the payoff from stealing data that Web applications store, such as information that lets users log in to Web sites, pay bills, check accounts, and conduct other business. "If the hacker can construct application code that can query this information, it's better than trying to hack it out of a back-end server that's been patched," says Grant Bourzikas, senior manager of information security and business continuity at Scottrade.

The online brokerage last year decided to protect itself against a variety of attacks designed to fool Web applications into disclosing information, including buffer overflows, SQL injections, and cross-site scripting. Scottrade placed its Web-based trading systems behind an Imperva SecureSphere Web Application Firewall, which is designed to reinforce the company's application security policies that specify the amount and type of data that can be input into any field. "To be a solid security organization, you have to look at all layers of protection," Bourzikas says.

Types Of Web App Attacks

Buffer Overflow: Attackers input more information in a data field than an app can handle, tricking it into handing over data

SQL Injection: Instructions are entered into a data field that let an attacker take control of an app

Cross-Site Scripting: Hackers insert links into a Web app that send users to bogus or malware-laden sites

Web application firewalls can be used in conjunction with network firewalls, which work at the network perimeter, stopping any traffic they're programmed to block. Other Web application firewall vendors include Citrix Systems, F5 Networks, and NetContinuum, which this week is introducing its latest NC-1100 application firewall and application gateway appliances. While a firewall isn't likely to be as secure as writing an application from scratch with the security built in, it's a much quicker way to get a defense in place than spending months writing and debugging custom code. Many Web applications weren't written with security top of mind, says Gary McGraw, CTO at Cigital, which makes risk management software.
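The per-field policy the article describes (how much data, and of what type, each form field may accept) can be shown with an added example that is not from the article or from any of the vendors named; the field names, limits and sample submissions are constructed, and the policy syntax is an assumption rather than any product's rule format.

```python
import re

# Constructed per-field policy (assumption, not a vendor's rule syntax): each
# form field gets a maximum length and the only characters it may contain.
FIELD_POLICY = {
    "account_id": {"max_len": 12, "pattern": re.compile(r"[0-9]+")},
    "symbol":     {"max_len": 6,  "pattern": re.compile(r"[A-Z.]+")},
    "note":       {"max_len": 80, "pattern": re.compile(r"[A-Za-z0-9 .,'-]*")},
}

def check_request(fields):
    """Validate one form submission against FIELD_POLICY.

    Returns a list of (field, reason) violations; an empty list means the
    request may be forwarded to the application. Length is checked before
    the character pattern so an oversized input is refused even when its
    characters are otherwise acceptable. Fields the policy does not know
    are refused outright (allow-list, not deny-list).
    """
    violations = []
    for name, value in fields.items():
        policy = FIELD_POLICY.get(name)
        if policy is None:
            violations.append((name, "field not in policy"))
        elif len(value) > policy["max_len"]:
            violations.append((name, f"length {len(value)} exceeds {policy['max_len']}"))
        elif policy["pattern"].fullmatch(value) is None:
            violations.append((name, "characters not allowed for this field"))
    return violations

# Constructed sample submissions: one clean, one per attack type in the table above.
SAMPLE_REQUESTS = {
    "clean":    {"account_id": "10482", "symbol": "MSFT", "note": "buy 10 shares"},
    "overflow": {"account_id": "10482", "symbol": "A" * 5000, "note": ""},
    "sqli":     {"account_id": "10482 OR 1=1", "symbol": "MSFT", "note": ""},
    "xss":      {"account_id": "10482", "symbol": "MSFT", "note": "<a href=x>click</a>"},
}

if __name__ == "__main__":
    for label, request in SAMPLE_REQUESTS.items():
        print(label, check_request(request) or "accepted")
```

The point of the example is that a positive allow-list per field rejects all three submissions without needing a signature for each attack, which is what lets a firewall of this kind be deployed faster than a rewrite of the application.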

Attacks on Web apps are particularly disturbing to financial services companies, which are looking to make online banking and investing less expensive and more convenient. Bank of America last week reported that 3.8 million online accounts were activated on its Web site last year, an increase of 69% over the previous year. And banks can't count on customers to fend for themselves. A survey of more than 700 people with online accounts by TD Canada Trust, a bank that's part of Toronto's TD Bank Financial Group, found that fewer than 30% knew the terms phishing and Web site spoofing. Most customers believe their bank should bear primary responsibility for security measures around online banking.

Bank of America, Scottrade, and other financial institutions need to be attentive to the risk of Web attacks, having suffered breaches in the past six months that resulted in customer data being compromised at merchant and data processing locations. The last thing they need is their Web site to become another point of weakness.
