Web Apps Come Under Attack In Perverse Coming Of Age
The growth in hosted software, plus attacks on AT&T's site and others, has IT managers worried about the vulnerability of Web applications.
With the launch last week of Google's hosted application suite and availability of Microsoft Office Live, online application delivery appears ready to challenge the desktop computing model. As Web applications become more mainstream, the inevitable question arises: Are they vulnerable?
You bet. Consider that in the last week of August, more than 60 Web application vulnerabilities were found, according to the SANS Institute's @Risk bulletin. Compare that with the number of vulnerabilities found that week in Windows (two), Mac OS (two), Linux (three), Internet Explorer (two), and third-party Windows apps (nine).
August 2006 -- AT&T: DSL equipment sales site is hacked; access gained to records of nearly 19,000 customers
October 2005 -- MySpace: Hacker known as "Samy" unleashes a Web worm on the social networking site that causes anyone accessing the site to be added to Samy's "friends" list; the attack, while innocuous, shows the potential for greater harm
June 2005 -- University of Southern California: Eric McCarty hacks into USC's site and accesses confidential information submitted by school applicants; he says he wanted to prove the site was insecure
December 2004 -- Disasters Emergency Committee: Daniel Cuthbert hacks the Tsunami Earthquake Appeal site, claiming he wanted to prove it was insecure
Web apps have a reputation--though it's unclear how deserved--for not having undergone as many code reviews and quality-control processes as conventional software. "Web applications tend to be written less tightly than other applications," says Alan Paller, director of research at SANS.
Douglas Merrill, VP of engineering at Google, acknowledges that the programming methodology for Web applications isn't as mature as for desktop apps, but he emphasizes that Google has its own set of best practices. Instead of having a centralized security group review code before it's released, Google uses what Merrill describes as a distributed system that enlists every engineer to make programs more secure. That means training every software and QA engineer to look for security problems and practice secure coding. An engineer's code is always reviewed by a second engineer whenever it gets checked in, and again during design, implementation, and launch. So far, Google's online applications have stayed off the @Risk list.
Attackers, meanwhile, are tracking Web application vulnerabilities disclosed through such reports as @Risk and SecurityFocus' Bugtraq. When they learn of a commercially available Web application with a known flaw, they'll utilize Web search tools to find sites that use the app. The attacker can then probe for applications that haven't been patched properly.
It's enough to persuade Kevin Jaffe, director of corporate systems at Priceline.com, to steer clear of the hosted software model for now. "We're not so concerned about, say, vulnerabilities within certain Microsoft applications because there are three or four levels of security around this company that you've got to get through to begin with," he says. Jaffe adds that crooks don't need specialized application-specific knowledge to attack Web apps written with popular languages. "When you start dealing with Web-based applications, you've lowered the common denominator for the typical hacker," he says.
That's not to say Priceline won't ever adopt hosted Web apps--Jaffe, in fact, thinks they're the future because of the overall benefits of centralized maintenance and support. He just doesn't want to be one of the first victims while the security bugs are being worked out. "Our culture from the beginning has always been, let somebody else jump out there first," Jaffe says.
Many IT managers don't see Web applications as particularly vulnerable. "I would be no more or less likely to consider a Web application like Google's Writely over, say, Microsoft Word," says Brad Friedman, VP of IT for Burlington Coat Factory, which uses the Star/Open Office desktop suite. Both require security measures to make them less vulnerable, he says.
While there's no such thing as perfect security, companies have to determine for themselves whether the possible benefits of online applications outweigh the risks. "When a [Web application] problem is in fact found, trying to fix it is never trivial," Google's Merrill says. "But it's much simpler to patch a server than it is to patch some large number of clients distributed across some large number of networks."
SANS Institute's Paller agrees. "One huge positive is that the patching is going on in real time," he says, "whereas most of us aren't doing that." And because patching can be such an onerous chore, many organizations will consider ditching PCs altogether in favor of applications delivered through a thin client.
For large companies that have dozens of Web sites and applications, the recent attack on AT&T's DSL equipment site should provide plenty of incentive to assess security, says Jeremiah Grossman, a former Yahoo information security officer who's now CTO with Web application security provider WhiteHat Security. Site scrutiny should be prioritized based on the nature of the information that can be accessed--is customer data at risk?--and the vulnerability of the apps they run.
Whether it's as a hosted service from a vendor or from internally managed Web sites, online software is in the crosshairs of malicious hackers. It may be the future, but it won't be without security risks.