Software // Enterprise Applications
04:30 PM
Connect Directly

Web Apps Come Under Attack In Perverse Coming Of Age

The growth in hosted software, plus attacks on AT&T's site and others, has IT managers worried about the vulnerability of Web applications.

With the launch last week of Google's hosted application suite and availability of Microsoft Office Live, online application delivery appears ready to challenge the desktop computing model. As Web applications become more mainstream, the inevitable question arises: Are they vulnerable?

You bet. Consider that in the last week of August, more than 60 Web application vulnerabilities were found, according to the SANS Institute's @Risk bulletin. Compare that with the number of vulnerabilities found that week in Windows (two), Mac OS (two), Linux (three), Internet Explorer (two), and third-party Windows apps (nine).

Last week's hack of an AT&T Web site that sells DSL equipment, resulting in access to nearly 19,000 customer records, could very well have been carried out via a vulnerable Web app. Among the most common methods: cross-site scripting attacks that lift sensitive information, embedding JavaScript malware in a Web page that's activ- ated when the page is viewed, and SQL injections. As of Sept. 1, AT&T declined to provide details about the attack on its site, which is run by a third party, but said it's working with an internal forensic team and law enforcement.

Hack Attacks
August 2006
AT&T DSL equipment sales site is hacked; access gained to records of nearly 19,000 customers
October 2005
MySpace Hacker known as "Samy" unleashes a Web worm on the social networking site that causes anyone accessing the site to be added to Samy's "friends" list; the attack, while innocuous, shows the potential for greater harm
June 2005
University of Southern California Eric McCarty hacks into USC's site and accesses confidential information submitted by school applicants; he says he wanted to prove the site was insecure
December 2004
Disasters Emergency Committee Daniel Cuthbert hacks Tsunami Earthquake Appeal site, claiming he wanted to prove it was insecure
Bad Reputation
Web apps have a reputation--though it's unclear how deserved--for not having undergone as many code reviews and quality-control processes as conventional software. "Web applications tend to be written less tightly than other applications," says Alan Paller, director of research at SANS.

Douglas Merrill, VP of engineering at Google, acknowledges that the programming methodology for Web applications isn't as mature as for desktop apps, but he emphasizes that Google has its own set of best practices. Instead of having a centralized security group review code before it's released, Google uses what Merrill describes as a distributed system that enlists every engineer to make programs more secure. That means training every software and QA engineer to look for security problems and practice secure coding. An engineer's code is always reviewed by a second engineer whenever it gets checked in, and again during design, implementation, and launch. So far, Google's online applications have stayed off the @Risk list.

Still, as the Web application model takes root, so, too, will its problems. Paller predicts an increase in attacks to exploit online application protocols such as the Simple Object Access Protocol, PHP, and JavaScript, rather than exploit holes in the apps, by "piggybacking" on data sent from the Web application to the browser-based client.

Attackers, meanwhile, are tracking Web application vulnerabilities disclosed through such reports as @Risk and SecurityFocus' Bugtraq. When they learn of a commer-cially available Web application with a known flaw, they'll utilize Web search tools to find sites that use the app. The attacker can then probe for applications that haven't been patched properly.

It's enough to persuade Kevin Jaffe, director of corporate systems at, to steer clear of the hosted software model for now. "We're not so concerned about, say, vulnerabilities within certain Microsoft applications because there are three or four levels of security around this company that you've got to get through to begin with," he says. Jaffe adds that crooks don't need specialized application-specific knowledge to attack Web apps written with pop- ular languages. "When you start dealing with Web-based applications, you've lowered the common denominator for the typical hacker," he says.

That's not to say Priceline won't ever adopt hosted Web apps--Jaffe, in fact, thinks they're the future because of the overall benefits of centralized maintenance and support. He just doesn't want to be one of the first victims while the security bugs are being worked out. "Our culture from the beginning has always been, let somebody else jump out there first," Jaffe says.

Simpler Patching
Many IT managers don't see Web applications as particularly vulnerable. "I would be no more or less likely to consider a Web application like Google's Writely over, say, Microsoft Word," says Brad Friedman, VP of IT for Burlington Coat Factory, which uses the Star/Open Office desktop suite. Both require security measures to make them less vulnerable, he says.

While there's no such thing as perfect security, companies have to determine for themselves whether the possible benefits of online applications outweigh the risks. "When a [Web application] problem is in fact found, trying to fix it is never trivial," Google's Merrill says. "But it's much simpler to patch a server than it is to patch some large number of clients distributed across some large number of networks."

SANS Institute's Paller agrees. "One huge positive is that the patching is going on in real time," he says, "whereas most of us aren't doing that." And because patching can be such an onerous chore, many organizations will consider ditching PCs altogether in favor of applications delivered through a thin client.

For large companies that have dozens of Web sites and applications, the recent attack on AT&T's DSL equipment site should provide plenty of incentive to assess security, says Jeremiah Grossman, a former Yahoo information security officer who's now CTO with Web application security provider WhiteHat Security. Site scrutiny should be prioritized based on the nature of the information that can be accessed--is customer data at risk?--and the vulnerability of the apps they run.

Whether it's as a hosted service from a vendor or from internally managed Web sites, online software is in the crosshairs of malicious hackers. It may be the future, but it won't be without security risks.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of August 21, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.