Web App Vulnerabilities Are Getting More Attention; Now's The Time For IT To Get Defensive - InformationWeek



The number of vulnerable sites is small but growing rapidly, and attacks can happen without victims even knowing they've been hit.

Attacks designed to bring down networks are largely under control, even though companies still spend plenty of time defending against them. The latest addition to IT teams' worry lists: keeping Web apps from being hijacked and forced to give up data that can be used to commit identity theft or other crimes.

The number of Web sites with applications vulnerable to these attacks appears to be small--58 were reported last year to the Web Application Security Consortium, a group that tracks flaws found in custom Web apps. But that's a big leap from the 16 in 2004 and nine in 2003. This year, at least 20 vulnerabilities have been reported, including cross-site scripting vulnerabilities at eBay, Microsoft MSN Hotmail, and open source repository SourceForge.net, all of which have since been fixed. And the reported number of vulnerable sites could be just a starting point, since the vulnerabilities aren't easy to spot, and attackers try to get in and out without leaving a trail. So victims may not know their sites were attacked and data compromised or stolen.

In the past, malicious hackers have been more interested in disrupting the availability of networks and Web-based applications. Now there's increased interest in the payoff from stealing data that Web applications store, such as information that lets users log in to Web sites, pay bills, check accounts, and conduct other business. "If the hacker can construct application code that can query this information, it's better than trying to hack it out of a back-end server that's been patched," says Grant Bourzikas, senior manager of information security and business continuity at Scottrade.

The online brokerage last year decided to protect itself against a variety of attacks designed to fool Web applications into disclosing information, including buffer overflows, SQL injections, and cross-site scripting. Scottrade placed its Web-based trading systems behind an Imperva SecureSphere Web Application Firewall, which is designed to reinforce the company's application security policies that specify the amount and type of data that can be input into any field. "To be a solid security organization, you have to look at all layers of protection," Bourzikas says.

Types Of Web App Attacks

Buffer Overflow: Attackers input more information in a data field than an app can handle, tricking it into handing over data.

SQL Injection: Instructions are entered into a data field that let the attacker take control of an app.

Cross-Site Scripting: Hackers insert links into a Web app that send users to bogus or malware-laden sites.
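The policy approach Scottrade describes (rules fixing the amount and type of data a field may hold) is a positive, allow-list model, and the same check catches all three input patterns in the table above. The following is an added illustration, not Imperva's or Scottrade's code; the field names, length limits and sample requests are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical per-field rule: a cap on the amount of data and an
# allow-list pattern for the type of data, as the article describes.
@dataclass(frozen=True)
class FieldPolicy:
    max_len: int        # oversized input is rejected before anything else
    pattern: str        # regex the whole value must match (checked with fullmatch)
    required: bool = True

# Constructed policy for a login-style form; names and limits are assumptions.
LOGIN_POLICY: Dict[str, FieldPolicy] = {
    "account": FieldPolicy(max_len=8, pattern=r"[0-9]+"),
    "pin":     FieldPolicy(max_len=4, pattern=r"[0-9]+"),
    "memo":    FieldPolicy(max_len=80, pattern=r"[A-Za-z0-9 .,'-]*", required=False),
}

def check_request(fields: Dict[str, str], policy: Dict[str, FieldPolicy]) -> List[str]:
    """Return the list of policy violations; an empty list means the request passes.

    Because anything not explicitly permitted is rejected, no per-attack
    signature is needed: oversized data, quote characters in a numeric field
    and HTML markup in a free-text field all fail the same two tests."""
    violations: List[str] = []
    for name, rule in policy.items():
        value = fields.get(name)
        if value is None:
            if rule.required:
                violations.append(f"{name}: missing required field")
            continue
        if len(value) > rule.max_len:
            violations.append(f"{name}: {len(value)} chars exceeds limit of {rule.max_len}")
            continue
        if re.fullmatch(rule.pattern, value) is None:
            violations.append(f"{name}: characters outside allowed set")
    # Parameters the form was never designed to accept are rejected as well.
    for name in fields:
        if name not in policy:
            violations.append(f"{name}: unexpected field")
    return violations

# Constructed sample requests (not real traffic), one per row of the table.
GOOD = {"account": "12345678", "pin": "4321"}
OVERSIZED = {"account": "1" * 500, "pin": "4321"}          # far more data than the field holds
WRONG_TYPE = {"account": "123'5678", "pin": "4321"}        # quote character where digits are expected
INJECTED_MARKUP = {"account": "12345678", "pin": "4321",
                   "memo": 'see <a href="http://example.invalid">here</a>'}  # link markup in a text field
```

Run against the three constructed requests, GOOD passes and each of the others produces exactly one violation naming the offending field.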

Web application firewalls can be used in conjunction with network firewalls, which work at the network perimeter, stopping any traffic they're programmed to block. Other Web application firewall vendors include Citrix Systems, F5 Networks, and NetContinuum, which this week is introducing its latest NC-1100 application firewall and application gateway appliances. While a firewall isn't likely to be as secure as writing an application from scratch with the security built in, it's a much quicker way to get a defense in place than spending months writing and debugging custom code. Many Web applications weren't written with security top of mind, says Gary McGraw, CTO at Cigital, which makes risk management software.

Attacks on Web apps are particularly disturbing to financial services companies, which are looking to make online banking and investing less expensive and more convenient. Bank of America last week reported that 3.8 million online accounts were activated on its Web site last year, an increase of 69% over the previous year. And banks can't count on customers to fend for themselves. A survey of more than 700 people with online accounts by TD Canada Trust, a bank that's part of Toronto's TD Bank Financial Group, found that fewer than 30% knew the terms phishing and Web site spoofing. Most customers believe their bank should bear primary responsibility for security measures around online banking.

Bank of America, Scottrade, and other financial institutions need to be attentive to the risk of Web attacks, having suffered breaches in the past six months that resulted in customer data being compromised at merchant and data processing locations. The last thing they need is their Web site to become another point of weakness.
