Website security should start from design

Breach that compromised two Singapore government websites last week could have been better mitigated if security was considered from the start of the design and development lifecycle, says FireEye.
Written by Eileen Yu, Senior Contributing Editor

SINGAPORE--The breach that compromised two Singapore government websites last week could have been better mitigated if the web developers were trained in coding securely, and if security had been considered right from the beginning of the design and development lifecycle.

In an e-mail interview with ZDNet, Chong Rong Hwa, senior malware researcher at FireEye, said the security incident further underscores the need for government agencies to heighten their vigilance. 

The websites of the Prime Minister's Office (PMO) and Istana were compromised when hackers used cross-site scripting to redirect visitors searching within the two sites to another webpage resembling the government's but containing messages and images created by the hackers. As a result, visitors were made to believe the websites had been defaced when, in fact, they continued to function normally.

The hackers were able to achieve this through a vulnerability in the websites: a lack of input validation let them exploit the erroneous way search functions were handled on the two sites. Input or data validation is a process that verifies that data entered into the search bar is "clean" and accurate, based on validation rules or "check routines". These rules are typically set by the Web application developer, or in this case, the website owner.
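The missing check described above, as an added example (not code from the affected sites; the function names and the allowlist rule are assumptions): a search handler that echoes the query unchanged, next to one that applies a validation rule and HTML-encodes whatever it echoes.

```javascript
// Added example: search-results rendering, vulnerable vs. hardened.
// All names (renderResultsVulnerable, validateQuery, ...) are hypothetical.

// BEFORE: the search term is copied into the page unchanged, so any markup
// in the query string becomes part of the HTML the visitor's browser runs.
function renderResultsVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Validation rule ("check routine"): letters, digits, spaces and a little
// punctuation, at most 100 characters. The allowlist is an assumption;
// a real site would tune it to what its search actually needs.
const QUERY_RULE = /^[\p{L}\p{N} .,'-]{1,100}$/u;

function validateQuery(raw) {
  if (typeof raw !== "string") return null;
  // Normalize first so look-alike forms (e.g. full-width brackets) are
  // checked in the shape they would finally be rendered in.
  const q = raw.normalize("NFKC").trim();
  return QUERY_RULE.test(q) ? q : null;
}

// Output encoding: the second layer, applied even to validated input so
// one missed validation rule does not turn into script execution.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// AFTER: reject queries that fail the rule, encode everything that is echoed.
function renderResultsHardened(rawQuery) {
  const q = validateQuery(rawQuery);
  if (q === null) {
    return { status: 400, body: "<h1>Invalid search term</h1>" };
  }
  return { status: 200, body: `<h1>Results for ${escapeHtml(q)}</h1>` };
}

// Constructed sample inputs (not taken from the incident).
const samples = ["national day rally", "O'Brien", "<script>/* marker */</script>"];
for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log("  vulnerable:", renderResultsVulnerable(s));
  console.log("  hardened:  ", JSON.stringify(renderResultsHardened(s)));
}
```

The apostrophe in the second sample passes validation and is still encoded on output, which is why the two layers are kept separate.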

Initially blamed for the breach, Google told ZDNet the vulnerability "lies with the coding on the webpage". 

Asked what could have led to the input validation being overlooked, Chong said Web developers are typically not trained to write secure code. "Even if they are trained, their priority is usually to deliver functionality first, and security validation would come second or is forgotten entirely.

"Typically, there are many cases where you need to validate inputs on a website, so it takes only one oversight to be vulnerable. Unfortunately, attackers' priorities are to find the vulnerabilities they can exploit to their advantage," said the Singapore-based forensic engineer. 

When input validation is missing, hackers would tap this to inject malicious content, he noted, adding that these can be discovered with the use of scanners to identify potential security flaws. To further resolve such oversights, he said it is important to assess logic flows within the code, sieve out cryptography loopholes that can cause data leakage, and evaluate the server's malware hygiene, among other issues. 

While it may be difficult to achieve a 100 percent secured environment, hackers will use the path of least resistance so it is important to raise the bar to avoid being an easy target, he said. 

Chong said the PMO and Istana website breach should heighten the level of security awareness of government agencies in Singapore, and they should be expected to beef up vigilance against public threats. He noted the "overemphasis" on the defacement of the two websites, when this incident should instead highlight how the hackers easily could have installed malware into the user's machine without their knowledge through the cross-site scripting technique. This would have incurred greater cost and longer term impact to the targeted organization, he added. 

"Defacement is only a nuisance to the affected organization for a short period of time. However, in the worst case scenario, it could bring danger to the general public if it is used to deliver malicious contents," Chong warned, noting that all applications including websites and non-critical systems should be properly secured.

"Security should start from the beginning of all design and development lifecycle, while testing should be used to augment and audit security, and not as the primary means to ensure security," he said.
