By Larry Greenemeier - Courtesy of InformationWeek

April 17, 2006

Web App Vulnerabilities Are Getting More Attention; Now's The Time For IT To Get Defensive

Attacks designed to bring down networks are largely under control, even though companies still spend plenty of time defending against them. The latest addition to IT teams' worry lists: keeping Web apps from being hijacked and forced to give up data that can be used to commit identity theft or other crimes.

The number of Web sites with applications vulnerable to these attacks appears to be small--58 were reported last year to the Web Application Security Consortium, a group that tracks flaws found in custom Web apps. But that's a big leap from the 16 in 2004 and nine in 2003. This year, at least 20 vulnerabilities have been reported, including cross-site scripting vulnerabilities at eBay, Microsoft MSN Hotmail, and open source repository, all of which have since been fixed. And the reported number of vulnerable sites could be just a starting point, since the vulnerabilities aren't easy to spot, and attackers try to get in and out without leaving a trail. So victims may not know their sites were attacked and data compromised or stolen.

In the past, malicious hackers have been more interested in disrupting the availability of networks and Web-based applications. Now there's increased interest in the payoff from stealing data that Web applications store, such as information that lets users log in to Web sites, pay bills, check accounts, and conduct other business. "If the hacker can construct application code that can query this information, it's better than trying to hack it out of a back-end server that's been patched," says Grant Bourzikas, senior manager of information security and business continuity at Scottrade.

The online brokerage last year decided to protect itself against a variety of attacks designed to fool Web applications into disclosing information, including buffer overflows, SQL injections, and cross-site scripting. Scottrade placed its Web-based trading systems behind an Imperva SecureSphere Web Application Firewall, which is designed to reinforce the company's application security policies that specify the amount and type of data that can be input into any field. "To be a solid security organization, you have to look at all layers of protection," Bourzikas says.


Web application firewalls can be used in conjunction with network firewalls, which work at the network perimeter, stopping any traffic they're programmed to block. Other Web application firewall vendors include Citrix Systems, F5 Networks, and NetContinuum, which this week is introducing its latest NC-1100 application firewall and application gateway appliances. While a firewall isn't likely to be as secure as writing an application from scratch with the security built in, it's a much quicker way to get a defense in place than spending months writing and debugging custom code. Many Web applications weren't written with security top of mind, says Gary McGraw, CTO at Cigital, which makes risk management software.

Attacks on Web apps are particularly disturbing to financial services companies, which are looking to make online banking and investing less expensive and more convenient. Bank of America last week reported that 3.8 million online accounts were activated on its Web site last year, an increase of 69% over the previous year. And banks can't count on customers to fend for themselves. A survey of more than 700 people with online accounts by TD Canada Trust, a bank that's part of Toronto's TD Bank Financial Group, found that fewer than 30% knew the terms phishing and Web site spoofing. Most customers believe their bank should bear primary responsibility for security measures around online banking.

Bank of America, Scottrade, and other financial institutions need to be attentive to the risk of Web attacks, having suffered breaches in the past six months that resulted in customer data being compromised at merchant and data processing locations. The last thing they need is their Web site to become another point of weakness.

main page ATTRITION feedback