Glow in the dark -- how CISOs can find their way through the darkness of the web

Even my favorite small sushi shop has a website with an online ordering capability. It also has a blog with news, events, and recipes and an option to subscribe to the newsletter.

Out of curiosity I took a look at the web page source. The site is built on one of the many free open-source AJAX (Asynchronous JavaScript and XML) scripts for web carts and blogs available on the Internet. A small local web design company developed the website, and the design is contemporary and minimalistic, just like the chef's sushi shop.


When considering security, the web developer could have turned to the Open Web Application Security Project (OWASP), which has published a testing guide for AJAX vulnerabilities. The guide outlines nine categories of vulnerabilities to be tested. However, that is not a simple task for an amateur web developer.

Questions spring to mind, such as: has the developer tested the application for vulnerabilities? The sushi chef has installed a burglar alarm and cameras in his shop. But all shops in the neighborhood have some anti-burglar system. Burglary happens in the area, and installing alarms is a standard cost of doing business. Alarms and cameras in the shop cannot prevent burglary; they are deterrents. The local law enforcement team, however, is tasked with preventive measures against burglary: they patrol the neighborhood, organize awareness campaigns, and collect intelligence on threats.

Cross-site scripting and SQL injection are less obvious risks for a small shop owner. Still, they could lead to a breach of customers' credit card details and personal information. To be sure that his website is secure, the sushi chef must have it tested and implement preventive measures. But how much is he ready to spend on such a test? A CISO of a large company may be responsible for several hundred web applications. He may ask: which applications are the most critical? Does that mean less critical applications should not be tested for vulnerabilities? How much budget is a CISO ready to allocate to web application security? And how can that budget be spent wisely while still feeling secure in the darkness of the web?


Information: The crown jewel

All components of information systems are vulnerable to exploits. However, components directly accessible from the Internet are exposed to external threats and are therefore more likely to be exploited. Internal system components, if exploited, provide direct access to higher levels of privilege, such as to databases and the file system; they are protected, however, by rings of security controls, or what the security industry calls defense in depth. Web systems are on the enterprise front line. It is therefore unsurprising that other perimeter systems are less frequently exploited.

Network devices such as firewalls are designed to segregate networks, and they perform that role effectively. Because of their specific scope of functionality, they are designed and tested in a robust way. In addition, they are equipped with attack detection mechanisms and designed to fail safely. Only determined attackers with specific objectives would spend the time and effort to attack firewalls.

On the other hand, web applications are tools for disseminating information, communicating with customers, selling goods and services, and building corporate identity and image. They are designed for dynamic aggregation of information, for linking users to databases, for interconnecting businesses, and for collecting data. As such, they are the system components closest to the corporate crown jewel: information.

As companies and individuals rush to connect and disseminate information, ever more web applications are being developed quickly and with limited resources. Although everyone admits that it is important, information security is not the top priority when planning time to market for products and services. Business owners' objective is to minimize expenditure, and this frequently results in security risks being accepted, or even ignored.

Managing information security risks is a cost of doing business. Moreover, that cost is often hidden and its impact is hard to measure. Data owners simply want to share and monetize their data. They are not motivated to think about security what-ifs unless forced to by laws and regulations. So they end up developing beautifully designed web applications that attract a mass audience, rich with features and functionality that track and collect massive amounts of marketing data to help companies understand consumer demand.

Web applications help visitors find information on products, services and special offers, compare product features and prices, check feedback from other customers, make purchases with different payment options, and track delivery of their packages. And users can do all that from any device, anywhere in the world. So can hackers in search of riches and weaknesses...


Protecting the crown jewels

There are many possible areas where weaknesses could be hidden. OWASP lists the top 10 web application weaknesses and tracks how they evolve over time. It is no surprise that injection vulnerabilities have topped the charts for a long time. Injection vulnerabilities are weaknesses in application logic: they result from an inability to predict every way users might behave when entering or searching for data.

There are, of course, secure coding methods that provide best practices for mitigating such risks, but they require skills and time to implement. Moreover, with every change to the underlying business process there is a change in the business logic that requires re-testing. Automated scanners would make such repeated testing easier if they were effective on their own, but human intelligence remains indispensable. Code analysis can assist in identifying potentially vulnerable areas. Ethical hacking can verify that a vulnerability exists and how difficult an injection vulnerability is to exploit.


Fuzz testing tools, such as ImmuniWeb Self-Fuzzer, a free real-time fuzzing extension for the Firefox browser, can analyse many possible data entry combinations in a short period of time. That process is similar to brute forcing password combinations and cannot compare to an intelligent attack. Attackers can put more logic into their attacks after reconnaissance, that is, after collecting information about the target. They can easily learn about the profiles of the target company's users and significantly narrow the scope of their attack. Their data searches will resemble those of legitimate users.

Such interaction with web applications can hardly be identified as potentially malicious. It would not be detected by log analyzers or application firewalls. What remains for attackers is to find a vulnerability, such as a buffer overflow in the web content management system or the underlying database, and that would open the doors to the crown jewel: corporate information.

Automated web application scanning is very useful for an initial information security assessment. There are many scanning tools on the market. Some are even free, including OWASP Zed Attack Proxy (ZAP). It is simple to use, but web application security experience is required to produce meaningful results. Self-Fuzzer and ZAP are important tools within my web application security toolbox. I use them regularly to perform the initial phase of a corporate web application security assessment. This helps prioritize web applications in terms of potential vulnerabilities and their criticality, and it defines the scope for further, more in-depth security assessments and the allocation of the security budget for preventive, detective and security monitoring activities.

Like all automated scanners, ZAP cannot detect logical vulnerabilities. OWASP recommends performing manual penetration tests to find all types of vulnerabilities. Manual penetration testing is time consuming and requires specific skills; consequently, it is an expensive consultancy service. It is therefore quite unlikely that my favorite sushi chef would authorize penetration testing to assess the security of his website. However, there is a solution even for a small e-commerce site like his. Personally, I was unaware of a hybrid approach to web application security assessment until 2013, when High-Tech Bridge, one of our penetration testing providers, offered to test ImmuniWeb. ImmuniWeb is an on-demand web application security assessment solution that combines automated scanning with manual web application penetration testing at an affordable price. Moreover, ImmuniWeb can be used to assess websites hosted with cloud service providers, as it does not perform any dangerous security checks and does not affect the performance of the web server or network equipment.

For large companies with hundreds of web applications, such a hybrid assessment helps expand the scope of assessment to cover even applications estimated to be at medium or lower risk. CISOs finally have a solution that combines the strength of technology with human skills and intelligence to more accurately assess the potential for exploiting application vulnerabilities.

The OWASP Top 10 lists several other vulnerability classes that are difficult to detect with automated scanners. Cross-Site Scripting (XSS) is one of them. Attackers may use this technique to hijack user sessions and redirect users to a malicious site where they may be tricked into entering their credentials or payment details. OWASP highlights that it is particularly difficult for automated scanners to detect XSS vulnerabilities on websites built on technologies such as AJAX.

One of the CISOs' nightmares is the potential ruin of corporate reputation. Imagine a web page with the corporate logo at the top, the usual legal disclaimers at the bottom, and data input dialog boxes asking visitors to enter their login IDs and passwords, all with the company's valid Internet address in the address bar. The problem is that the prompt for user credentials is not passing that information to the corporate web application but to a malicious site. It is very unlikely that website visitors would inspect the page source code to identify the risk before entering their credentials.


Thousands of such cases have been published. For example, 860,000 Apple fan accounts were compromised as a result of an XSS exploit on the MacRumors forum. With limited in-house manpower it is difficult for me to dedicate resources to continuous assessment of such a risk on all corporate web-based systems. To compensate for that restriction, I ensure that most web-based systems are included in continuous security assessment using hybrid scanners.

Insecure Direct Object References are vulnerabilities that may allow users who are authorized to access certain data to modify search parameters and access restricted data. Automated scanners cannot differentiate what is safe from what is unsafe.

A human penetration tester may identify a potential vulnerability that could lead to a breach of data confidentiality. This kind of vulnerability sometimes slips through security tests even at large companies and results in a privacy breach affecting 100,000 customers. Missing Function Level Access Control is a similar type of vulnerability, also related to the application logic and therefore unlikely to be identified by automated scanners. Instead of providing unauthorized access to data directly, this vulnerability allows access to an application function that is not authorized for the current user's role.

For the small online shop, an example would be gaining access to the reimbursement approval function. Implementing a change in application logic to mitigate such a vulnerability should follow secure software development life-cycle best practice, which recommends performing a security assessment after every major change. It is not uncommon that fixing one vulnerability creates another. Critical Java vulnerabilities discovered last year were repaired by an out-of-band patch that introduced new vulnerabilities. If CISOs had the budget for another penetration test after implementing a remedy and before putting the web system back into production, they would sleep much better at night. With hybrid vulnerability assessment, initially introduced to the market by the Swiss company High-Tech Bridge with ImmuniWeb SaaS, this finally seems feasible.
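The two access-control flaws just described (Insecure Direct Object References and Missing Function Level Access Control) shown side by side with their server-side fixes, as an added example in Python that is not the article's or any vendor's code. It assumes a constructed toy shop with "customer" and "manager" roles, an order lookup, and the refund-approval function mentioned above.

```python
"""Added example, not code from the article or any product it names: a toy
order-lookup and refund-approval service for a small online shop. Every
name, role and record here is constructed for illustration."""
from dataclasses import dataclass

@dataclass
class User:
    user_id: int
    role: str  # constructed roles: "customer" or "manager"

@dataclass
class Order:
    order_id: int
    owner_id: int
    card_last4: str
    refund_approved: bool = False

class Forbidden(Exception):
    """Raised when a request fails an authorization check."""

def sample_orders() -> dict:
    """Constructed sample data: two customers, one order each."""
    return {1001: Order(1001, owner_id=1, card_last4="4242"),
            1002: Order(1002, owner_id=2, card_last4="0005")}

# --- Vulnerable handlers: the request parameter is trusted as-is ------------
def get_order_vulnerable(orders: dict, user: User, order_id: int) -> Order:
    # IDOR: any logged-in user can read any order just by changing order_id.
    return orders[order_id]

def approve_refund_vulnerable(orders: dict, user: User, order_id: int) -> Order:
    # Missing function level access control: the role is never checked, so
    # the approval function is reachable by anyone even if the UI hides it.
    order = orders[order_id]
    order.refund_approved = True
    return order

# --- Hardened handlers: ownership and role are enforced on the server -------
def get_order(orders: dict, user: User, order_id: int) -> Order:
    order = orders.get(order_id)
    # Customers may only see their own orders; managers may see all of them.
    if order is None or (user.role != "manager" and order.owner_id != user.user_id):
        raise Forbidden("order not found")  # same reply whether or not the id exists
    return order

def approve_refund(orders: dict, user: User, order_id: int) -> Order:
    # The role check lives on the function itself, not in the UI.
    if user.role != "manager":
        raise Forbidden("refund approval requires the manager role")
    order = get_order(orders, user, order_id)
    order.refund_approved = True
    return order

def denied(handler, *args) -> bool:
    """True if the handler rejects the call with Forbidden; used by the checks."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```

The hardened lookup returns the same "order not found" reply for a foreign order and for a non-existent one, so a probing user learns nothing about which identifiers exist.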


Robots vs humans

One guardian of the crown jewel, the web developer, must reduce the possible attack scope to an acceptable risk level. When fully focused on application design, it is hard to imagine how creative attackers may be. For ethical hackers, though, that is their day job. They search through the dark web to understand the logic of attackers, to identify the tools attackers use, which vulnerabilities attackers discuss and what skills attackers look for. They are just like undercover policemen patrolling streets, bars and nightclubs and collecting intelligence about underground activities. While automated scanners can point to a potential vulnerability, ethical hackers also search the dark side of the web for traces that those vulnerabilities are being exploited. Two automated scanners that I tested, from BeyondTrust and Qualys, detected an XSS-vulnerable page on the target website. However, the code provided in the assessment report was not easily reproducible.

It required the skills and time of an engineer from our information security team to verify whether that XSS vulnerability was exploitable and how difficult exploitation would be. For an organization with hundreds of websites and thousands of web pages, manual verification of each XSS vulnerability would require significant resources. For a small company without the specific internal skills for such verification, it would require contracting expensive consultancy. The ImmuniWeb assessment detected more XSS-vulnerable pages on the same target website, pages that the automated scanners had completely missed. More importantly, the proof-of-concept scripts provided in the assessment report are easily verifiable even for a non-technical person: it is a matter of clicking a link in the report that opens the vulnerable web page with a pop-up message illustrating what the exploit may look like. The ImmuniWeb assessment goes one step further. It also provides information on where and when the vulnerable web pages were listed on hackers' forums. There is no need to highlight the criticality of the vulnerability and the importance of fixing it when one is presented with such a report.


Vulnerabilities represent only one part of the risk. Threats are the other component of the risk equation. External threats to web applications are on the rise and represent the top priority of information security managers, as reported by the OWASP CISO Survey. While there is a long list of tools on the market to assist in identifying vulnerabilities, nothing can yet replace a human in identifying actual threats. With data breach reports that point to exploits going undetected for years, it is clear that better threat intelligence is needed. Defense in depth is important, just like burglar alarms, but human-generated reports, like those from the Hacking Resource Monitor module of ImmuniWeb, introduce another dimension to the perception of risk. It definitely makes me sleep better at night. I will also mention this to my sushi chef when I stop by his shop next time.

Viktor Polic (CISSP, CRISC, CISA) is Chief Information Security Officer at a specialized agency of the UN.
