From his vantage point at WhiteHat, Grossman has seen several organizations migrate websites from Microsoft's original ASP to ASP.NET. "ASP classic, the first generation of ASP websites, are generally riddled with vulnerabilities," he says. But when these organizations rewrote their applications using ASP.NET, suddenly their applications improved tremendously security-wise. "Same developers, two different frameworks. It wasn't an education problem, it was a technology problem."
The newer platforms are more secure than the old ones because the framework provides native secure libraries and APIs for account management, log-in/log-out, session handling, input validation and so on. It's also important for a company to standardize on a single application development system. That way the company can build up in-house expertise, rather than approaching each new project like a novice.
Other companies have significant problems with process. For example, WhiteHat's scanner will sometimes find a vulnerability the first time the site is scanned but not find it the second time. "Our systems figured they fixed it and closed the ticket." But on a third scan the vulnerability sometimes comes back.
In a case like this, WhiteHat will call the customer. The developers look at their Web servers and say the vulnerability doesn't exist. And indeed, on some scans the vulnerability is there, and on some it isn't!
"We call it vulnerability clapping," explains Grossman. "Many websites have load-balanced systems" behind a single URL. Each of these systems is supposed to be running exactly the same code, but sometimes they aren't. "Some systems will be hot-fixed, and some won't," he says. These bugs are very hard to find because they require customers to examine each of their supposedly "identical" Web servers for differences.
At another company--a financial institution--WhiteHat discovered an easily exploited vulnerability that would have let customers steal money. WhiteHat called up the company and the problem was hot-fixed within 24 hours. But a few months later, the vulnerability came back.
"The developers were working on the next release, set to come out in two to three months. Some developer did not back-port the hot-fix from the production server to the development server. So when the push occurred three months later, they pushed the vulnerability again." Ugh!
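The two failure modes above can be told apart from the scan history alone: a finding that comes back with no release in between points at an inconsistent load-balanced pool ("clapping"), while one that comes back right after a production push points at a hot-fix that was never back-ported. The following triage routine is an added example, not WhiteHat's code; the finding ids, scan dates and release date are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Scan:
    when: date
    findings: frozenset  # ids of the vulnerabilities observed on this scan


def classify(history, releases):
    """Map each finding id to one of:
      "open"      - present on every scan since it was first seen
      "fixed"     - present, then absent on every later scan
      "regressed" - absent, then back on the first scan after a release
                    (the hot-fix that was never back-ported)
      "flapping"  - absent, then back with no release in between
                    (servers behind one URL not running the same code)
    """
    history = sorted(history, key=lambda s: s.when)
    status = {}
    for fid in set().union(*(s.findings for s in history)):
        timeline = [(s.when, fid in s.findings) for s in history]
        while timeline and not timeline[0][1]:   # ignore scans before first sighting
            timeline.pop(0)
        verdict = "open" if all(p for _, p in timeline) else "fixed"
        for (d0, p0), (d1, p1) in zip(timeline, timeline[1:]):
            if p1 and not p0:                     # absent -> present transition
                pushed = any(d0 < r <= d1 for r in releases)
                verdict = "regressed" if pushed else "flapping"
                break
        status[fid] = verdict
    return status


# Constructed sample history (hypothetical finding ids and dates).
SCANS = [
    Scan(date(2007, 1, 5), frozenset({"xss-search", "sqli-login", "csrf-transfer", "dir-listing"})),
    Scan(date(2007, 1, 12), frozenset({"sqli-login", "csrf-transfer"})),
    Scan(date(2007, 1, 19), frozenset({"xss-search", "sqli-login"})),
    Scan(date(2007, 5, 3), frozenset({"xss-search", "sqli-login", "csrf-transfer"})),
]
RELEASES = [date(2007, 4, 30)]  # constructed: one production push between scans 3 and 4

if __name__ == "__main__":
    for fid, verdict in sorted(classify(SCANS, RELEASES).items()):
        print(f"{fid:15} {verdict}")
```

A "flapping" verdict is the cue to diff the build on every node in the pool rather than to close the ticket; a "regressed" verdict is the cue to check whether the fix ever reached the development branch.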
I've never been a big fan of penetration testing, but the two hours that I spent talking with Grossman convinced me that it's a necessary part of today's e-commerce websites. Yes, it would be nice to eliminate these well-known bugs with better coding practices. But we live in the real world. It's better to look for the bugs and fix them than to simply cross your fingers and hope that they aren't there.
Simson Garfinkel, CISSP, is researching computer forensics and human cognition at Harvard University.