Web attacks are on the rise, up 30% in six months, according to security vendor Imperva.
The second edition of Imperva's Web Application Attack Report (the first report was issued in July) identifies cross-site scripting (XSS) as the attack vector of choice (29% of the attacks reported), followed by directory traversal (DT), accounting for about one in five attacks. Imperva also tracked SQL injection, remote file inclusion and local file inclusion attacks.
It’s important to note that these are not necessarily the highest risk attacks. The Open Web Application Security Project (OWASP) identifies injection attacks, followed by XSS, as the highest risk vulnerabilities in its annual OWASP Top 10 report. OWASP bases its risk assessment on a combination of the ease of exploiting a particular attack vector, the prevalence of the vulnerability type, the ease or difficulty of detecting the problem and the severity of the technical impact. OWASP’s methodology further allows organizations to customize their own risk assessment by factoring in the threat agent (skill, motive, opportunity, etc.) and the impact of a successful attack on the business.
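To make the OWASP weighting concrete, here is a worked risk rating as an added example; it is not part of Imperva's report or of OWASP's own tooling. It assumes the scales of the OWASP Risk Rating Methodology (each factor scored 0 to 9, likelihood and impact taken as the average of their factors, each average bucketed as LOW below 3, MEDIUM from 3 to below 6, HIGH from 6, and the overall rating read from the likelihood by impact matrix). The factor scores for the reflected XSS case are constructed for illustration, and the function names are my own.

```python
from statistics import mean

# Factor names follow the OWASP Risk Rating Methodology. The first four
# likelihood factors describe the threat agent (skill, motive, opportunity,
# size); the last four describe the vulnerability itself (ease of discovery,
# ease of exploit, awareness/prevalence, intrusion detection).
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Impact can be scored technically (the default) or, as the article notes,
# customised to the business.
TECHNICAL_IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                            "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT_FACTORS = ("financial_damage", "reputation_damage",
                           "non_compliance", "privacy_violation")

# Overall severity matrix, indexed (likelihood level, impact level).
OVERALL = {
    ("LOW", "LOW"): "NOTE",      ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",   ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def level(score):
    """Bucket a 0-9 average into LOW / MEDIUM / HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(scores, expected):
    """Average the named factors, refusing incomplete or out-of-range input."""
    missing = set(expected) - scores.keys()
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name in expected:
        if not 0 <= scores[name] <= 9:
            raise ValueError(f"{name} must be 0-9, got {scores[name]}")
    return mean(scores[name] for name in expected)


def rate(likelihood, impact, business=False):
    """Return (likelihood_score, impact_score, overall_rating)."""
    factors = BUSINESS_IMPACT_FACTORS if business else TECHNICAL_IMPACT_FACTORS
    l_score = average(likelihood, LIKELIHOOD_FACTORS)
    i_score = average(impact, factors)
    return l_score, i_score, OVERALL[(level(l_score), level(i_score))]


# Constructed sample: reflected XSS on a public, anonymous-access site.
XSS_LIKELIHOOD = {
    "skill_level": 6, "motive": 4, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
    "intrusion_detection": 8,
}
XSS_TECHNICAL_IMPACT = {
    "loss_of_confidentiality": 6, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 7,
}
# The same flaw rated against a constructed, low-value business context.
XSS_BUSINESS_IMPACT = {
    "financial_damage": 1, "reputation_damage": 4,
    "non_compliance": 2, "privacy_violation": 3,
}

if __name__ == "__main__":
    print("technical:", rate(XSS_LIKELIHOOD, XSS_TECHNICAL_IMPACT))
    print("business: ", rate(XSS_LIKELIHOOD, XSS_BUSINESS_IMPACT, business=True))
```

The point the article makes falls out of the numbers: the same vulnerability, with the same likelihood, lands at HIGH under the technical impact scores and at MEDIUM once the business impact is substituted, which is exactly the customisation OWASP's methodology allows.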
Imperva monitored attacks on 40 Web applications and observed an average of 38,000 attacks per hour.
In addition to the five common web application vulnerability attacks, Imperva also tracked business logic attacks, email extraction and comment spamming. Comment spamming injects malicious links into comment fields to defraud consumers and alter search engine results. Email extraction collects email addresses for building spam lists.
The volume and intensity of the attacks reflect the widespread use of automated tools, Imperva notes. Automation gives attackers the biggest bang for their buck, enabling them to point, shoot and profit. The tools often have built-in detection evasion capabilities, such as changing the HTTP User Header. They have multiple exploit capabilities, so if one attack fails, the next is simply tried. The success and the value proposition of these automated tools lies in the proliferation of targets.
And therein lies the challenge. Web applications are so rife with vulnerabilities that there is no chance of eliminating them. Organizations are gradually being won over to adopting secure development practices, but this has taken years and is very far from standard practice. And even if every new piece of production code going forward was developed with security in mind (highly hypothetical), there are countless Internet-facing web applications that have to be tested and remediated.
Organizations need to start by baking security into their software development lifecycles (SDLC). This is an oversimplification, but the program should include:
- Support from top management, making application security a priority requirement.
- Educating developers in secure coding practices, such as validating user input. Developers have by and large been trained and paid to develop functionality — on time and with as few bugs as possible.
- Inclusion of security personnel in the SDLC, with authority to enforce policy.
- Rigorous code testing at each stage of development.
- Combinations of source code, compiled code and static site testing at appropriate stages.
- Accountability. The business managers who are ultimately responsible for developing and deploying the application should be accountable for security as well as functionality and business success.
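Since the list above names input validation as the developer practice to teach, and the report puts XSS and directory traversal at the top of the attack counts, here is an added example of what that practice looks like in code. It is not from the article or from Imperva; the function names are mine, the base directory `/srv/app/files` is a hypothetical path, and the sample inputs are constructed. The unsafe renderer is shown only as the "before" form that reflects user input straight into HTML.

```python
import html
import os
import re

# Allowlist validation: accept only what the field legitimately needs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def valid_username(value):
    """True only for 3-32 characters of letters, digits or underscore."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting_unsafe(name):
    """'Before' form: reflects raw input into HTML (XSS-prone)."""
    return f"<p>Hello {name}</p>"


def render_greeting_safe(name):
    """Output encoding for the HTML body context: & < > \" ' are escaped."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def safe_join(base_dir, user_path):
    """Resolve user_path under base_dir; return None if it escapes.

    Normalising both sides with realpath and then comparing the common
    prefix catches '..' sequences, absolute paths and symlink tricks alike.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying markup, one traversing.
    for name in ("alice_01", "<script>alert(1)</script>"):
        print(valid_username(name), render_greeting_safe(name))
    print(safe_join("/srv/app/files", "docs/report.txt"))
    print(safe_join("/srv/app/files", "../../etc/passwd"))
```

The two defences are complementary: validation rejects input that has no business reaching the application at all, while encoding protects the places where free-form text genuinely must be echoed back. Note that `html.escape` is correct for the HTML body context only; attribute, URL and JavaScript contexts each need their own encoder.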
Legacy applications present a whole other set of problems. Large enterprises may have thousands of them, each riddled with SQL injection, XSS, etc. There are a number of black box testing products, testing services and expert penetration-testing consultants who can help you identify application vulnerabilities. Automated testing tools and services are the best way to cost-effectively cover the largest applications in the greatest number, augmented with manual testing for priority applications.
You should also deploy web application firewalls (WAF) as part of your layered web application defense. WAFs don’t solve the application security problem, but they do offer a measure of protection for unpatched vulnerabilities. If your organization is subject to PCI DSS, chances are you already have deployed a WAF to meet your compliance requirements. But bear in mind that a WAF is not an install-and-forget tool. You’ll need to tune it regularly based on your vulnerability findings and your changing application environment. Web application testing services should be able to help you create WAF rules based on their findings.
But the cost of remediation in precious developer resources can be staggering. A good approach is to prioritize your legacy applications based on value to the business and potential risk of exploitation. Then prioritize the risk presented by each set of vulnerabilities, using the OWASP or similar methodology, and fix the most urgent problems on the most aggressive feasible schedule.