Web application threats increased significantly in 2006, and
they aren't expected to let up in the coming year.
Recently the application security experts at SPI Dynamics Inc.
put their collective heads together and took a look at the threat
landscape for 2007. They've found that increased use of
Web 2.0 technologies and the potential financial gain from
attacks is going to keep Web applications in hackers' sights.
Specifically, the researchers identified seven threats that they
expect to be prevalent during 2007.
Quality and security sacrificed in RAD
Rapid application development (RAD), which is lauded for its quick
production of applications, often fails to address software quality
and security, said Michael Sutton, security evangelist at SPI
Dynamics. Quality is pushed aside in order to meet deadlines.
"RAD, itself, is not a bad approach," he said. "The problem that
we have seen is that the quality piece is sacrificed. Often when
people think of quality, they don't think of security."
How can that be fixed?
Security must be included throughout the software development life
cycle, Sutton said. Starting at the design meeting, security
must be considered and then continued throughout development, he
said.
File format vulnerabilities an avenue for phishing attacks
File format vulnerabilities don't lie in the actual file. The
vulnerability is actually in the application that interprets the
file. As a result, a single malicious file can exploit multiple
applications leveraging the same faulty libraries.
Targets for such attacks include graphics programs, word
processors, media players, Web browsers and spreadsheet
applications. In fact, Sutton said about one quarter of Microsoft's
patches in 2006 were related to this.
"We're seeing a lot of zero-day attacks like this where a fake
email is sent and people open them because they're not executable
files," he said.
The true fix for this flaw is for software companies to not
release vulnerable software, Sutton said. That can be achieved by
including security throughout the SDLC and by using
fuzzing tools to find vulnerabilities.
Flawed software will still remain, so companies that use such
software will have to make sure the applications are patched. If
there isn't a fix, they may need to decide if they should block
certain types of attachments.
"It's tough. You need to pass along these types of files, but
they can lead to exploitation," Sutton said.
Hackers targeting bridges or "mashups"
This new trend involves a link or "bridge" between two sites where
one is able to send search requests to another much larger site,
such as Amazon.com or Maps.com. Because the bridge doesn't have its
own security measures, it creates an easy avenue for hackers to
attack the larger, more desirable site.
"Sites that are allowing access to content are not being as
careful about security when it's going to an RSS feed or an API,"
Sutton said. That makes it possible for hackers to piggyback on the
trust between those two sites. "The same security should be applied
to bridges as would be applied to public-facing portals," he
added.
Insecure embedded Web application servers
Often people forget that the hardware they run, including printers
and routers, has embedded Web servers in it these days. With
them, users can check their status via a Web browser. The problem
is, they're pretty simple servers that haven't undergone much
security testing, Sutton said.
That means they're wide open for attack. For example, a switch
could be configured to re-route traffic to the attacker.
Adding to this problem is the fact that the devices are rarely
updated and patched. "No one updates their printer software like
they do their desktop," Sutton said.
More Web 2.0 applications = more application threats
Web 2.0 promises to make Web applications more dynamic and
interactive, but it also increases the possible threats to those
applications, Sutton said.
"Any time an application has a vulnerability, nine times out of 10
it's because the user input isn't validated in some way," Sutton
said. "With all of these Web 2.0 apps, all these inputs increase
significantly."
And that gives attackers more ways to get in. Users may not see
them as inputs because they act behind the scenes, but an attacker
can see them.
It's imperative that developers pay attention to security as
Web applications become more complex, Sutton added.
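As an added illustration that is not from the article or from SPI Dynamics, the following Python request check treats the JSON body an XHR call sends behind the scenes as untrusted input on exactly the same footing as the visible form fields, and rejects any field the server never expected rather than silently ignoring it. The field allowlist, rules and sample requests are constructed for this example.

```python
import json
import re

# Allowlist of accepted fields and the check each must pass.
# The field set and rules are constructed for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
SCHEMA = {
    "username": (True, lambda v: isinstance(v, str) and USERNAME_RE.match(v) is not None),
    "page": (False, lambda v: str(v).isdigit() and 1 <= int(v) <= 1000),
    "sort": (False, lambda v: v in ("name", "date")),
}


def collect_inputs(query, json_body):
    """Merge every channel a request can carry data in: the query string the
    user sees in the form, plus the JSON body an XHR call sends behind the
    scenes. Returns the merged dict, or None if the body is not a JSON object."""
    merged = dict(query)
    if json_body:
        try:
            parsed = json.loads(json_body)
        except ValueError:
            return None
        if not isinstance(parsed, dict):
            return None
        merged.update(parsed)
    return merged


def validate_request(query, json_body):
    """Return (ok, errors). Unknown fields are rejected, not ignored, so a
    value added by client-side script that the server never asked for
    cannot slip through to the application logic."""
    supplied = collect_inputs(query, json_body)
    if supplied is None:
        return False, ["body is not a JSON object"]
    errors = []
    for name in supplied:
        if name not in SCHEMA:
            errors.append(f"unexpected field: {name}")
    for name, (required, check) in SCHEMA.items():
        if name not in supplied:
            if required:
                errors.append(f"missing field: {name}")
            continue
        if not check(supplied[name]):
            errors.append(f"invalid value for {name}")
    return (not errors), errors


if __name__ == "__main__":
    # Constructed sample requests: a plain form submission and two XHR calls.
    print(validate_request({"username": "alice"}, None))
    print(validate_request({}, '{"username": "alice", "page": 2, "sort": "date"}'))
    print(validate_request({}, '{"username": "alice", "is_admin": true}'))
```

The third sample shows the case the article warns about: a field that never appears in the visible form still reaches the server, and only an allowlist that covers every input channel catches it.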
Client-side attacks increasingly important
Client-side vulnerabilities are becoming more severe thanks to the
explosion of phishing attacks and identity theft. Now a person can
visit a malicious Web site and have their browser compromised, opening
the way for attackers to steal their data.
"People are starting to realize that client-side vulnerabilities
are serious vulnerabilities, and there are challenges to fixing
them," Sutton said. "If someone has to patch the browser for
everyone in an organization, that's a huge challenge."
Expect more worms
Web application worms are excellent for blanketed attacks.
They're yet another vector to gain access to people and their
information.
They've especially become a threat to social networking Web sites
that have relaxed rules on client-provided script so that members
can code their own pages.
Yahoo! and MySpace are two sites that have fallen victim to such
worms.
Security needs to become more of a priority if those sites want
to be worm-free.
Development frameworks need security controls
Another thing that contributes to the increase in attacks on Web
applications is that more people are developing them because
they're easier to create, but they don't have security expertise,
Sutton said.
"The problem is, not everyone is a security expert so a lot of
Web applications are going to be developed and a lot of security
mistakes are going to be made," he said.
To remedy that, Web application development frameworks are going
to have to take on some of the security burden, Sutton said.
"The Web application development frameworks need to take into
account that they're being used by anybody, and most aren't going
to have security knowledge," he said. "So, security needs to be
embedded in them to protect the developers from themselves."