Web application threats increased significantly in 2006, and they aren't expected to let up in the coming year.
Recently the application security experts at SPI Dynamics Inc. put their collective heads together and took a look at the threat landscape for 2007. They've found that increased use of Web 2.0 technologies and the potential financial gain from attacks is going to keep Web applications in hackers' sights.
Specifically, the researchers identified seven threats that they expect to be prevalent during 2007.
Quality and security sacrificed in RAD
Rapid application development (RAD), which is lauded for its quick production of applications, often fails to address software quality and security, said Michael Sutton, security evangelist at SPI Dynamics. Quality is pushed aside in order to meet deadlines.
"RAD, itself, is not a bad approach," he said. "The problem that we have seen is that the quality piece is sacrificed. Often when people think of quality, they don't think of security."
How can that be fixed? Security must be included throughout the software development life cycle, Sutton said. Starting at the design meeting, security must be considered and then continued throughout development, he said.
File format vulnerabilities an avenue for phishing attacks
File format vulnerabilities don't lie in the actual file. The vulnerability is actually in the application that interprets the file. As a result, a single malicious file can exploit multiple applications leveraging the same faulty libraries.
Targets for such attacks include graphical programs, work processors, media players, Web browsers and spreadsheet applications. In fact, Sutton said about one quarter of Microsoft's patches in 2006 were related to this.
"We're seeing a lot of zero-day attacks like this where a fake email is sent and people open them because they're not executable files," he said.
The true fix for this flaw is for software companies to not release vulnerable software, Sutton said. That can be achieved by including security throughout the SDLC and by using fuzzing tools to find vulnerabilities.
Flawed software will still remain, so companies that use such software will have to make sure the applications are patched. If there isn't a fix, they may need to decide if they should block certain types of attachments.
"It's tough. You need to pass along these types of files, but they can lead to exploitation," Sutton said.
Hackers targeting bridges or "mashups"
This new trend involves a link or "bridge" between two sites where one is able to send search requests to another much larger site, such as Amazon.com or Maps.com. Because the bridge doesn't have its own security measures, it creates an easy avenue for hackers to attack the larger, more desirable site.
"Sites that are allowing access to content are not being as careful about security when it's going to an RSS feed or an API," Sutton said. That makes it possible for hackers to piggyback on the trust between those two sites. "The same security should be applied to bridges as would be applied to public-facing portals," he added.
Insecure embedded Web application servers
Often people forget that the hardware they run, including printers and routers, have embedded Web servers in them these days. With them, users can check their status via a Web browser. The problem is, they're pretty simple servers that haven't undergone much security testing, Sutton said.
That means they're wide open for attack. For example, a switch could be configured to re-route traffic to the attacker.
Adding to this problem is the fact that the devices are rarely updated and patched. "No one updates their printer software like they do their desktop," Sutton said.
More Web 2.0 applications = more application threats
Web 2.0 promises to make Web applications more dynamic and interactive, but it also increases the possible threats to those applications, Sutton said.
"Any time an application has a vulnerability, nine times out of 10 it's because the user input isn't validated in some way," Sutton said. "With all of these Web 2.0 apps, all these inputs increase significantly."
And that gives attackers more ways to get in. Users may not see them as inputs because they act behind the scenes, but an attacker can see them.
It's imperative that developers pay attention to security as a Web applications become more complex, Sutton added.
Client-side attacks increasingly important
Client-side vulnerabilities are becoming more severe thanks to the explosion of phishing attacks and identity theft. Now a person can visit a bad Web site and their browser can get corrupt, opening the way for attackers to steal his data.
"People are starting to realize that client-side vulnerabilities are serious vulnerabilities, and there are challenges to fixing them," Sutton said. "If someone has to patch the browser for everyone in an organization, that's a huge challenge."
Expect more worms
Web application worms are excellent for blanketed attacks. They're yet another vector to gain access to people and their information.
They've especially become a threat to social networking Web sites that have relaxed rules on client-provided script so that members can code their own pages. Yahoo! and MySpace are two sites that have fallen victim to such worms.
Security needs to become more of a priority if those sites want to be worm-free.
Development frameworks need security controls
Another thing that contributes to the increase in attacks on Web applications is that more people are developing them because they're easier to create, but they don't have security expertise, Sutton said.
"The problem is, not everyone is a security expert so a lot of Web applications are going to be developed and a lot of security mistakes are going to be made," he said.
To remedy that, Web application development frameworks are going to have to take on some of the security burden, Sutton said.
"The Web application development frameworks need to take into account that they're being used by anybody, and most aren't going to have security knowledge," he said. "So, security needs to be embedded in them to protect the developers from themselves."