Of those organisations that are testing web applications, many are still using outdated methods that were developed for early web applications.
One of the biggest problems, said Kuykendall, is that many information security professionals do not fully understand web apps.
“Many have a background in networking and network security, where the mindset and model for management and discovery is scanning for known vulnerabilities,” he said.
But web application security mainly involves dealing with custom applications for which there are no known vulnerability checks, he said, which means web app scanners need to be more heuristic to learn the app under investigation and try to understand it to identify its particular vulnerabilities.
Kuykendall said this was a lot more manageable with early web applications because it was relatively easy to analyse static web pages and attack their parameters.
But the world has moved on and the web has changed dramatically in the past five years, he said, moving to a much more interactive user experience.
Challenges behind the user interface
“The challenge is that now there is a lot of stuff happening behind the scenes. It is no longer one web page for one request. Instead, you have a web page that loads up, but as the user does things, the web page is making calls to a server, getting more data and then updating itself,” said Kuykendall.
The problem is that web application security is not getting the focus and attention it needs, he said, because many information security people do not understand the programming models being used.
“Although some developers are starting to go into security, which will help address this issue, most of those in security are struggling because they have never been programmers and, at the same time, developers do not fully understand all the security issues,” said Kuykendall.
The problem is being exacerbated, he said, by the fact that nowadays, in addition to web apps, there is an increasing use of web services or RESTful application programming interfaces (APIs).
“There is therefore a growing gap in what security people with non-programming backgrounds understand and can handle, and what developers understand about the security risks,” said Kuykendall.
Security lessons from watching web traffic
To help close this gap, Rapid7 has developed an open-source project called Hackazon, which is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications.
“Hackazon uses various RESTful interface models, such as Google Web Toolkit, to enable users to experiment with hacking on a modern-looking web application that has intended vulnerabilities,” said Kuykendall.
Hackazon also has a mobile client to enable users to become a man-in-the-middle and see the web traffic between the mobile app and its server.
“They can then start attacking that and get the experience of testing mobile back ends to help educate the security community and give them some resources to play with and get up to speed,” said Kuykendall.
Hackazon can also be used by developers, he said, to understand that when they are using these modern frameworks, all of the data transfers are invisible to them.
“I was recently talking to someone who has been a web developer for 10 years, but he had never before seen what an HTTP request looked like. He had never looked at the network traffic because the tools do not make that mandatory, so the concept that the data was not coming from his mobile app and could be forged by an attacker was unknown to him,” said Kuykendall.
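The point Kuykendall makes above, that a request arriving at the server may not have come from the app at all, is illustrated below with an added example that is not part of the article or of Hackazon: a hypothetical storefront order handler that trusts whatever the client sends, beside one that derives prices from a server-side catalogue and validates quantities. The catalogue, function names and sample requests are all constructed.

```python
import json

# Constructed server-side product catalogue (prices in pence).
CATALOG = {"sku-101": 1999, "sku-202": 4500}


def total_trusting_client(body: str) -> int:
    """Insecure pattern: the total is computed from price fields the
    client supplied. Anyone who can edit the request can set any price."""
    order = json.loads(body)
    return sum(item["price"] * item["qty"] for item in order["items"])


def total_from_catalog(body: str) -> int:
    """Hardened pattern: the client only names SKUs and quantities.
    Prices, and therefore the total, come from the server-side catalogue,
    and every field the client does control is validated."""
    order = json.loads(body)
    total = 0
    for item in order["items"]:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        qty = item.get("qty")
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
            raise ValueError(f"bad quantity for {sku!r}")
        total += CATALOG[sku] * qty
    return total


def order_is_accepted(body: str) -> bool:
    """Convenience wrapper: True if the hardened handler accepts the order."""
    try:
        total_from_catalog(body)
        return True
    except (ValueError, KeyError, TypeError):
        return False


# Constructed request exactly as the genuine mobile app would send it ...
GENUINE = json.dumps({"items": [{"sku": "sku-101", "qty": 2, "price": 1999}]})
# ... and the same request after its price field was altered in transit.
FORGED_PRICE = json.dumps({"items": [{"sku": "sku-101", "qty": 2, "price": 1}]})
# A request naming a SKU the server has never heard of.
UNKNOWN_SKU = json.dumps({"items": [{"sku": "sku-999", "qty": 1}]})
```

Running both handlers over the same requests shows the difference: the trusting handler happily bills 2 pence for the altered order, while the catalogue-based handler returns the real total regardless of what the client claimed.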
Helping developers secure their code
Hackazon documents the vulnerabilities and can help developers see what an attacker can do and how they can change the way they code to protect their apps and make them more secure.
Hackazon can help enterprise security teams understand that they can no longer rely on web application firewalls (WAFs) that were developed for early web applications.
“Many of the WAFs are not yet capable of handling the Google Web Toolkit and XML traffic they are seeing coming through, making the WAFs ineffectual,” said Kuykendall.
As a result, he said, organisations have to do a lot of code remediation, which is difficult. “Through Hackazon, we are focusing on trying to enable developers to fix vulnerabilities, because they are the real defenders and most of them want their code to be good.
“Once they know vulnerabilities exist and how to fix them, they are happy to do it to make their code better, because most of them take pride in their work,” said Kuykendall.
Some verticals like financial services and healthcare are already taking more care over the security of web applications and web services, mainly because of regulatory pressures, but in other industries the emphasis is still on getting new features and applications to market as soon as possible and progress is slow.
“Hackazon is aimed at raising awareness and making it easier for developers and security people to understand because although the issue is beginning to get more attention as the general awareness of information security is increasing, it is just not happening fast enough,” said Kuykendall.
Companies are exposing APIs for business reasons such as enabling customers to place orders, but he said many of these are still not being security tested.
“Companies are running headlong into this major ecosystem, particularly when it comes to mobile apps, and it is like the web in the late 1990s all over again where development is happening at a rapid pace without enough attention to security,” said Kuykendall.