For the past couple of years, companies such as Sanctum and Gilian Technologies, and more recently KaVaDo, have been warning that Web applications represent a significant security threat that most companies aren’t aware of. Now research from the security consulting firm @stake, Inc. seems to prove they are right.
@stake studied 45 e-business applications that were responsible for generating $3.5 billion in revenue for @stake clients. The idea was to find vulnerabilities in the applications themselves, as opposed to surrounding network infrastructure, that could lead to security breaches.
From those 45 applications, @stake found nearly 500 “significant” security defects, with an average of at least 10 per assessment. Seventy percent of the defects were due to design flaws in the applications and nearly half of the most serious flaws could have been caught and fixed in the application design phase.
@stake identified a number of common application security problems. One is that most companies don’t provide secure authentication and access control features. Many allowed passwords to travel over the network unencrypted and 27% lacked password controls or policies sufficient to thwart brute-force login attacks.
Overall, @stake found that 62% of the applications suffered from some vulnerability that allowed access controls to be bypassed.
Nearly one-third of the applications had vulnerabilities that made them susceptible to a type of attack known as session hijacking. A session identifier is used to keep track of a given user as he browses a site. If this identifier isn’t encrypted, as @stake found was often the case, hackers can steal it to hijack the session and essentially assume the identity of an authorized user. Because the user has already logged in, no password is required.
The third major type of vulnerability, found in 71% of the applications analyzed, is cross-site scripting. This can happen when an application has no mechanism to ensure, before processing, that all user-submitted data, such as values entered in a Web-based form, conforms to what the application expects.
Such validation would prevent attackers from submitting Web forms that contain embedded HTML, JavaScript or overlong strings that can cause the Web server to fail or enable an attacker to gain control of one or more networked servers.
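As an added illustration of the input-validation discipline the article describes (example code, not from the @stake report or the companies named), the following Python validator checks each submitted form field against the exact shape the application expects, rejects overlong strings and fields the application never asked for, and HTML-escapes free text before it is written back into a page. The field names and rules are a constructed example schema.

```python
import html
import re

# Constructed example schema (an assumption, not a real application's):
# each field declares the exact shape the application expects.
FIELD_RULES = {
    "username": {"pattern": re.compile(r"^[A-Za-z0-9_]{3,32}$")},
    "email":    {"pattern": re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,190}$")},
    "shipping": {"choices": {"standard", "express", "overnight"}},
    "comment":  {"max_len": 500},          # free text: length-capped, escaped on output
}

def validate_form(form: dict) -> dict:
    """Return {field: error} for every value that does not conform to the
    schema; an empty dict means the submission is acceptable."""
    errors = {}
    for name, rules in FIELD_RULES.items():
        value = form.get(name)
        if value is None:
            errors[name] = "missing"
            continue
        if not isinstance(value, str):
            errors[name] = "wrong type"
            continue
        if len(value) > rules.get("max_len", 256):
            errors[name] = "too long"      # overlong strings are cut off here
            continue
        pattern = rules.get("pattern")
        if pattern and not pattern.fullmatch(value):
            errors[name] = "bad format"    # anything outside the allowlist, e.g. markup
            continue
        if "choices" in rules and value not in rules["choices"]:
            errors[name] = "not an allowed value"
    # Fields the application did not expect are rejected rather than ignored.
    for name in form:
        if name not in FIELD_RULES:
            errors[name] = "unexpected field"
    return errors

def render_comment(comment: str) -> str:
    """Output encoding: even validated free text is HTML-escaped before it
    is placed in a page, so it can never be interpreted as markup or script."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"
```

Validation with an allowlist rejects malformed input outright, while escaping on output neutralizes whatever free text is legitimately accepted; both checks belong in the design, not bolted on afterwards.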
Companies that fared best in the @stake examination tended to focus early in the design process on user authentication and authorization, to distrust all user-submitted data by default, to encrypt sessions end-to-end and data even while it is at rest, and to emphasize security quality assurance.
The complete @stake report, titled “The Security of Applications: Not All Are Created Equal,” is available at: http://www.atstake.com/research/reports/index.html#atstake_app_unequal.