Vulnerabilities / Threats
9/22/2011
10:23 AM
50%
50%

Web App Attacks Rise, Disclosed Bugs Decline

Mismatch between vulnerability disclosures and actual number of new vulnerabilities strengthens case for using Web application firewalls and virtual patching.

The number of Web application vulnerabilities being reported in commercial applications declined by 25% from mid-2010 to mid-2011. There's only one problem: Analysis of new Web applications at the source-code level finds that the number of new vulnerabilities isn't actually declining.

Those findings come from a study released last week by HP's Application Security Center Web security research group, which is based on its source-code-level scans of 236 Web applications. It found that 69% of those applications had at least one SQL injection vulnerability, and 42% had cross-site scripting vulnerabilities.

As those results demonstrate, whatever the mismatch between reported vulnerabilities and still-unspotted bugs, there are plenty of errors for would-be attackers to exploit. "The number of vulnerabilities that are in existence in applications that we are scanning is just astronomically high," said Jennifer Lake, security product marketing manager for HP Networking, in an interview. Furthermore, attackers are exploiting them at an increasing rate. Indeed, HP saw a 26% increase in attacks--from mid-2010 to mid-2011--against Web applications.

[Will Windows 8 signal a death knell for third-party security software? Windows 8 Gets Security Overhaul.]

With more attacks, but fewer disclosed vulnerabilities, what can businesses do to better root out Web application bugs and block related attacks? Ideally, Web application vulnerabilities would be expunged from development code before the applications ever went into production or got sold. But getting tough on code errors--for example, to prevent SQL injection attacks--would mean having to rethink current development practices, upfront project cost, as well as time-to-market considerations.

"The primary reason we have SQL injection vulnerabilities is because application developers will construct a SQL statement on the fly. In really formalized application development, you usually have things like stored procedures that you would use to query the database, and those would be installed onto the database server," said Dan Kuykendall, co-CEO and CTO of NT OBJECTives, in an interview. "But for rapid application development, it's much more convenient for the developer to construct a SQL statement on the fly. That way he doesn't have to worry about the database admin and updating the stored procedures."

A related issue is that developers typically concatenate strings together. "The problem is that it then becomes difficult to validate the input," he said. For example, if the developer building a Web page uses a string such as "product.aspx?id=5"--which queries a database table for the product with the ID of "5"--then the developer should build the application to ensure that any such query can only be used to call a number. Otherwise, an attacker could rewrite the string to include other types of SQL statements, which might let the attacker crash the application or retrieve information from database tables.

"All of this could have been mitigated from the scratch by using a stored procedure, because then you're just serving values, and the SQL server will take care of it. The core problem is that people don't use stored procedures," said Kuykendall. Furthermore, a normal-size application may have 1,000 such SQL statements, all created on the fly. Meanwhile, the application will evolve, and developers move on. Meaning that over time, the potential for vulnerabilities keeps multiplying.

Accordingly, many businesses turn to Web application firewalls, to provide a layer of defense that uses signatures to watch for attack payloads. "The problem is the Web application firewall ... has a lack of knowledge about the application that it's protecting," said Kuykendall. As a result, many Web application firewalls users experience enough false positives--warnings about attacks that really aren't--that they choose to use the firewalls in alert-only mode, thus logging the potential attacks but not actively blocking them.

To help, multiple security vendors--including HP, IBM, and NT OBJECTives, among others--sell Web application scanners that run on the premises or in the cloud. These scanners automate the otherwise laborious process of identifying vulnerabilities in Web applications and then producing customized signatures to be loaded onto commercial and open source Web application firewalls that block the vulnerabilities. Such signatures could--per the previous example--ensure that any product ID request that doesn't include a number gets blocked outright, since it suggests that the application is being attacked.

Some businesses use virtual patches in lieu of the signatures that ship with Web application firewalls. "We have some customers that are purely using our filters, so they've turned off all the default filters, and that's an acceptable risk to them," said Kuykendall.

Ideally, virtual patches would be a short-term fix, buying developers time to fix the vulnerability itself in the application. That process--application development, quality assurance, production testing--takes time. But not every commercial Web application software developer or business that creates custom applications will fix its code in a timely manner. Furthermore, even if a business keeps its own code clean, third-party code predominates, and that's impossible to fully police. Accordingly, don't expect the practice of virtual patching to go away, anytime soon.

SaaS productivity apps are good to go--if you can get past security and data ownership concerns. Read all about it in the new, all-digital issue of InformationWeek SMB. Download it now. (Free with registration.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.