
Web-App Phobia

Multiple conditions have turned Web applications into a much riskier proposition

5:55 PM -- I've often thought there are only a handful of people doing most of the security research that gets published. Last week that seemed to be the case. Adobe's PDF reader is a ubiquitous browser plugin; its user base is so large that it frequently ships pre-installed on new machines. Unfortunately for Firefox users, it suffered a huge blow a few weeks ago when Stefano Di Paola and Giorgio Fedon disclosed a cross-site scripting vulnerability at the Chaos Communication Congress, the Chaos Computer Club's conference in Germany. (See When Your PDF Reader Turns on You.)

At first it was a low rumble, with only a few people taking note of the flaw, which at the time made any Website that hosted a PDF file vulnerable to an XSS attack. Then the security community picked up on it and it became explosive. Adding insult to injury, I then found a location on the local drive that, using a vulnerability in QTL files, can be exploited to give an attacker local-read access to the computer in question.

JavaScript malware is the new enemy. For the first time I am seeing network security people raise their heads and look at the Web application security world with fear in their eyes. It's true: for the first time in a long while, network security is virtually powerless to fix a security problem.

Antivirus companies, anti-spyware companies, browser vendors, network security companies, and in-house Web development staff all have a role to play in fixing these issues, but the brain trust is limited. According to Jeremiah Grossman, approximately 6,675 Web application security professionals are needed to complete PCI compliance alone, while in actuality only hundreds to low thousands are qualified to do source-code auditing. Only a small handful of those are actually doing research.

That means that for every new developer entering the workforce there is even less security brain trust per line of code written, because all the available Web application security engineers are being paid to get companies into compliance. And that means more and more buggy code will make it to production, and the vulnerabilities will be more severe.

Things just aren't scalable right now. Demand has overwhelmed the supply of talented Web application security experts. I too have been tapped to help with compliance contracting, drawing yet one more researcher away. Unfortunately, research doesn't pay the bills the way a company that's about to be fined by Visa for failing compliance does.

On top of that, more applications are becoming Web enabled (the major reason for the PDF vulnerability was the inclusion of JavaScript support in the reader). You will see more chat clients that are Web enabled, more authoring tools that connect to the Internet, and so on. I have even seen QuickBooks connect to the Internet to send email. If accounting software already connects to the Internet, there is no stopping the trend. DHTML malware will continue to be the fastest-growing threat, especially without professionals to detect and stop it.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading
