By Professor Howard A Schmidt, Director of Fortify Software.
The golden age of hackers and cybercriminals driven by a desire to embarrass website owners or cause mindless e-vandalism is hopefully a fading memory. Today, e-crime is the domain of organised gangs, often from countries that are difficult to get help from, with a sole motive – to steal money and goods. Cybercrimes, and the cybercriminals that perpetrate them, have evolved. To protect the organisation from today’s attack, methods and attitudes must evolve too. According to Gartner, 75% of security breaches are due to flaws in software.
One of the major security problems faced by organisations today is that the business applications needed to run the business are also the very applications making it insecure. Cybercriminals have identified this and are now focusing all their attentions on application-layer vulnerabilities. It’s a problem that simply can’t be ignored.
The main target of cybercrime today is e-commerce web sites and the customer databases behind them: databases that hold credit card numbers, expiry dates, PINs, addresses, and everything else that’s needed to empty a victim’s bank account. Their operations are so slick that stolen data is exploited within seconds of it being submitted by unwitting victims. A total of 143,757,645 database records have been reported to have been exposed since 2005, yet many incidents go unreported and unnoticed.
The big growth in e-commerce right now is in the use of web-based applications to replace traditional over-the-counter or telephone-based transactions. Primarily those applications have been put together as quickly as possible with the main aim to get a working system up and running, often without sufficient thought given to the security implications.
Since Microsoft and other vendors made security a priority six years ago, operating system and network-layer vulnerabilities have become harder to find. Of course weaknesses still exist, but they’re more frequent in the application layer, predominantly in Web 2.0 applications. That said, exploitable errors can appear in any type of code; however, Web 2.0 apps, which companies are increasingly reliant upon, tend to be particularly vulnerable when not coded with security in mind.
Another problem, confirmed by the Quocirca report, is that Web 2.0, or Ajax, applications tend to rely on a large number of modules and higher-level interaction than traditional programming languages, adding complexity and increasing the possibility of programming errors. The report states: "The large number of small modules also makes Ajax more vulnerable to attack as it increases the overall attack surface, with each request for information and response representing a potential attack vector."
The research firm conducted its study in December among 250 senior IT executives in Germany, the United Kingdom, and the United States. It found that among respondents developing Web 2.0 applications, "a significant number are reporting that they are encountering vulnerabilities that are specific to new programming languages and this can actually increase the overall number of vulnerabilities to which the organisation is exposed."
A firewall will happily let someone access an insecure Web application if they meet all the criteria for being allowed in. Surely this can’t be allowed to continue. We need to focus our efforts into building secure applications in the first place, which can’t be compromised. Perhaps the decision on whether someone should be allowed to use an application should be based on whether that app is secure, not on the user’s IP address or the port they’re trying to connect to.
As the move to online applications expands beyond online shopping, the need for secure applications will become even more important. If an e-voting application allows someone to vote twice if they enter a couple of thousand random characters as their surname, a firewall isn’t going to help.
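The point of the firewall-versus-application argument above can be made concrete with a small model. The following is an added example, not code from the article or from Fortify: it pairs a hypothetical network-layer rule (an IP allow-list) with hypothetical application-layer rules (a bounded, character-restricted surname and a one-vote-per-voter register) so that a request the firewall is perfectly happy with is still rejected where the real check belongs. All addresses, limits and identifiers are constructed for illustration.

```python
"""Added example: a network-layer allow-list cannot make up for missing
application-layer validation. Everything here (the IP range, the surname rules,
the voter register) is hypothetical and constructed for illustration only."""
import ipaddress
import re
from dataclasses import dataclass, field

# Hypothetical "firewall" rule: only this source range may reach the application.
# 203.0.113.0/24 is a documentation range, used here as a constructed value.
ALLOWED_NET = ipaddress.ip_network("203.0.113.0/24")

# Hypothetical application-layer rules: a length bound and a character class.
MAX_SURNAME_LEN = 64
SURNAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]*$")


def network_layer_allows(src_ip: str) -> bool:
    """All a packet filter can decide: is the source address permitted?
    It knows nothing about what the request will do inside the application."""
    return ipaddress.ip_address(src_ip) in ALLOWED_NET


def validate_surname(surname: str) -> bool:
    """Application-layer input validation: reject over-long or malformed names
    before they reach any business logic or storage."""
    if not 1 <= len(surname) <= MAX_SURNAME_LEN:
        return False
    return SURNAME_RE.fullmatch(surname) is not None


@dataclass
class Ballot:
    voter_id: str
    surname: str


@dataclass
class VotingApp:
    # Register of voter IDs that have already cast a ballot (in-memory stand-in
    # for whatever durable store a real system would use).
    voted: set = field(default_factory=set)

    def cast_vote(self, ballot: Ballot) -> str:
        """The business rule the firewall cannot enforce: validated input and
        at most one ballot per voter."""
        if not validate_surname(ballot.surname):
            return "rejected: invalid surname"
        if ballot.voter_id in self.voted:
            return "rejected: already voted"
        self.voted.add(ballot.voter_id)
        return "accepted"


def handle_request(app: VotingApp, src_ip: str, ballot: Ballot) -> str:
    """Full path of one request: network check first, application check second.
    A permitted address only earns the request a hearing, not acceptance."""
    if not network_layer_allows(src_ip):
        return "blocked by firewall"
    return app.cast_vote(ballot)


if __name__ == "__main__":
    app = VotingApp()
    # Constructed requests: a legitimate ballot, a repeat from the same voter,
    # and a 2,000-character "surname" from an address the firewall allows.
    print(handle_request(app, "203.0.113.10", Ballot("V1", "Schmidt")))
    print(handle_request(app, "203.0.113.10", Ballot("V1", "Schmidt")))
    print(handle_request(app, "203.0.113.10", Ballot("V2", "x" * 2000)))
    print(handle_request(app, "198.51.100.10", Ballot("V3", "Smith")))
```

The third request is the one the article has in mind: it comes from an allowed address, so the network layer passes it straight through, and only the application's own length and character checks stop it. Moving the one-vote-per-voter rule into `cast_vote` rather than relying on anything upstream is the design choice the paragraph argues for.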
As cybercriminals continually up their game, the securities and futures industry in the US recorded, in 2007, a 150% annual increase in the amount of suspicious activity detected on its systems. During the same period, research carried out at the University of Maryland found that a computer system connected to the internet was typically subjected to an attempted hack every 39 seconds.
So how can we make our web-based applications more secure? Historically, software developers have been so immersed in trying to make the software bug-proof and resilient that they have not focused on the security side. It is now time to change this approach. To illustrate the point, I can buy a jacket with a tag that identifies that inspector number 16 has checked the item for imperfections — I can’t get a similar certification for code.
More effort is needed to design secure applications, and to use proper procedures (as well as automatic software solutions) to test them. A 2007 report from NTA Monitor found that 90% of UK-based company websites harboured at least one weakness that could allow hackers to gain unauthorised access. The same research also found that a third of those websites exhibited vulnerabilities which are known to, and used by, cybercriminals across the web. No doubt the hacker community has been busy discovering how to exploit the other two thirds.
Using automated security tools when developing software lowers the overall cost of IT security. The US government has listened to this argument and has concurred, with many federal agencies now starting to demand code analysis, and I wouldn’t be surprised to see a move to independent labs validating code in the future.
Referring back to Quocirca’s study, commissioned by Fortify, it revealed that "Over 10 per cent of U.K. respondents spend more than 15 per cent of their IT budget on security — but are the least likely to use automated tools for application security. Conversely, 96 per cent of German organisations spend less than 10 per cent of their IT budgets on security and make the most use of automated tools for building security into applications during the early stages of the software development life cycle."
The internet is here to stay, and so is internet crime. As the relentless move online by all sorts of business and government agencies continues, e-crime will carry on evolving. With more coffee shops and libraries offering free, anonymous WiFi access, tracking down cybercriminals will get harder. As hackers evolve, so must our efforts to defeat them. Automated security tools are the best way to reduce application-layer vulnerabilities.
We now know what to do and how to do it; we just have to get it done.