Why Are Web Applications a Security Risk?
The CTO of Qualys explains how the shift from traditional to Web applications will require developers to raise their security games.
As users have moved more of their activities to the Web, fraudsters have followed, devoting more of their attention to creating security threats based on Web applications. The shift from desktop-based threats to Web-based threats is changing the way modern IT security needs to be implemented and managed.
Web applications by definition are accessible over the Web and the HTTP protocol. So they present more security challenges than desktop applications, which are far less accessible and typically have their own unique file formats.
In an in-depth interview with eSecurity Planet, Qualys CTO Wolfgang Kandek, detailed his views about the current state of the Web application security landscape. While Web application threats and attack vectors are for the most part well known, fixing problems isn't always easy.
The Web Security Challenge
"Web application security is much more challenging than infrastructure," Kandek said. "With infrastructure, we usually can say you have a problem and here is the patch for it."
In contrast, there is typically no easy or quick fix for the custom-coded Web applications Qualys sees from many of its customers. Fixes for custom code involve more time for quality assurance. Qualys is currently working on a solution for that issue with a Web Application Firewall (WAF) product to bridge the gap in time between vulnerability detection and patching.
The top Web application vulnerabilities occur and re-occur time and again, Kandek noted. Items such as Cross Site Scripting (XSS), SQL Injection (SQLi) and file inclusion are common vulnerabilities and show up frequently. In his view, the majority of Web application security problems can be solved by applying well known security technology approaches.
Protecting Developers from Themselves
"The technology is there, the education is not there," Kandek said.
He said many developers develop code without security in mind. This isn't the developer's fault, however, as he or she must contend with lots of competing pressures and components.
It would be difficult to entirely insulate developers from their own security-related missteps, Kandek said. Developers must be educated on how to code securely.
That said, Kandek added that companies can have an application architecture where components that have a security risk are written by security experts. Application code could then communicate through a well defined and properly secured API.
"We can do Web Application Firewalls and they can help, but they aren't a final solution to the problem," he said.
Virtualization and process sandboxing approaches also aren't necessarily a great way to boost Web application security.
"If I want your data and the Web application has access to the data, there is no sandboxing or virtualization that will help you against that," Kandek said. "If my objective is to control the machine and the Web application has a vulnerability, then these measures might help and prevent me from abusing the vulnerability to exercise control over the machine."
Web applications can be hosted on multiple types of operating systems, including Linux and Microsoft Windows. According to Kandek, both Windows and Linux have their share of security concerns.
On Linux, SELinux provides a form of mandatory access control that can lock down applications. While that can be helpful for thwarting system level attacks, SELinux might not help if all the application is trying to do is get at data, Kandek noted.
"I see SELinux as good security infrastructure measure, and it helps a lot for people that are trying to take control of the machine that the application runs on," Kandek said.
In addition, PHP on Linux has a reputation for being an easy development language, meaning it may also be easy to write insecure code.
Older Microsoft technologies often had issues with ASP pages, Kandek said.
Sophisticated Web Attacks
From a big picture perspective, Kandek worries about the challenge of facing attacks from more sophisticated adversaries. In the fight against more advanced threats, it's imperative to take a holistic look at the attack surface and have sophisticated log analysis capabilities.
"So if you have your infrastructure hardened and your applications are well developed, then it would make sense to invest in a team that looks through the logs and tries to find patterns in there," Kandek said. "The tools are becoming available in that area, but I don't think they are easy to use yet and they require trained users."
Watch the full interview below:
By Jeff Goldman
June 15, 2012
The QualysGuard Private Cloud Platform is sold on an annual subscription basis.