
List:       websecurity
Subject:    Re: [WEB SECURITY] Justification for Web Application Security Programme
From:       Jeremiah Heller <jeremiah () itmustbe ! com>
Date:       2010-01-22 22:43:26
Message-ID: 4B5A2A0E.8050303 () itmustbe ! com

Hi all, long-time trawler, first-time writer.

I also agree w/ the sentiments here. I don't think that automated 
scanners will do much though, perhaps if they were more accurate and 
could guarantee that no more than 5-10% of results are false positives.

Installing insecure scripts is a relatively minor issue if people 
installing them don't understand fully what they are doing. It is just 
as easy for them to install a script written by a potential attacker. 
This potential attacker would likely secure their script from attack to 
prevent other attackers from moving in on their turf.

Requiring business-site owners to buy an add-on with their hosting 
package would likely give the site-owner pause as they consider whether 
they really need to work with this company. I think the common 
perception among potential customers of such a company would be that the 
company was simply trying to nickel and dime them to death.

In my experience, most people setting up a web-presence for the first 
time believe that it is like most commodities. You pay for it and you're 
set. First-timers (again, ime) are rather focused on the business-side 
of things (keeping costs down, moving quickly, building customer-base), 
believing that they can clear further hurdles at a later time when needs 
arise - smart business, right? Just not smart tech-based business.

They do not understand that this technology-stuff is all still very 
experimental. I believe many expect it all 'to just work', especially if 
they've paid money for it.

Without legislating or otherwise regulating the hosting companies or the 
hosting customers I doubt any hands can be forced in this arena. Making 
profits is of more interest to most hosting companies than is providing 
& maintaining a secure environment. A minimal level of security is 
necessary because the hosting company would otherwise go out of business 
in responding to/recovering from hacks. Protecting each individual site 
hosted is difficult to say the least. Automated scanners, WAFs and the 
like all require a bit of knowledge about the site they are 
scanning/protecting and it's not like the hosting company and hosting 
customer can sit down and come up with a risk analysis.

That said there are common attacks that most sites face. These can be 
blocked rather easily with a WAF. Server-wide monitoring is also rather 
easy w/ a decent HIDS. These tools, combined w/ other basic ideas like 
system/service hardening, rootkit/virus scanners, patching and 
due vigilance can provide a decent blanket which hosting companies can 
use to protect their customers without charging for add-ons or needing 
to know what each customer's site is about (assuming the WAF protects 
against generic attacks).

Even then, there is still the risk of successful attacks, particularly 
by way of hosting customers' personal PCs. Site credentials (e.g. FTP, 
SSH, basic-auth) are relatively easy pickings if the hosting customer 
runs ineffective or outdated AV software, or simply visits a malicious 
or compromised site.

Which brings it all back to educating the user-base. The problem (I 
believe) is that the user-base in general likes being a user-base and 
isn't that interested in the nuances of computer/network security.

If there were a single strategy that would solve even a minimally 
significant number of security issues for all sites everywhere, then I 
believe hosting companies would adopt it on their own, assuming they 
were aware of it and the benefits of deploying it outweighed the costs 
of implementation and maintenance.

Not all (hosting) companies are created with the intent of serving the 
public good. This was required by law some 50 years ago in the US but no 
longer. Some will foster practices which provide quarterly growth even 
if this erodes the security/sustainability of the industry - in other 
words, buyer beware. If a buyer is to beware then they must have some 
awareness of the situation they are entering into. Barring that they 
must have the desire to become aware of the new situation. Barring that, 
they will be a likely mark for predators. This goes for hosting 
companies and customers alike.

So my answer to the question would be by:
- continuing to raise awareness within the public consciousness,
- sharing information out between researchers, vendors and providers on 
recent, current and potential attacks and mitigation techniques,
- pretty much keeping on doing what's being done and improving on it.

Raising awareness w/in the public consciousness is probably the least 
addressed as I see things. If the general public were aware enough to 
ask more than "do you scan for virii" I believe more hosting companies 
would be forced to address the issues of site security. Automated 
scanners have provided an easy way-out for many site-owners/hosting 
companies, since customers assume they are secure if the 'security 
badge' shows up on the site.

It also doesn't help matters that banks don't really mention PCI much 
when a customer of theirs opens a merchant account. I've experienced 2 
such institutions who mentioned PCI in passing, then blew it off when 
pressed, saying stuff like "oh that's not very important". Of course the 
bank doesn't dare educate their merchant customers too much as the cost 
of achieving PCI compliance would prohibit many small businesses from 
processing cards.

Curious what other experiences are...

On 1/22/10 8:41 AM, Schmidt, Chris wrote:
> I agree, but in today's world it really isn't a reality.
> 
> Most "Ma & Pa Shops" will have a friend or family member help them get set up with
> cheap hosting, and a simple web page. The friend or family member will often google
> for how to build a contact us form, or a simple shopping cart script for the
> website and plug it into their website without really knowing what it is the code
> is doing. Should they be expected to? No, absolutely not. We live in a world where
> anyone with $5 in their bank account can bring up a web site in 10 minutes, and
> there is really nothing wrong with that world.
> 
> The answer is that the hosting companies need to ensure that the *basic* sites
> hosted on their servers are not vulnerable to things like the OWASP Top Ten.
> Provide an add-on service to business customers that is a requirement of having a
> hosted site to scan their site regularly for vulnerabilities.
> 
> I don't want to make any numbers up, but I would be willing to bet that a very
> large percentage of compromised websites are small, simple, hosted sites using
> scripts downloaded from random script repositories on the internet. I am sure WASC
> could provide some interesting statistics around this statement.
> 
> The question is, how do we, the Application Security Community, force the hands of
> the hosting companies to implement the strategy into their *BASIC* services? It is
> as much for their benefit as it is the benefit of their clients, as a compromised
> site most of the time will give the attacker some type of shell access (whether
> that be from an uploaded r00tkit or from something like C99).
> 
> Thoughts?
> 
> -----Original Message-----
> From: Mcgregor, Robert Todd (Rob) [mailto:robert.t.mcgregor@verizon.com]
> Sent: Friday, January 22, 2010 7:14 AM
> To: websecurity@webappsec.org
> Subject: RE: [WEB SECURITY] Justification for Web Application Security Programme
> 
> I would say "NO" to this as all systems should be secured. All systems should in
> fact be properly secured, including the smallest of businesses as well as the users
> that feel their systems will never be a target, in order to ensure their systems are
> not used as a cuckoo's nest. In other words, if a network or user felt their system
> was not any sort of target, that is quite incorrect, and they may fall victim to someone
> storing child porn on that target system; I have personally investigated this very
> type of issue. Any good hacker or criminal will not store their images or criminal
> activity on their own computer; rather they will find other servers and systems to
> cuckoo thru. This will lead the authorities to the victim system rather than the
> criminal's system.
> 
> It is an older book to read, however a good read at that, titled The Cuckoo's Egg:
> Tracking a Spy Through the Maze of Computer Espionage.
> Hope this helps and makes sense.
> 
> Cheers,
> [Rob] Robert T. McGregor, CISSP
> 
> 
> -----Original Message-----
> From: Bil Corry [mailto:bil@corry.biz]
> Sent: Friday, January 22, 2010 1:37 AM
> To: websecurity@webappsec.org
> Subject: Re: [WEB SECURITY] Justification for Web Application Security Programme
> 
> spawn of soul calibur wrote on 1/20/2010 10:45 PM:
> > Does anyone have any idea on a good justification?
> 
> There were a lot of interesting answers. I'm curious if there is ever a valid
> justification for NOT implementing a webappsec program (assuming they have a web
> presence of some sort)? For example, does Grandma selling cookies through eBay
> need a webappsec program?
> 
> - Bil

