Code Red, Nimda, and SQL Slammer are three of the most well know worms that had a massive impact on the Internet. The industry has considerably improved since then, and it’s much harder to target operating systems in the past few years. Automated patching, vulnerability scanning, sandboxing, compiler, and memory management techniques improved by adding a layer of security and making exploit writing harder. A straightforward and easy to vulnerabilities in the infrastructure are almost non-existent and even when found the level of complexity required to exploit it on multiple systems reliably had grown exponentially.
Threat actors do not stand still
The threat actors are evolving as well. The traditional hacks for fun and profit, a.k.a. see how far we can spread this thing are few and far between. There are more sophisticated attackers nowadays whose goal is financial gain, and the Web is the perfect place for this. There are all sorts of sensitive personal and payment information processed, transmitted and stored by Web applications. I am sure that your personal data is there on some Web application right now.
Old problems in a new world
The widespread of web apps means new propagation channels for next generation of malware or worms. A growing number of popular websites with good reputation become compromised with the site owners having no knowledge of it. The site is then used to launch drive-by attacks where the malicious code on the web site attempts to covertly install malicious code on computers of visitors to the site.
The low hanging fruit
Software teams are turning to agile software development methods to improve velocity and deliver results quickly. Agile methods should generally promote a disciplined project management, but the reality is quite different. Web applications are put together in a rush with little attention given to security and defensive programming. A whole new ecosystem of web frameworks has sprung up to existence that prioritises quick results and ease of use over security. Many applications are so exposed that an attacker requires only very simple file inclusion exploits. That’s the reason why some people are exploiting them rather than targeting the underlying infrastructure. It only takes minutes to understand a typical web application’s coding errors. By nature, web applications to be successful must be indexed by Google and other search engines. It is a double-edged sword. A simple search for vulnerable installations may reveal more candidates with a similar vulnerability. In just a few minutes, an average attacker with little talent and even less time can compromise a typical web application.
No silver bullet for AppSec
There are no silver bullets for ensuring web application security. No amount of network hardening, platform auditing, or vulnerability scanning can compensate for bad programming. Understanding the limitation of any automated application security tools is also essential. Tools like SAST, DAST and IAST are not technically capable of finding the types of vulnerabilities found by penetration testers or your QA team. Automated tools are not capable of identifying access control flaws or business logic issues. Robust application security is essential to the long-term survival of any organisation. Application security begins with secure coding and design, continues with security activities embedded in the software development lifecycle and is maintained over the life of the software.
It takes skill and manpower to design, review and test web applications. I’m afraid there are no shortcuts, it’s twisty and hard-to-follow route to success.