Why does Web App Security Continue to Stink?

Monday, February 21, 2011

Andy Willingham


Everyone and every company has a web site nowadays. Some are professionally done, some are made from DIY kits provided by the hosting provider, and some are done from scratch by someone who claims to know what they are doing.

It doesn’t seem to matter who built the site; almost all of them have one theme in common: insecurity.

A joint survey and report by Barracuda Security, Cenzic and the Ponemon Institute, released earlier this month, confirms what we already knew: web app security is still in the toilet. It’s high on everyone’s list of priorities, but little is being done that actually makes a difference.

OK, so that’s not exactly a fair comment. Lots of things are done that do make a difference, but they only solve part of the problem. The problem is epidemic and multi-faceted. When you look at some of the numbers, it’s enough to make you get angry, cry and pull your hair out all at once.

I have my own opinion of why web app security is so dismal. It’s due to lots and lots of factors:

  1. Poor development and coding.
  2. Reusing insecure code.
  3. Inadequate testing.
  4. Improperly configured web sites.
  5. Improperly configured web servers.
  6. Improperly configured network devices.
  7. Insecure architecture.
  8. Lack of policies around all of the above.
  9. Lack of understanding of the risk by management, IT and even those responsible for security.
  10. Lack of understanding of the effectiveness of controls.
  11. Only doing enough to “check the box”.
  12. Following the advice of a consultant or vendor who doesn’t take the time to truly understand your needs.
  13. Buying a solution that is sold as the “answer” to your security problems.
  14. Relying on your hosting provider to take care of security.
  15. Not using defense in depth.

This list isn’t comprehensive, but it covers a lot of the bases. A lot of the security issues arise out of a lack of understanding of the problem and out of assuming that someone else’s advice (a consultant’s, a vendor’s) is going to keep you secure. It’s also because companies are rolling out web-based applications faster than they realize.

When you don’t even know how many web apps you have, you have bigger problems than not knowing how to secure them: you have process and procedure problems that need to be addressed. When you are deploying web apps at a rate that outpaces your ability to secure and monitor them, you have resource issues that need to be addressed. If you have resource issues, then you probably also have a skills and training issue that needs to be addressed.

Security isn’t so hard that it can’t be done; it’s just that it’s not treated as important enough to be addressed seriously. It has been ignored for so long by so many that the problem has gotten out of hand. A company that brings security into the picture only after the network is in place, the apps have been deployed, and now web apps are being deployed is already way behind the curve, and playing catch-up is never easy. It requires changes that may well break things. It requires money and inconvenience for users.

So what’s the answer? It’s not easy, and unfortunately it requires lots of time and patience. It slows the release of new features and endangers deadlines, things that most companies are not willing to put at risk. It requires that we spend money in places that provide no tangible returns. It requires that we change the mindset of the organization and of our users.

Ultimately, short of starting everything over and doing it right, the answer lies with each of us doing what we can to secure what we are responsible for and to educate ourselves and those we work with. Create an agenda and a plan, and work with management, the business, IT and your own security team to ensure that all are aware of the real problem and that all work together to make it better.

Cross-posted from: http://www.andyitguy.com/blog/?p=982

Ben Keeley: This is spot on - 'When you don’t even know how many web apps you have you have bigger problems than not knowing how to secure them. You have process and procedure problems that need to be addressed. When you are deploying web apps at a rate that outpaces your ability to secure and monitor them then you have resource issues that need to be addressed. If you have resource issues then you probably also have a skills and training issue that needs to be addressed.' which I fear may be true of many an enterprise.

Also think the problem (from a technical point of view) is developer education. Have been shocked to hear web developers say they are not aware of http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project or, worse, of the education facilities OWASP provides on developing secure web applications...