Comment: Web Vulnerabilities – Vector of Choice

Web security receives a relatively small proportion of IT security budgets, even though the web is emerging as a key vector for attack, says Maakaroun
Aziz Maakaroun, Outpost24

To say that the security threats facing businesses today are forever changing is somewhat of an understatement. While a few years ago, IT security headlines were dominated by lost laptops and email-aware worms, today’s media focus has shifted to stories about poor website and web application security.

Recent high-profile victims of hacks where the web was the attack vector include, among others, household names like Nasdaq and eHarmony. In Nasdaq’s case, cybercriminals exploited vulnerabilities in its “Director’s Desk” web application to gain access to sensitive materials, whereas eHarmony’s breach was caused by hackers using an SQL injection vulnerability in a secondary site – allowing them to steal username and password information.

While only a small proportion of users were affected in this second example, the potential of such a breach cannot be ignored. Indeed, the Ponemon Institute values the cost of a data breach at an average of £1.68 million per incident. However, this value does not take into account the further potential damage to an organization in terms of reputation and future business lost, let alone the risk of alienating current customers.

If global brands like these are falling victim to such attacks, you have to question how prepared other organizations are to meet this growing threat.

The Nature of the Threat

The rise of the web as a major vector of attack should be no surprise. Organizations’ growing reliance on the web – not just to provide a store front, but also to develop enterprise applications – means hackers have the widest possible choice of potential victims to target. Furthermore, while the open nature of the web makes it relatively easy to develop new applications, it also means that these programs are comparatively simple to exploit.

To put the size of this threat into some context, recent IBM statistics have revealed that web application vulnerabilities made up more than half of all vulnerability disclosures in 2010, with cross-site scripting and SQL injections emerging as the most common threats posed by such vulnerabilities.
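The two vulnerability classes named above are worth seeing side by side with their fixes. The following is an added example, not code from the article or from Outpost24: a constructed in-memory SQLite user table, a string-concatenated lookup beside its parameterised form, and an unescaped HTML template beside one that escapes user input. The table contents, the `demo()` helper and the probe strings are all constructed for illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """SQL injection: user input is spliced into the query text, so it is parsed as SQL."""
    query = (
        "SELECT username, password_hash FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Hardened form: the value is bound as a parameter and can never change the query's structure."""
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchall()


def render_greeting_vulnerable(name):
    """Cross-site scripting: user input is placed into HTML unchanged."""
    return f"<p>Welcome, {name}!</p>"


def render_greeting_safe(name):
    """Hardened form: html.escape turns markup characters into entities before output."""
    return f"<p>Welcome, {html.escape(name)}!</p>"


def demo():
    """Run both lookups and both renderers against constructed hostile inputs and report the outcome."""
    conn = make_db()
    # Constructed probe: closes the quoted literal and appends a tautology.
    sql_probe = "' OR '1'='1"
    vulnerable_rows = lookup_user_vulnerable(conn, sql_probe)
    safe_rows = lookup_user_safe(conn, sql_probe)

    # Constructed probe: a script tag that must not survive into the page as markup.
    xss_probe = "<script>alert(1)</script>"
    return {
        # Vulnerable query matches every row, so both password hashes come back.
        "vulnerable_row_count": len(vulnerable_rows),
        # Parameterised query looks for a user literally named "' OR '1'='1" and finds none.
        "safe_row_count": len(safe_rows),
        "unescaped_contains_tag": "<script>" in render_greeting_vulnerable(xss_probe),
        "escaped_contains_tag": "<script>" in render_greeting_safe(xss_probe),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a budget discussion is that neither fix costs anything at runtime: parameter binding and output escaping are the default in every mainstream database driver and template engine, and a scanner's job is largely to find the places where a developer has bypassed them.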

Locking the Gate After the Horse Has Bolted

Another reason why hackers choose to exploit web vulnerabilities is that companies continue to weight their security investments in favor of reactive security measures – for example, intrusion detection, anti-virus software and encryption. While there is no arguing that these products are absolutely fundamental to enterprise security strategies, they fail to proactively address the new wave of web vulnerabilities affecting systems today. In contrast, web security receives a relatively small proportion of IT security budgets, even though the web is emerging as a key vector for attack.

To improve their defenses, it is clear that organizations need to redress the imbalance between the risks posed by poor web application security and the resources spent proactively spotting and remediating these vulnerabilities.

The Cloud As the Solution

The big question that remains is how organizations can fund these new deployments from already stretched security budgets. A recent Gartner report has indicated that organizations will be able to reduce their security budgets by as much as 6% during 2011, but only if they have ‘very mature and recently updated’ security systems. If other organizations want to achieve similar savings, the key will be to stay on top of current security threats, such as web application vulnerabilities, before they escalate into full-blown and expensive breaches.

Cloud-based web application scanners have a crucial part to play in minimizing the risk posed by web server flaws, as well as the more high-risk and complex threats found within web applications. Designed to test for vulnerabilities in web application software, such products mimic the role of a malicious hacker, looking to exploit weaknesses in system architectures. Reports are generated detailing any flaws found in the system, and what can be done to remedy them. Referring to a database of known vulnerabilities that is constantly updated, web application scanners provide a much-needed additional layer of security for companies looking to protect themselves from all types of vulnerabilities.

In addition, cloud-based solutions are easy to scale and deploy, and can be continuously updated – making it all the more surprising that organizations like Nasdaq and eHarmony had no (or not entirely effective) testing systems in place. This flexibility is in stark contrast to the traditional approach of manual testing that is carried out by white-hat hackers. Not only is this costly and time consuming, it is typically only carried out annually, leaving long periods when companies are dangerously exposed to new vulnerabilities. Web application scanners therefore provide the flexibility for organizations to run scans on a regular basis. By using a combination of manual and automated testing, organizations are provided with the most comprehensive protection.

Ultimately, all companies must look for all possible points of weakness in their systems, running internal and external network scans as well as routinely assessing the security of web applications. This proactive scanning is a crucial part of the security ecosystem that modern companies must deploy if they are to avoid costly and reputation-damaging security breaches. To overlook this vital part of a company’s security infrastructure is potentially to leave the door wide open to attack – an issue companies would be wise to avoid.


Aziz Maakaroun is business development director at Outpost24, a global leader in vulnerability management. Maakaroun is a managing partner and a founder of Outpost24 UK, and has been with the company since 2002.
