This is an archive post from the Netsparker (now Invicti) blog.
Please note that the content may not reflect current product names and features in the Invicti offering.
It's an old saying but it's been revived in information security circles lately: you have to find every security flaw but a malicious hacker only has to find one.
It's the harsh reality we face today, and it's at the forefront of web application security.
Underscoring the exposure, the Verizon 2013 Data Breach Investigations Report found that 78% of the intrusions they analyzed were considered low difficulty, which means "low hanging fruit" type web application vulnerabilities were exploited. Web-based attack vectors are going down according to Verizon – making up only 22% of hacking actions analyzed. However, the 2013 Trustwave Global Security Report found that web applications were the most popular attack vector, making up nearly half of all investigations. Whichever side you believe, the old saying rings true with our websites and web applications today: any given web system has a lot of moving parts, is most likely rife with flaws, and all a criminal needs is one way in.
As much as we'd like to think that our web environments are relatively simple, they're really not. Web environments are unique in that the attack surface is basically unlimited. From front-end perimeter security devices to the web server itself and on up to the database and application layer at the top, there's a lot of exposure. There are also a lot of people involved in any given web system, which further complicates matters. As much as management would like to think that their web environments contain nothing of value that hackers would want (an all-too-common assumption), they're woefully misinformed.
This very moment, your web-based systems (both in-house and those hosted/managed by third parties) are a hotbed for manipulation and exploitation. All someone with ill intent needs is to stumble across one of the many common flaws that plague a large portion of production, development, and test environments such as:
- Weak passwords that allow attackers to impersonate legitimate users and thus avoid generating alerts
- XSS and cross-site request forgery that can be manipulated to gain indirect access
- SQL injection that provides a direct path to the sensitive data stored in backend databases
- Content management systems that have never been tested for security flaws because it's assumed that others are taking care of them (for more on this, see our analysis "Are Hackers a step ahead? An analysis using web application vulnerabilities")
- Missing patches that can facilitate remote command prompt access to servers
- Firewall and server misconfigurations that can lead to denial of service attacks and other inadvertent exposure
A large number of these flaws are external-facing. Given that the Verizon report found that 92% of security incidents analyzed were perpetrated by outsiders, it'd behoove you to see what the world can see (and exploit) and make sure those web security holes are plugged. You also have to consider what else is happening in your internal web environment that goes undetected or unreported. There's probably a lot going on right under our noses.
Interestingly, more and more IT and development businesses are admitting that their environments have become so complex that not a single person fully understands all the moving parts. Some web systems are running that nobody can even say what they're used for. The bigger problem is that no one is willing to step up and fully account for the what, where, how, and why of these systems.
One thing is certain: web complexity is growing, especially as codebases evolve and business processes mature. Even moving to the cloud introduces its own variables into the security equation. Web complexity correlates well with web risk, and that's your biggest enemy. The question is: what are you going to do about it?