
THE TOP FIVE MYTHS OF WEBSITE SECURITY

A Focus on Small-to-Mid-Sized Enterprises Plus Recommendations to Help Your Security Managers, Business Managers and Software Developers Improve Your Website Security
January 2013 Jeremiah Grossman Founder and CTO WhiteHat Security

WHITEPAPER

Copyright 2013 WhiteHat Security, Inc.

THE BIGGEST MYTH ABOUT WHO'S NOT AT RISK FOR WEBSITE ATTACKS
Since this whitepaper was first published in December of 2011, you've probably seen headlines almost every day about new attacks against well-known commercial and industrial websites around the world. Actually, that's hardly news at all to companies in the business of providing Web security. What is new, however, is that so many of the attacks have been directed against small-to-medium-sized enterprises (SMEs). In fact, what we are now finding at WhiteHat is that hackers are focusing their attacks on SME websites, and that the SMEs under attack often believe in the same Top 5 Myths of Website Security that continue to plague the entire online industry. The main purpose of this whitepaper is to once again set the record straight: all commercial and industrial enterprises with a presence on the Web are now at risk of being attacked, with results that are often financially disastrous. Typically, SMEs are identified as organizations whose annual revenues total less than $500MM. And while the financial losses due to a Web breach at an SME may on paper appear less significant than a massive loss such as a recent Fortune 500 company's loss of at least $1.5 billion, the impact on a small-to-medium-sized company can be even more devastating. As an example, in September of 2012, Bitfloor, the top US Bitcoin exchange, suffered a security breach resulting in the theft of Bitcoins worth over $250,000. And while the Fortune 500 loss mentioned above was 6,000 times larger than the Bitfloor theft, the much smaller Bitfloor breach almost put the company out of business.[1] Why was this breach of security able to bring Bitfloor to the brink of "Sorry, We're No Longer in Business"? It happened because Bitfloor, as an SME, operates its entire business, including all of its customer service, via its Web applications. In fact, like Bitfloor, most SMEs conduct their business exclusively on the Web, and therefore must keep all of their applications secure 24/7.
A second instance of a mid-sized enterprise being hacked occurred in May of 2012, when the hacker group UGNazi stole thousands of passwords and credit card details from billing and customer support provider WHMCS. The company markets itself as "an all-in-one client management, billing & support solution for online businesses. Handling everything from signup to termination, WHMCS is a powerful business automation tool that puts you firmly in control." The attackers tricked the company's hosting provider into releasing administrator credentials, which UGNazi then used to access WHMCS's database and steal over 500,000 hashed customer credit card numbers and passwords, usernames and support tickets. That data, as well as WHMCS's control panel and its website information, was dumped online in a 1.7 gigabyte cache. Then, UGNazi tweeted links to the cache using WHMCS's own Twitter account, which the attackers had also hijacked.[2]

[1] http://thenextweb.com/insider/2012/09/28/after-250000-theft-bitcoin-exchange-bitfloor-reopens/
[2] http://www.esecurityplanet.com/hackers/whmcs-hacked.html

WHITEPAPER: TOP FIVE MYTHS OF WEBSITE SECURITY A FOCUS ON SMALL-TO-MID-SIZED ENTERPRISES | JANUARY 2013

INTRODUCTION
Hackers share a common characteristic with water: it is in both of their natures to follow the path of least resistance. Today the path of least resistance in the world of application security runs straight through the Web ports the firewall leaves open, including SSL (Secure Sockets Layer) traffic, because there's nothing past the firewall to protect the website and all the information residing on it. This lack of protection beyond the firewall applies to websites of any size, and to any number of sites a company may be supporting. Here's a quick description of how hackers view their world and yours: using almost any browser and a few simple tricks, they can penetrate a website, access the credit card database, and steal critical customer information and even a company's intranet data, without being detected and without leaving any trace.

APPLICATION SECURITY FORCES VS. INTERNATIONAL HACKERS: AN ONGOING BATTLE OF GOOD VS. EVIL
On the positive side, network firewalls and patch management are now standard practices at most SMEs, so their overall network perimeters have become increasingly secure. However, hackers have responded to this increased level of network security by focusing attacks on websites directly, in order to stay one step ahead of the latest security techniques. Confirming this shift toward attacking websites directly, the Gartner Group has reported that over 70% of cyber attacks now occur at the application layer. Even more alarming for SMEs, many of which have only the most basic Internet presence, is that WhiteHat Security now finds serious vulnerabilities on 8 of every 10 websites it assesses. Many of the website vulnerabilities we're currently discovering are well known, such as SQL Injection and Cross-Site Scripting. Less common methods of attack include Insufficient Authorization and Predictable Resource Location. What's certain is that, however familiar or unfamiliar a particular vulnerability may be to you, all of them pose serious security risks to almost every website you have.

TRADITIONAL SECURITY SOLUTIONS HAVE BEEN OVERTAKEN BY NEW METHODS OF ATTACK


When securing a network for SMEs, many security professionals still think immediately of firewalls, SSL, Intrusion Detection, and Anti-Virus (Figure 1) as components that can provide a complete solution to almost any Web security problem. And while it is true that these components can improve certain aspects of security, their impact on protecting an actual website is only marginal. For instance, contrary to popular belief, deploying a network firewall will not prevent a hacker from penetrating an unprotected opening in a website. To improve the overall security of the Web, we must dispel this false assumption, as well as many other widely held misconceptions. In other words, with new attacks aimed specifically at SME websites being generated every day, new security solutions are absolutely necessary. However, before presenting WhiteHat's recommendations for resolving the new security problems that every SME with an Internet presence (which is everyone) now faces, let's first consider five of the most common myths about website security:


Figure 1. Traditional Security Systems (diagram: Internet users reach http://server.com/webapp.cfm?id+999 through a firewall that allows http(s) on ports 80/443 while blocking Telnet, FTP and POP; behind the firewall sit the Web servers, application servers and the database)

1. Websites that use SSL are secure.
2. Websites protected by a firewall are safe from hackers.
3. The vulnerability scanner did not report any website security issues, so our sites are secure.
4. Website security is a developer problem.
5. We conduct annual security assessments on our websites, so they're secure.

Now let's examine each of these myths and discover whether there are facts to support them.

MYTH NO. 1: SECURE SOCKETS LAYER (SSL) WILL SECURE MY WEBSITE


Regardless of what you've heard, and regardless of the authority of the person making any claim about the effectiveness of SSL in providing application security, SSL cannot make any website secure. All that the SSL security lock symbol, located at the bottom of a Web browser, indicates is that the information sent to and from that website is encrypted. And nothing more than that: the traffic to and from the site is encrypted. But (and this is a big exception) once a website receives and stores any information, SSL has absolutely no capability to protect that information. In fact, it's well proven that websites using even the strongest SSL available have been hacked with the same frequency as those that have no SSL whatsoever. At WhiteHat we consistently find that SSL provides virtually no protection against hackers breaking into a website and stealing its confidential information. Again, it's important to understand that the lock symbol on a website's home page only means:

- A simple SSL encryption protocol is present on the site.
- The website is the site it claims to be, i.e., it is not an imposter site.
- The site is secure from eavesdropping, or any other unauthorized monitoring of conversations or transactions.
- If any exchange between a user and a website is intercepted, nothing whatsoever in that communication can be read.

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench."
Gene Spafford, Ph.D., Professor of Computer Sciences, Purdue University


However, SSL has absolutely no impact on website security, nor on the manner in which a user's private information is safeguarded once it has been received. That's because private data stored on a website is at risk at the server level, and not in the connection between the user and the site.

MYTH NO. 2: FIREWALLS PROTECT AGAINST WEBSITE ATTACKS


While firewalls allow Web traffic to pass through to a website, they lack the ability to protect the site itself from malicious activity. For instance, the Web application software that turns a typical SME website into an e-commerce bank, store, auction, credit union, message board, etc., also makes those websites vulnerable to attack, regardless of whether a firewall is in place. Traditionally, network security has been based on the idea of letting the good guys in and keeping the bad guys out. This type of security is based on the use of firewall ACLs (Access Control Lists). Basically, a securely configured ACL denies all traffic entry to a network, except for a specified set of activities that are permitted. Web traffic and email are two typical examples of permitted activities. Given this setup, a port scan of most websites will reveal port 80 open for HTTP traffic, and port 443 often open for SSL traffic. Generally speaking, the firewall blocks all other traffic. This is both sensible and practical because, after all, no one from the Internet needs to share your printer, do they? However, once an ACL allows a visitor beyond the firewall and into the website, the firewall's protections no longer apply. Yes, the firewall has protected the printer, escorted email to its correct destination, and allowed similar essential tasks to be completed. But the firewall has also allowed just about anyone from anywhere in the world into the website. So while successfully doing its assigned task, the firewall has left the website itself exposed as a new security risk. Thus, the dilemma becomes: how do you give everyone access to your websites, while making certain that they are legitimate visitors?

MYTH NO. 3: NETWORK VULNERABILITY SCANNERS PROTECT MY WEBSITE(S)


Beginning in the early 1990s with SATAN (Security Administrator Tool for Analyzing Networks), system administrators and security professionals have used vulnerability scanners to identify well-known network security flaws. The idea at that time was that once all of the reported security issues had been resolved on a particular website, it should then be secure enough to go live on the Internet. However, vulnerability scanners fail to measure the security of any custom Web applications running on a Web server. This failure is as problematic today as it was 20 years ago, especially considering that today's Web applications are precisely the applications most likely to be the least secure!

How Network Vulnerability Scanners Work and Fail to Work
Typically, network vulnerability scanners identify security problems (Figure 2) by transmitting specially crafted network traffic to target servers and then collecting the responses. These responses are then analyzed and compared to thousands of well-known security vulnerability signatures, also known as checks. The basic premise is that when a network scanner finds a match between a check and any response it has collected, the scanner reports the finding as a security issue. Recent studies suggest that the latest generation of network vulnerability scanners may now be achieving over 90% accuracy.


Figure 2. Vulnerability Stack (diagram, top to bottom: custom Web applications, with business logic flaws and technical vulnerabilities; third-party Web applications, open source / commercial; Web server, Apache / Microsoft IIS; operating systems, Windows / Linux / OS X)

However, because vulnerabilities in custom-written Web code have no well-known signatures, even these newest network scanners miss all the vulnerabilities present at the Web application layer. Statistically, there are security issues present on just about every website; but these issues remain unidentified until someone looks specifically for them. Currently, there is no way to do a general or generic search for vulnerabilities in custom-written code. For the small percentage of organizations that run their websites on the same off-the-shelf software, finding or identifying security problems is less problematic. But with most SMEs building their websites with custom code, what does this mean in regards to being secure from sophisticated attacks? Basically, any SME website requiring thorough security must consider these three facts:

Fact No. 1: Today's average Web application is woefully insecure.
Fact No. 2: No network vulnerability scanner can identify flaws other than those within its signature database.
Fact No. 3: Yes, most off-the-shelf vulnerability scanners will give most websites an "all clear" or thumbs-up report. But, typically within moments, a Security Technician in WhiteHat's Threat Research Center can directly query the back-end database and obtain customer credit card numbers from that supposedly vulnerability-free site. So much for the effectiveness of off-the-shelf scanners.

MYTH NO. 4: WEBSITE VULNERABILITIES ARE THE DEVELOPERS' FAULT


It's very easy to blame Web developers for website security failures, but the criticism is unfair. Many factors beyond the control of developers contribute to the insecurity of Web software. For example, the source code often comes from a variety of providers, rather than all of it originating from an in-house development team. Or an SME's own existing code might be intermingled with new code developed by an offshore vendor. Perhaps a patch from a commercial supplier has been applied to dependent system libraries. Or a developer may use example code or open-source code, or both, taken directly from the Web.


Clearly, you can never know whether the entire code base for a software project is unique, or whether one of your websites will still be safe and secure after code from different sources is combined and begins to interact. Also, you're certainly aware that as deadlines approach and it becomes necessary to rush projects, take shortcuts, etc., many errors are likely to occur in the code.

As Your Enterprise Grows, So Do Your Security Risks
Given how commonly the first four Myths described above are believed to be true, let's now imagine that two developers at the same company independently create two separate, secure software modules. The modules are consistently secure, in and of themselves. However, when they interact, they create serious security issues. Now, imagine multiplying this situation by intermingling tens of thousands, or hundreds of thousands, or even millions of lines of code. The chances of a business logic security loophole not occurring are probably zero. Of course, realistically, software will always have bugs. In any type of computing, we experience this as a matter-of-fact problem every day. And with security vulnerabilities basically just a different type of bug, training your developers to write secure code can make a significant improvement in code quality. However, training developers to write secure code does not necessarily mean the code they write will be secure. That's because there's currently no way to prove absolutely that software is secure and bug-free. Essentially, everyone who develops code makes mistakes. And some of those mistakes will remain buried and undiscovered, perhaps for years. And that's why business logic reviews must become a key component of any SME's Web application security strategy.

MYTH NO. 5: ANNUAL WEBSITE VULNERABILITY ASSESSMENTS ARE ENOUGH


Today's SME commercial, corporate or organizational websites are updated so often that the accuracy, and thus the value, of a week-old security report is questionable. A report from last year is virtually useless. But an annual security assessment is sometimes all that owners of SME business-based websites perform, and even then, only because such an assessment is often a legal requirement. Essentially, such long intervals between security assessments will eventually lead to long-term security problems. Therefore, for maximum security, WhiteHat recommends continuous assessments of Web applications throughout the year. This frequency is essential, because as you develop and introduce each new revision of a Web application on your websites, you are also increasing the likelihood of new security issues.

How Holidays Are Special, Though Not Necessarily in a Good Way
In WhiteHat's experience with SME e-commerce websites, holidays are especially vulnerable to website attacks. For example, Valentine's Day, Christmas, Mother's and Father's Days, and similar "High Buying Times" during the year are when new Web code is written specifically for each holiday's sales promotions. Frequently, the new website features are prepared in a great hurry in order to meet calendar deadlines, regardless of unresolved security issues, when the online promotions must be launched. And while that's certainly preferable to publishing no holiday code and suffering significant financial losses, there's an even greater financial advantage when you maintain your website security by finding and identifying flaws as they occur.


CONCLUSION
Whether you're in the process of developing your websites, or they're currently active and serving customers, it's essential that you evaluate your application security frequently. Following are some recommendations that we believe can help you get a good start on improving your website security:

Business Managers: We recommend that security reviews be performed each time you update one of your websites. That's because every new line of code is potentially a new security risk.

Security Professionals: Use your website vulnerability scanners in combination with a manual testing process. This mechanical / engineer pairing ensures a complete search for, and discovery of, vulnerabilities throughout even the largest sites. Naturally, we recommend you consider WhiteHat Sentinel. This approach also allows website operators to focus their attention on tackling the logic issues that must be resolved, which is where their skills are most critically needed.

Software Developers: Never trust client-side input. It is the No. 1 cause of security vulnerabilities. That's because client-side code gives hundreds of millions of website visitors whom you don't know direct access to your software. So the general rule is: if you receive any input that you did not expect to receive, never use it.
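The developer rule above, shown as an added example that is not part of the whitepaper and not WhiteHat's code: a lookup that pastes a client-supplied `id` into SQL (the SQL Injection case the paper names) beside the hardened form that validates the value and binds it as a parameter. The in-memory `customers` table, its rows and the request values are constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny in-memory table standing in for the
    back-end customer database behind an SME Web application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "1111"),
        (2, "bob@example.com", "2222"),
        (3, "carol@example.com", "3333"),
    ])
    return conn


def lookup_insecure(conn, customer_id):
    """Vulnerable form: the client-supplied id becomes part of the SQL text.
    Whatever the visitor sends is executed as SQL, so a value carrying SQL
    syntax changes the query instead of being treated as data."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE id = " + customer_id
    return conn.execute(sql).fetchall()


def lookup_secure(conn, customer_id):
    """Hardened form: check the value against the shape the application
    expects (a short ASCII decimal id), then bind it as a query parameter so
    the database never interprets it as SQL."""
    if (not isinstance(customer_id, str) or not customer_id.isascii()
            or not customer_id.isdigit() or len(customer_id) > 9):
        raise ValueError("customer id must be a short decimal number")
    sql = "SELECT id, email, card_last4 FROM customers WHERE id = ?"
    return conn.execute(sql, (int(customer_id),)).fetchall()


def compare(conn, customer_id):
    """Run both lookups on the same input and report how many rows each one
    exposes; the secure path reports 'rejected' when validation fails."""
    exposed = len(lookup_insecure(conn, customer_id))
    try:
        hardened = len(lookup_secure(conn, customer_id))
    except ValueError:
        hardened = "rejected"
    return {"insecure_rows": exposed, "secure_rows": hardened}


if __name__ == "__main__":
    db = build_db()
    # A legitimate request for a single customer record.
    print("id=2          ->", compare(db, "2"))
    # Constructed hostile value: an id followed by an always-true condition,
    # so the concatenated query matches every row in the table.
    print("id=999 OR 1=1 ->", compare(db, "999 OR 1=1"))
```

Run stand-alone, the insecure lookup returns all three customer rows for the hostile value while the hardened lookup rejects it before any query is sent.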
RESOURCES:
Web Application Security Consortium (WASC): A source of up-to-date web application security information: http://www.webappsec.org/
The Center for Internet Security: A best practices resource for platform security guidelines and utilities

THE WHITEHAT SENTINEL SERVICE


Visibility Into Risk Across The Enterprise From A Single Platform
Since it's a SaaS-based platform, WhiteHat Sentinel is a completely turnkey solution. No other solution is as easy to deploy, as easy to manage, as cost-effective, or as comprehensive. Now, you can manage all your website security through a single, easy-to-use platform.

Expert Risk Management Services From The TRC
WhiteHat's Threat Research Center (TRC):
- Verifies every vulnerability that Sentinel finds
- Performs business logic testing, which is impossible to automate
- Serves as an extension of your own website security team
That means you can focus on your technology and business goals instead of website security headaches and hassles.

A Higher Level of Accuracy & Speed
Every service delivered by WhiteHat includes full vulnerability verification by the Threat Research Center (TRC), which verifies the accuracy of all vulnerabilities, virtually eliminating false positives and dramatically simplifying remediation. What's more, the TRC also frequently operates as an extension of your security team. They're available to answer questions about a vulnerability, or to provide Proof-of-Concept guidance on how a vulnerability can be exploited, for instance. Companies large and small value the fact that the TRC is the place you can call to get a live person who can offer expert analysis and guidance on your website security environment.


Predictable Costs, Unlimited Assessments
WhiteHat Sentinel provides subscription-based website security solutions designed to fit any budget. Whether you run your application assessments once a week or once a month, your costs are always the same.

Full Integration Via Our Open XML API
An open API combined with industry-leading bug tracking, Security Information and Event Management (SIEM), and Web Application Firewall (WAF) products means you can share website security data across departments.

PCI Compliance
The patented methodology of WhiteHat Sentinel exceeds the strictest industry standards, as established by the PCI Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

Jeremiah Grossman is the Founder and Chief Technology Officer of WhiteHat Security, where he is responsible for Web security R&D and industry evangelism. Mr. Grossman has authored dozens of articles and whitepapers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense. His work has been featured in the Wall Street Journal, NY Times, USA Today, Washington Post, NBC News, and many other mainstream media outlets. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker at hundreds of international events including BlackHat Briefings, OWASP, RSA, ISSA, SANS, Microsoft's Blue Hat, and many others. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and was previously named one of InfoWorld's Top 25 CTOs. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!, where he was responsible for performing security reviews on hundreds of the company's websites.

Founded in 2001, and headquartered in Santa Clara, California, WhiteHat Security provides end-to-end solutions for Web security. The company's cloud technology platform and teams of expert security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete Web security at a scale unmatched in the industry. WhiteHat Sentinel, the company's flagship product line, currently manages thousands of websites, including sites of leading companies in the most regulated industries, such as top e-commerce, finance and healthcare organizations.

WhiteHat Security, Inc. | 3970 Freedom Circle | Santa Clara, CA 95054 408.343.8300 | www.whitehatsec.com Copyright 2013 WhiteHat Security, Inc. Product names or brands used in this publication are for identification purposes only and may be trademarks of their respective companies.
