Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Wednesday, July 07, 2004

Cover Your Apps - 5 Security Myths

Like water, hackers take the path of least resistance. Today, this path leads over Secure Sockets Layer (SSL) to get past most corporate firewalls, where nothing exists between a hacker, a Web site and the information it holds. Using a browser and a few simple tricks, hackers can penetrate a Web site.

With firewalls and patch management now being standard practices, the network perimeter has become increasingly secure. Determined to stay a step ahead, hackers have moved up the software stack, focusing on the Web site itself. According to a Gartner analyst, more than 70 percent of cyberattacks occur at the application layer.

1. “The Web site uses SSL, so it’s secure.”
SSL by itself does not secure a Web site. SSL does not protect the information stored on the site once it arrives.

2. “A firewall protects the Web site, so it’s safe.”
Firewalls allow traffic to pass through to a Web site but lack the ability to protect the site itself from malicious activity.

3. “The vulnerability scanner reported no security issues, so the Web site is secure.”
Vulnerability scanners have been used since the early ‘90s to point out well-known network security flaws. However, they neglect the security of custom Web applications running on the Web server, which usually remain full of holes. Up-to-date vulnerability scanners now achieve more than 90 percent vulnerability coverage on the average network—but they sparsely target the Web-application layer because there are no well-known security issues present in custom-written Web code.

4. “Web application security is a developer problem.”
Sure, developers are part of the problem, but many factors beyond their control contribute to software security. For example, source code can originate from a variety of locations besides in-house. A company might have code developed by an offshore firm to intermingle with existing code.

5. “Security assessments are performed on the Web site every year, so it’s secure.”
The high rate of change in normal Web-site code rapidly decays the accuracy of even the most recent of security reports. As each new revision of a Web application is developed and pushed, the potential for new security issues increases.
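To make myths 1 through 3 concrete, here is a small model of what each control actually sees in a Web request. This is an added example, not code from the original post or from any product it mentions. Everything in it is constructed: the firewall is a pure port allowlist, TLS is treated as an opaque envelope the firewall cannot inspect, the "vulnerability scanner" only knows a list of well-known server banners, and the application exposes a single `account` parameter that must be a decimal id owned by the logged-in session. The request values, banner list and session contents are sample data invented for the example.

```python
"""Added example: which layer sees what in a Web request (myths 1-3).

All names, ports, banners and sample requests below are constructed for
illustration; they do not come from the original post.
"""
from dataclasses import dataclass
import re


@dataclass
class Request:
    dst_port: int   # TCP port the client connected to
    tls: bool       # whether the connection is wrapped in SSL/TLS
    path: str       # URL path of the request
    params: dict    # decoded query/form parameters as the application sees them


# Constructed perimeter policy: only the standard Web ports are open.
ALLOWED_PORTS = {80, 443}


def firewall_allows(req: Request) -> bool:
    """Myth 2: a perimeter firewall decides on port, not on request content."""
    return req.dst_port in ALLOWED_PORTS


def tls_protects(req: Request) -> bool:
    """Myth 1: TLS protects the bytes in transit only. Once decrypted at the
    server, the application receives exactly what the client typed."""
    return req.tls


# Constructed banner list standing in for a scanner's known-flaw signatures.
KNOWN_ISSUES = {"ExampleHTTPd/1.0": "well-known server flaw (constructed)"}


def scanner_flags(server_banner: str) -> bool:
    """Myth 3: a signature scanner only reports issues it has a signature for.
    Custom application code has no signature, so it reports nothing."""
    return server_banner in KNOWN_ISSUES


ACCOUNT_ID = re.compile(r"[0-9]{1,10}")


def app_authorizes(req: Request, session_accounts: set) -> bool:
    """The application-layer check that neither SSL nor the firewall provides:
    validate the parameter's shape, then check it belongs to the caller."""
    acct = req.params.get("account", "")
    if not ACCOUNT_ID.fullmatch(acct):
        return False
    return int(acct) in session_accounts


def trace(req: Request, session_accounts: set) -> dict:
    """Return each layer's verdict for one request."""
    return {
        "firewall": firewall_allows(req),
        "tls_in_transit": tls_protects(req),
        "application": app_authorizes(req, session_accounts),
    }


# Constructed sample traffic: the caller's session owns account 1001 only.
SESSION_ACCOUNTS = {1001}
SAMPLE_REQUESTS = {
    "legit": Request(443, True, "/statement", {"account": "1001"}),
    "tampered": Request(443, True, "/statement", {"account": "2002"}),   # someone else's id
    "malformed": Request(443, True, "/statement", {"account": "1001x"}),  # not an id at all
    "blocked": Request(8443, True, "/statement", {"account": "1001"}),    # port not open
}


def demo() -> dict:
    """Run every sample request through all three layers."""
    return {name: trace(r, SESSION_ACCOUNTS) for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
    print("scanner flags known banner:", scanner_flags("ExampleHTTPd/1.0"))
    print("scanner flags custom app:  ", scanner_flags("CustomApp/2004"))
```

The tampered and malformed requests pass the firewall and arrive over TLS exactly like the legitimate one; the only layer that tells them apart is the application's own validation and ownership check. The scanner helper shows the same gap from the other side: a custom banner matches no signature, so a clean scan report says nothing about the custom code behind it.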

Posted on 07/07