A web application deployment by a fresh (new) client is likely to have a significant number of web woofapps security issues, with everything from exposed databases through to SQL injection level attacks being possible. Further testing over time indicates that a relationship with a security company for source security testing purposes results in a reduction of insecurities in the web applications.
“The bigger they are, the harder they fall”. There appears to be a defined trend towards the larger companies having a higher number of insecurities, particularly in the web application space. The root cause of this is unclear; however there is a relationship with outsourcing, and the need for a large organization to “secure everything”. This also applies to smaller companies; however the smaller companies tend to have significantly less infrastructure to worry about.
Certainly we have seen vulnerability management and analysis starting to be applied within organizations; however it is only really the network, operating system, and server levels that are being worked on by most companies. This is largely based around the notion that vulnerability scanning and remediation products and services are maturing in this space. Certainly while there are maturing tools in the application security testing space, they are still quite reactive, and will take a number of years to be both mature and mainstream.
From the vulnerability research and analysis that we have been performing, it is apparent that application development is still poor in terms of security. Not all of this can be blamed directly on the developers; with so much pressure to get product out the door, security is often given a back seat. We also need to focus on training our software developers to code securely but we are presently doing an abysmal job at it. A number of the application layer security vulnerabilities we are seeing in both off the shelf and open source systems are merely new instances already well known vulnerabilities. How long have we known about buffer overflows and SQL injection issues? So why are we still seeing them? For further discussion around some of this, see Brett Moore’s Ruxcon presentation on “same bug, different app”.
As a final note for this section, as an organisation we are really excellent at application testing and source code analysis, but really hate being the ones that break a system 2 days before it is scheduled to go live. The stats are there; design security in at early phases of the project, and the cost and impact of remediation is much less than trying to fix it when you are just about to roll it out, and dramatically cheaper than trying to fix it once in production. We are starting to see a trend towards compliance and security assurance climbing the systems development life cycle value chain. Long may it continue…!
So who tests vendor products (Common Off The Shelf) for web application security issues before they are rolled into production environments? Particularly where it has previously been deployed into other client sites? Really? How many of you review source code security in code developed by your outsourcer and / or development team?
We have seen the good and the bad in this space. In a number of cases we have tested and broken web applications that are in widespread use around the world, and have found them seriously lacking. This is not necessarily just a plug for how good we are; it is more an indictment on the lack of application security testing performed by other companies that have purchased and implemented these products. Really guys, some of the attacks and exploits were just plain basic…
The message really is to at least do a source code review where possible, or an application intrusion test where you can. COTS systems are not automatically secure simply as a result of how widely they are deployed. If you are concerned about the security of a product, get the developers to release the source code to you for assurance and testing. Based on our findings, at least 20-30% of web applications (either COTS provided or outsourced) have significant vulnerabilities.
What about your outsourced application development? Of course you do realize that you are accountable for poor software security and are performing source code audits appropriately when code is delivered? Seriously though, there is a real lack of due diligence in reviewing delivered systems at either the application or source code level, for which we believe the primary reason is a lack of applied accountability, and (up until recently) this stuff hasn’t necessarily been cheap to test. The other big issue that we find is a general lack of security testing standards, and security standards in application development.