Web Application Security
Whether you’re building a custom web application or using one of the off-the-shelf/open source web applications for things like photos, monitoring, or any other PHP, ASP, Perl, AJAX or other language web app, one thing you MUST think about is the security associated with it.
In this interview with Paul Herbka from South Seas Corporation (a development and training company based out of Colorado), we go in depth in a discussion of web applications, security, and why it’s important for any individual or business to seriously consider what their policy is for the security associated with any web-based applications they may deploy online.
Mr Herbka also goes into reviewing some great security platforms for protection of any web-based application.
You can listen to the interview, and/or read the transcript below, for free.
(Paul even offers you a discount if you mention this interview when you call him.)
The following is a presentation of IdentityTheftSecrets.com.
Identity Theft Secrets: This is Jonathan Kraft with Identity Theft Secrets and I’m here again today with Paul Herbka. Today we’re going to be talking about Web Application Security which doesn’t sound like that exciting of a topic, but it’s pretty amazing what can happen when you have a website or web application that gets hacked and all of your information for all of your customers is stolen and what do you do about that? So Paul’s going to talk with us a little about that today.
Paul Herbka is actually the President of The Information Systems Security Association in Denver. He’s the Vice President for South Seas Corporation which is headquartered in Littleton, Colorado and he’s also a Certified Identity Theft Risk Management Specialist and has spoken at numerous conferences and I know you just have a wealth of knowledge here. So thank you very much Paul for taking a few minutes with us today.
Paul (web application expert): Absolutely – I appreciate the time to be with you and just share some information. Really I’m hearing a lot of buzz about Web Application Security. It’s really become an age where if a company has a website, then they’re legitimized and people feel they’re a real company and “ok, I can do business with them, because they must be a real one if they have a website.”
Identity Theft Secrets: You know what’s funny about that – can I interject there real quick? I actually used to work at when it was US West/Dex, you know the yellow pages and I used to sell internet advertising back in 1999, I was a phone sales rep for internet advertising. I would call these businesses in like Pine Junction, Arizona and I’d say, “hey, we’d like to talk with you about getting your website set up on the internet.” And seriously, people would go, “inter- what?!” And it’s so funny to have gone from that in 1999 to today where having a website is being a “real business.” Anyway, I just thought I would interject that there.
Paul (web application expert): No, that is funny and it’s so true. It’s funny – I was just talking to another gentleman and he wants to setup a website; he’s like, “well, people keep asking me, what’s your website?” As if, as long as they have a website, then he’s legitimate. It used to be if you had a business card, you were legitimate and I think some people still do that. But now a lot of people printed up mass, different business cards – so now it’s “ok, do you also have a website? – then you must be real!” So it’s interesting to see that trend.
Well along with that trend is a lot of people are serving up applications and a lot of even government entities are going to where, “hey, now you can do everything online” — and it’s a mixed review, right? Some people say “great! Now I don’t have to leave home – I can just do that, I can do it online; I can do it while I’m traveling.” Other people say “hey, this is scary, because now all of my information is ‘out there.’”
The reality is a lot of different government entities are making it so job applications, etc., are all being done over the web, which now means people are putting in their social security numbers, their date of birth, their address, their home numbers, etc., and all that information is traveling. So obviously, security becomes a big issue in that as people are becoming very aware of the cost-savings by having a website. And not only that, but the ability to maybe be in one town or one country, but now offer things to the world, right? We saw those commercials a while back where they say, “hey, you might be a small business here but now you can do business worldwide by having a website.” And you look at the people selling stuff on eBay and now all this stuff is out there.
Now one of the root issues is, is that stuff secure and is your web application secure? So there’s actually a coalition out there called OWASP – I don’t know if you’ve heard of them, but they have the OWASP “Top Ten” and what that is, is it’s a list of the Top Ten issues or vulnerabilities that they are seeing in web applications. And I won’t read through all of them, but the top ones are Cross Site Scripting, Injection Flaws, Malicious File Execution, Insecure Direct Object References, etc. So basically, it’s the ability for me to hack that website remotely and now it doesn’t matter where I am, I can be in Russia, or China or wherever and hack into these websites and now I no longer have to worry about getting onto the network, right? I don’t have to worry about getting into the physical building – they’ve given me access out on the Worldwide Web and opened it up for me to get in!
The interesting part of that is when people are developing those applications, all the programmers went through school – but in school, they never worried about security. They were worried about efficiency, right? Write better code, more efficient code, less code; the more it can do with fewer lines, the more efficient it is; the faster it runs, the happier everyone is. So they worried less about security, or even not at all about security, and just worried about the efficiency of the code. Well now, what they’re finding out is, this code is efficient, but it’s very easy to fake or to hack and take advantage of these vulnerabilities that just aren’t secure just because of the way it was written. Now when they look at these applications that have grown over the years, that are now thousands and thousands of lines of code, they either need to go back in and do code review or they need to find some other way to secure it.
So that’s really become a key issue in web application and web application security. In fact one of the biggest things now that people are looking at are web application firewalls that are purpose-built firewalls specifically just for web applications.
Identity Theft Secrets: Can you explain more what that means?
Paul (web application expert): Sure! So a web application firewall is really focused on all the different things like SQL Injection, Cross-Site Scripting and Cookie Poisoning. Just a simple example of that is like if you’ve ever done an order online and you see there’s a large string at the top and then the last part is your order number? Well, if you go up and change that order number — and it’s not a secure website — then you’ll actually pull up someone else’s order. Now that’s interesting, but it’s now a security risk if that order had their name, information, credit card number, address, etc., not to mention their order, which they may be ordering something that they may not want the world to see – depending on who they are and what they’re buying or where they’re buying it from.
Identity Theft Secrets: And may also include their credit card information in that order.
Paul (web application expert): Absolutely! Credit card information, the CVV code off their credit card, any of that stuff. And depending on again what they’re doing it may also include – let’s say you’re doing a job application and you change that code, now you may be seeing someone else’s job application; now it also has their social security number, their date of birth, their home address. As far as an identity thief, they’re going, “hey, that’s great! Game over! I’ve got all the information I need. This is fun.” Of course the more sophisticated ones are saying, that’s only the one-sies and two-sies; I’m going to go after the thousands and the tens of thousands or millions. For the hacker that wants to setup a script to just keep doing that – running through all the orders, that’s an easy way to glean information without having to do much hacking.
Identity Theft Secrets: Right, the machine is doing all the hacking for them at that point. Gleaning some random order numbers over and over and over and over and over until it finds one and then it’s grabbing all that information and then putting it into an Excel sheet or something and somebody can open that from wherever.
Paul (web application expert): Exactly and so we’re finding that, more and more, people are going “ohhh, ok, we didn’t realize!” They’re starting to realize the implications of “yes, it was nice that you put this stuff out there; but now, what are the issues?”
So just as an example of what a web application firewall does is, if there are Web worms – so worms written specifically for the web. A regular firewall only has limited access to stopping that. But a web application firewall is built specifically to. Another example would be web vulnerabilities like Cross-Site Scripting, etc. A web application firewall knows about those — a regular firewall has no clue. So that’s something that’s there. The other thing would be directory files or directory structures, brute force attacks, which is where they’re basically just guessing passwords or guessing random numbers or guessing strings. Changing the cookies — most people are familiar with what a cookie is on a website, but a cookie is basically something that says, “I’ve initiated, I’ve authenticated this transaction; whether it’s a purchase or an inquiry or whatever for maybe my bank statements or maybe my access to my records, for medical or whatever.” “I’ve done the authentication,” so then it assigns a cookie to that session or to me so that when I do another request, it says, “oh, ok. I know who you are and I remember who you are.” So if I can find a way to adjust that cookie or tamper with that cookie, called Cookie Poisoning, then I can now take that and get other people’s information the same way. So that’s one example. Brute force attacks are another example where a regular firewall doesn’t know how to handle that; but a web application firewall is built specifically to help with that. So it doesn’t matter if it’s SQL or OS Injection, Cookie Poisoning, Hidden File Manipulation, Parameter Tampering and the list goes on. But there’s a bunch of things — SSL Flooding, a lot of people say, “well, I’m secure, I’m ok, no one can hack in because I’m using SSL VPN or I’m using SSL sessions, HTTPS — so I’m good.” Well, you can do something called SSL Flooding and again a regular firewall isn’t going to know what to do about that; whereas a web application firewall can.
One of the best web application firewalls out there is an F5 Product and they call it ASM, Application Security Manager. But it’s basically specifically built to help with that and their whole company policy is to deliver applications that make them secure, but make them available all the time. They also do “load balancing” to make sure that it’s got high availability.
So when we talk about web application security, really the two options are either, review all of your code and make sure it’s secure which is kind of a nebulous thing to start off with anyway; not to mention a painstaking, time …
Identity Theft Secrets: No kidding, hunting through lines of code trying to find vulnerabilities.
Paul (web application expert): Exactly, and thousands and thousands of lines of code which now are causing other things. You need to know not only that, but you need to follow the whole thought process of what’s being passed, what should be passed, what are the legal ranges for the items being passed – do we have a way of checking for those legal ranges, testing if they are or aren’t legal, etc. And then what happens, how do we handle the exceptions when it’s a typo versus it’s a hacker trying to get in? So we don’t want to cut all sessions that don’t have the right information, but we don’t want to allow them either. So there’s different issues there.
So those are the types of issues that people are facing and I think it’s interesting that there are some people that say, “oh, well I’m not worried about that.” Well, if that application is tied to a database or tied to your network which now has a database that has any information, again, people’s names, social security numbers, their identity, you should be worried about securing that – otherwise you’re going to have a breach and you’re going to be in the newspaper, you’re going to be on the “bad list” of companies to deal with because you don’t secure their information correctly.
Identity Theft Secrets: Let’s say I’m either a government institution or a large business. Or even — I work a lot with internet marketing people – those are some of the people I know just selling odds and ends of little products online. But they’re storing credit card information, at least temporarily. If any of those people have issues, what are some good, just everyday resources for people to find details about what they need to do to secure web applications?
Paul (web application expert): Wow, great question! One is, I would say definitely; find yourself a good security consultant, right? Not just a computer reseller, firewall reseller, but find a security consulting company that focuses on that and there’s several things they should do. One is they should be able to do assessments and penetration tests and web assessments to go and find out what are the issues on your website? Is it vulnerable to all those things we just discussed? And then two is, after they do that, they should give you a detailed report that not only says, “here are all the issues we found,” but ranks them in the order of priority – here are the issues that are most important; like a high-red – oops, you’ve got to get this fixed right away. That way you know what your priority list is because no one has unlimited time, unlimited resources and unlimited money to go and just fix all them. You want to figure out what are the big holes that are serious violations or vulnerabilities that I need to plug up now!
Quite honestly, bang for the buck – I would recommend a web application firewall because that’s going to stop – with all of your applications, the old ones, new ones, etc., long-term, the whole OWASP mentality is we’ll learn how to program better and code better and make that a part of your whole development lifecycle and that’s great. It’s a great goal, but it’s not going to get there quick enough. It’s kind of like saying, ok, our car should be energy-efficient. Well that’s not just going to work overnight – it’s a good goal, but if you’re driving an 8-cylinder SUV, it’s not going to become energy-efficient overnight. So those are things you can add to that so that it’s protected and it’s secure to give you time to fix the process behind and work with that.
The other thing is it’s constantly getting updated as well from that vendor so that as new vulnerabilities are found, it’s keeping up with that and you don’t have to worry about it. Because people will just say, “well I’ll just work it into my development lifecycle.” Even if all their coders were of that same mentality — which, just being real, they’re not — what about when a new thing comes out? Are you really going to stop production and coding to go tell everyone about this new thing – “here, you have to worry about coding it this way” – or are you just going to say, “well, we’ll fix it up in the next version”? If that’s the case, you’re still open to vulnerabilities and you’re open to being breached and then you again have that high expense of being reactive to a breach; versus proactive on the front-end.
Identity Theft Secrets: Sure, and what you’ve said before is that it’s always – and I think “always” and “never” are two words you should always remember never to use – but, you’ve said it’s always cheaper to be proactive than to deal with it on the back-end.
Paul (web application expert): Absolutely, absolutely! In fact, I want to say it’s under 10% — normally the cost for breaches is usually under 10% to deal with it proactively before it happens versus after the breach occurred because you’ve got all these fines and notifications and fees and things you’ve got to do. Not to mention all the hidden costs; customers don’t trust you now so you lose business, the goodwill, things you’re trying to do then to overcome that goodwill. So yes, if you look at the overall costs, always, always, always – which you should never use – (laughs) it’s always more effective to be preventative – at least cost-effective to be preventative – unless you’re just one of those gamblers who says, “I’m going to gamble and hope I don’t have a breach before I go out of business.” But hopefully most people are deciding they want to be in business a long time and therefore that’s not a good policy because the chance of time is against you.
Identity Theft Secrets: Sure. If I’m looking for a solution, what types of solutions are available?
Paul (web application expert): Wow, there’s low-end web application firewalls, there’s “do-everything-in-one-box” type of UTM, Unified Threat Management box and the good thing about that is that they do everything. The bad news about them is that they are a “Jack-of-all-Trades, Master of None.” So, they’re going to be ok at just about everything, but they’re not going to be great at anything. So I really recommend getting a purpose-built box specifically for something as high-volume, high-traffic as a web application where you need that delivery not to be slowed down, but you need it to be looking at everything and securing everything. So I would look at things like that; I would look at again, the F5 product which is really recommended which has great success. It works well, you plug it in and it works; it’s what makes it a great solution and they are constantly increasing it and developing it to make sure it’s always secure and it’s always working to help you.
Then also look at the data leakage-type products, like the Vontu product from Symantec that really helps you do that. Another thing that people don’t realize when they’re looking at the costs are just all the different fines. In fact, even the payment card industry has figured out this web application stuff is serious. In their new version, PCI DSS, Version 6.6, they’ve said, “you’ve got to have” – it’s no longer “nice to have” – they’re saying now “you’ve got to have either code review, which means going through all those lines of code, or you have to have a web application firewall.” So they’ve now admitted to themselves and to their community, hey, if you’re taking credit cards, if you’re storing credit cards, no matter how temporary that might be, you need to have a web application firewall or you need to show improvement and do the constant code reviews to make sure your code is always secure.
Of the two, the least expensive is going to be the web application firewall. Unless again, you only have one program and it’s only a couple hundred lines long, then yes, do a code review. But if it’s hundreds of thousands or millions of lines of code, a web application firewall is going to be less expensive and it’s going to be easier to implement.
Identity Theft Secrets: You just mentioned too that there was some law or some rule that required people to have things set up. What other kinds of compliance changes or government issues – is the government getting involved as they do in lots of different arenas, so that ideally they’ll protect and help people; but what kinds of compliance issues are people facing now when it comes to web application security outside of the one you just mentioned?
Paul (web application expert): I’m glad you asked that – in fact, it reminds me of a local news story here in Denver where the District Attorney for Denver has just published and said to all the different public websites, so any of the cities or counties or what not, “hey, this is serious and you should not be having people’s social security number or private information out on public websites.” And while that was a general rule that everyone thought they were following, everyone forgot and again it becomes more of the business process in the paper world that then got changed into the web world and people forgot how that became a security risk.
An example is now, public records for a house; who purchased the house and who’s the lien against the house. Wedding information, all that stuff is now filed online and you can look it up online. Well because of that now, people worldwide have access to that, can go in there and get that and they’re saying, “hey, we’ve got to take that off.” If you’ve got a lien record, you’re supposed to be taking the social security numbers off, you’re supposed to be taking the private information off. So now that’s something that’s been kind of declared as an internal or external rule, depending on how you look at it, that says, “hey, we need to be doing this!”
Again, it’s not something where people were doing maliciously posting information; they were just taking what they did in the paper world and automating it to the web world to make things easier for people. But in our “lust” for making things easier, we forgot about security and now we’ve opened people up to the possibility of having identity thieves get their information and use it maliciously.
Identity Theft Secrets: So as far as compliance issues, there’s nothing specific necessarily that requires them to be compliant?
Paul (web application expert): Well, that’s where it’s interesting. There was no specific solution mentioned, but it basically said, “go through all of your web information, whether it’s millions or thousands of pages of stuff you can get off the web, and make sure that none of it contains social security numbers, credit card numbers, personal information.”
So now there’s a huge market out there for programs that can go out and search for that stuff automatically, right? Using the technology to go through and scan your whole farm of web pages and say, ok, where does that apply? And then, either wipe it clean or take those off and find a way to keep that information off of it – and that’s important. So now there are programs and one of the things that the F5 product can do and that people are using, is the ability of the F5 product to say, “oops, you’re sending out this webpage, but it contains social security numbers. I should change that so that now it’s generic, right? And I just put X’s instead of the actual number.” So that people see, yes, there is a social security number on this file, but they don’t know what it is. So that’s something that people are doing to automate that. Quite honestly, the payment card industry has said, if you aren’t doing that, you’re in trouble. Now the Denver District Attorney has said, yes, I want all the state’s entities to do that; so it’s becoming more and more and I don’t think that’s a rare thing, I think you’re going to see that more and more and more whether you’re a small business or government entity falling under the SEC or falling under PCI or SOX or HIPAA. Now all the members are saying yes, we need to start securing our data because they’re realizing that Identity Theft is a big issue.
So where can you go? Again I would go to … by all means, you can get in touch with us and we can help you with a solution; we can help figure out what’s the best solution. Is it easier to scan through your data, re-clean up your data or just filter it on the way out and change it all out? Or just not allow it? You know there are a lot of different solutions there, but I would say, start working on that and making it a priority. Otherwise you’ll end up paying fines or breach costs, one way or another.
Identity Theft Secrets: I know that South Seas Corp offers people a lot of solutions, as we’ve talked about before, for dealing with web application security and a whole other variety of things. If people want to get in touch with you, how do they do that?
Paul (web application expert): Well, the best way is either email or phone. Our 800 number is 1-866-794-1655. Again, toll-free is 1-866-794-1655 or they can call me directly at 303-798-7588. Or they can email me, my email address is pherbka@SouthSeasCorp.com.
One thing I’d like to offer is that anyone who mentions that they heard it here, we will go ahead and give them a discount and we will give them a 2% discount on any web application firewall they buy from us or any services specifically for security by mentioning this ad. As long as two things: one is they are not an already pre-existing customer and it’s on something they’ve already been quoted or already bought and two is that it’s not on a government contract, because on government contracts I can’t adjust the pricing that way.
Identity Theft Secrets: Well thank you very much for taking a few minutes with us to talk about web application security. I hope people are more informed about – if they have any sort of web application, they need to be looking at creating some security specifically around that web application.
I appreciate you taking a few minutes to share your expertise with us today.
Paul (web application expert): Absolutely and one other thing I forgot to mention is another resource they may want to go look at is the OWASP Top Ten. If you just Google OWASP Top Ten, it will give you the Top Ten List and you can drill down in that – here’s all the things and here’s what it means, here’s how to do it, here’s how to do the code review, here’s some of the products that work against it. So that’s a good resource as well — so I neglected to mention that earlier. If you’re in a web application environment, that’s hopefully something you already know about but if not, that definitely would be a good place to go to.
There are also local chapters of OWASP that have different meetings. I know there’s a Denver Chapter, there’s a Boulder Chapter – they’re nationwide. I think they’re worldwide, but they’re at least nationwide and so you may want to look at if there’s an OWASP Chapter in your area and get plugged into that because that’s a good way to network with other peers that are concerned about security for web applications as well.
Identity Theft Secrets: Awesome! Well, thanks so much for taking the time with us today and we’ll look forward to talking with you again soon!
Paul (web application expert): Sounds good, thanks so much for having me!