Security Experts:

Five Web Application Security Myths

Many Companies fail to Make the First Step Towards Security because of Misconceptions and Security Myths

Protecting your website from hackers is tough. The battle between the good guys (you) and the bad guys (the hackers) is an ever escalating war where a misstep on your part may mean a breached site. But, many companies fail to even make the first step towards security because of misconceptions and security myths, either believing simple security protections are sufficient or thinking they really do not have to worry about hackers. The following notes cover some web security myths.

Application Security1. SSL is The Panacea of All Security

2. Security Through Obscurity

3. Not Worth The Trouble – Nothing to Steal

4. The Totally Secure Website

5. Hackers Are Just Geniuses Gone Bad

1. SSL is The Panacea of All Security

Secure Sockets Layer (SSL) is probably the best know and least understood web security measure in our protection arsenal. As you may know, SSL is a means of encrypting data passing between your browser and web server. When you are conducting private transactions (i.e., financial, medical), your transmitted data does need to be encrypted, or it can be easily read by anyone who ‘sniffs’ your information along the way.

While an argument can be made that SSL (encrypted data) was the single most important technology piece in the growth of the internet as the transactional system is today; one cannot extend that premise to say it is the only technology piece that is required.

The myth behind SSL is the prevalent belief that SSL is all there is for web security – keep the bad guys from looking at my transmitted data and I’m OK. The thinking goes to say, as long as the bad guys cannot read data being sent between your browser and web server, all is safe. Unfortunately, this is like saying your home privacy is safe as long as no one can tap into your telephone line. What about your door locks, cleaning people who might spend every Tuesday at your home (perhaps alone), or the credit card information you put to the curb every month?

So, yes, SSL is essential to Web security, but is only a small part of the total picture. SSL will not solve your security concerns.

2. Security through Obscurity

Many people believe their website is such a small fish in the Internet ocean that no respectable hacker would lower himself to even take a look. The problem is that the hackers, usually script kiddies running automated tools, are looking at everyone’s websites – if for no other reason than it is simply easy to do. Your site, whether it is Bank of America or just a site displaying your collection of Beanie Babies, is always being probed by hackers using scripts.

If your site has any vulnerabilities, and it probably does, automated tools will find and flag your site, setting you up for a live person visit it the near future. Who knows, maybe your website really doesn’t have any value, or maybe the underlying SQL database on your server is fertile ground for identity theft information. It’s fair game, and as far as automated scripts are concerned, just as valuable as your online banking site.

But whatever you do, do not believe the size of the ocean makes a difference to the hackers. The sharks have you covered, however small you might be.

3. Not Worth The Trouble – There’s Nothing to Steal

There’s a lot to be said about my kid’s ‘98 Nissan Maxima. It runs great and gets her around. Perhaps even better is the fact that no one is ever going to go out of their way to steal it – there is just not a lot of demand for the old Maxima on the black market.

So, like your fluffy company brochure site, you have to ask yourself whether it’s worth the trouble to lock it up. But, thinking about the Nissan again; would you leave the keys in it (nope, joy ride bait) or leave your laptop on the backseat (the thieves will go after your computer, the Nissan’s window will just be collateral damage) just because no one wants to steal the car?

The point being, of course, is that it’s not the car (or your web site) that’s in danger; it’s all the secondary pieces that will cause you the pain.

The most obvious peripheral risk surrounding your site is the database under the site (all webs sites require a database to store the website software) which might contain much more information than just pictures of your kids. Perhaps that same database contains your financial information, or personal data that might be used for identify theft. In either case, if your site does get hacked, you may be giving up a lot more than just the website source code.

The far more subtle risk to any web site hack is the undetected changes the hacker might make to your site without your knowledge. Many sites, even the ones that appear to have little commercial value, run the risk of being turned into a malware distribution point – anyone who visits your site may end up living their PC life as an unknowing zombie.

Or your server may be turned into Command and Control point of a botnet army.

Your website and server may seem to be of little value, except in the wrong hands, in which case it may be extremely valuable to cyber criminals.

4. The Totally Secure Website

It’s a given that, however much money, time and technology you have, your website will never be 100% secure. The brutal fact is that in a world of good and bad guys duking it out in cyber space, your website will eventually fall prey in the endless one-upmanship battles.

Hackers are constantly looking for and discovering security flaws in systems that were once thought secure. The time between these discoveries and the required patch software will make you vulnerable for a successful attack. Make no mistake, hackers have already probed your systems, characterized your software and are poised to take advantage of any zero-day vulnerabilities that might open you up.

Keep in mind the fact that Internet giants like Epsilon, Lockheed and the DOW Stock Exchange have been successfully breached – it is an adage in the security world that if someone wants your data bad enough, they will eventually get it.

But, even though total website security is a myth don’t think you shouldn’t try. Hacker skills range from inept script kiddies running downloaded programs to teams of well funded hackers supported by foreign nations. Your goal should be to get yourself as far up the food chain as possible by making your website as secure as possible – the script kiddies will bounce off, and chances are China is spending its time stealing state secrets.

5. Hackers Are Just Geniuses Gone Bad

Who can watch NCIS and not believe that hackers (white and black hats) are not absolute geniuses with the ability to hack into any government website in just a matter of minutes, perhaps an hour if it is a foreign government?

While there may be a few of these super hackers around, it turns out the majority of the folks stalking the Internet are just script kiddies using easily downloaded tools to automatically probe and attack websites. The Xbox’er turned hacker will view your site as yet another computer game with bragging rights when he grabs your data or turns your site into a subtle weapon.

So, if you’re betting those hacker geniuses are preoccupied with saving (or destroying) the world you may be right. Just keep in mind there are hoards of average hackers, who are neither geniuses who are spending their time probing the entirety of the Internet. Your site and whatever else you have hanging off the Internet will be checked out many times a week.

view counter
Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.