Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Five Web Application Security Myths

Many Companies fail to Make the First Step Towards Security because of Misconceptions and Security Myths

Many Companies fail to Make the First Step Towards Security because of Misconceptions and Security Myths

Protecting your website from hackers is tough. The battle between the good guys (you) and the bad guys (the hackers) is an ever escalating war where a misstep on your part may mean a breached site. But, many companies fail to even make the first step towards security because of misconceptions and security myths, either believing simple security protections are sufficient or thinking they really do not have to worry about hackers. The following notes cover some web security myths.

Application Security1. SSL is The Panacea of All Security

2. Security Through Obscurity

3. Not Worth The Trouble – Nothing to Steal

4. The Totally Secure Website

5. Hackers Are Just Geniuses Gone Bad

1. SSL is The Panacea of All Security

Secure Sockets Layer (SSL) is probably the best know and least understood web security measure in our protection arsenal. As you may know, SSL is a means of encrypting data passing between your browser and web server. When you are conducting private transactions (i.e., financial, medical), your transmitted data does need to be encrypted, or it can be easily read by anyone who ‘sniffs’ your information along the way.

Advertisement. Scroll to continue reading.

While an argument can be made that SSL (encrypted data) was the single most important technology piece in the growth of the internet as the transactional system is today; one cannot extend that premise to say it is the only technology piece that is required.

The myth behind SSL is the prevalent belief that SSL is all there is for web security – keep the bad guys from looking at my transmitted data and I’m OK. The thinking goes to say, as long as the bad guys cannot read data being sent between your browser and web server, all is safe. Unfortunately, this is like saying your home privacy is safe as long as no one can tap into your telephone line. What about your door locks, cleaning people who might spend every Tuesday at your home (perhaps alone), or the credit card information you put to the curb every month?

So, yes, SSL is essential to Web security, but is only a small part of the total picture. SSL will not solve your security concerns.

2. Security through Obscurity

Many people believe their website is such a small fish in the Internet ocean that no respectable hacker would lower himself to even take a look. The problem is that the hackers, usually script kiddies running automated tools, are looking at everyone’s websites – if for no other reason than it is simply easy to do. Your site, whether it is Bank of America or just a site displaying your collection of Beanie Babies, is always being probed by hackers using scripts.

If your site has any vulnerabilities, and it probably does, automated tools will find and flag your site, setting you up for a live person visit it the near future. Who knows, maybe your website really doesn’t have any value, or maybe the underlying SQL database on your server is fertile ground for identity theft information. It’s fair game, and as far as automated scripts are concerned, just as valuable as your online banking site.

But whatever you do, do not believe the size of the ocean makes a difference to the hackers. The sharks have you covered, however small you might be.

3. Not Worth The Trouble – There’s Nothing to Steal

There’s a lot to be said about my kid’s ‘98 Nissan Maxima. It runs great and gets her around. Perhaps even better is the fact that no one is ever going to go out of their way to steal it – there is just not a lot of demand for the old Maxima on the black market.

So, like your fluffy company brochure site, you have to ask yourself whether it’s worth the trouble to lock it up. But, thinking about the Nissan again; would you leave the keys in it (nope, joy ride bait) or leave your laptop on the backseat (the thieves will go after your computer, the Nissan’s window will just be collateral damage) just because no one wants to steal the car?

The point being, of course, is that it’s not the car (or your web site) that’s in danger; it’s all the secondary pieces that will cause you the pain.

The most obvious peripheral risk surrounding your site is the database under the site (all webs sites require a database to store the website software) which might contain much more information than just pictures of your kids. Perhaps that same database contains your financial information, or personal data that might be used for identify theft. In either case, if your site does get hacked, you may be giving up a lot more than just the website source code.

The far more subtle risk to any web site hack is the undetected changes the hacker might make to your site without your knowledge. Many sites, even the ones that appear to have little commercial value, run the risk of being turned into a malware distribution point – anyone who visits your site may end up living their PC life as an unknowing zombie.

Or your server may be turned into Command and Control point of a botnet army.

Your website and server may seem to be of little value, except in the wrong hands, in which case it may be extremely valuable to cyber criminals.

4. The Totally Secure Website

It’s a given that, however much money, time and technology you have, your website will never be 100% secure. The brutal fact is that in a world of good and bad guys duking it out in cyber space, your website will eventually fall prey in the endless one-upmanship battles.

Hackers are constantly looking for and discovering security flaws in systems that were once thought secure. The time between these discoveries and the required patch software will make you vulnerable for a successful attack. Make no mistake, hackers have already probed your systems, characterized your software and are poised to take advantage of any zero-day vulnerabilities that might open you up.

Keep in mind the fact that Internet giants like Epsilon, Lockheed and the DOW Stock Exchange have been successfully breached – it is an adage in the security world that if someone wants your data bad enough, they will eventually get it.

But, even though total website security is a myth don’t think you shouldn’t try. Hacker skills range from inept script kiddies running downloaded programs to teams of well funded hackers supported by foreign nations. Your goal should be to get yourself as far up the food chain as possible by making your website as secure as possible – the script kiddies will bounce off, and chances are China is spending its time stealing state secrets.

5. Hackers Are Just Geniuses Gone Bad

Who can watch NCIS and not believe that hackers (white and black hats) are not absolute geniuses with the ability to hack into any government website in just a matter of minutes, perhaps an hour if it is a foreign government?

While there may be a few of these super hackers around, it turns out the majority of the folks stalking the Internet are just script kiddies using easily downloaded tools to automatically probe and attack websites. The Xbox’er turned hacker will view your site as yet another computer game with bragging rights when he grabs your data or turns your site into a subtle weapon.

So, if you’re betting those hacker geniuses are preoccupied with saving (or destroying) the world you may be right. Just keep in mind there are hoards of average hackers, who are neither geniuses who are spending their time probing the entirety of the Internet. Your site and whatever else you have hanging off the Internet will be checked out many times a week.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.