Regardless of the target, motive or vector, Web attacks seek to exploit the connectivity, complexity and extensibility of the Internet. A lack of input validation, poor database configuration and the prioritising of new features over security enable attackers to reach sensitive information.
The connectivity of the Internet is a blessing and a curse. HTTP is allowed through virtually every network firewall, which exposes the network to external attackers. HTTP is also a very open protocol, often carrying XML and SOAP payloads to support Web service functions. The explosion of Web 2.0 architectures has shattered the traditional network boundaries, making it even more challenging to secure Web input and output.
Underscoring these issues is the fact that many internal databases are now becoming "Webified" and accessible to external users. Properly configured databases and careful SQL construction are critical. Developers who are not trained in secure coding put too much trust in user input. It is this lack of input validation that enables mass SQL injection bots to attack databases successfully.
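As an added illustration of the two points above (trusting user input, and how the SQL is constructed), the following example is not from the original post; it uses an in-memory SQLite table with constructed sample rows and contrasts a lookup that splices the input into the query text with one that binds it as a parameter and validates it against an allow-list first.

```python
import re
import sqlite3

# Constructed sample table (not a real database) for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_concatenated(conn, username):
    # Vulnerable pattern: the input is spliced into the SQL text, so any
    # quote or operator it contains becomes part of the query structure.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def is_valid_username(username):
    # Allow-list validation: the only characters a username may contain.
    # The pattern is an assumption for this example, not a rule from the post.
    return re.fullmatch(r"[a-z0-9_]{1,32}", username) is not None

def lookup_parameterized(conn, username):
    # Hardened pattern: reject input that fails validation, then let the
    # driver bind the value separately from the SQL text, so it is only
    # ever compared as data and never parsed as SQL.
    if not is_valid_username(username):
        return []
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def demo():
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # constructed input carrying a quote and an OR clause
    return {
        "concat_normal": lookup_concatenated(conn, normal),
        "concat_hostile": lookup_concatenated(conn, hostile),   # returns every row
        "param_normal": lookup_parameterized(conn, normal),
        "param_hostile": lookup_parameterized(conn, hostile),   # returns nothing
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```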
Finally, the extensibility of Web applications leads to greater vulnerability, since features usually take priority over security. All too often "scope creep" comes into play as new widgets, bells and whistles are added in the midst of the software development life cycle. These additions should require a security review, but this rarely happens. A common complaint heard from Web application security professionals is that adding security to an application under development is like trying to change a tire on a car that is still moving.