Chief Security Officer White Paper Series for SPI Dynamics

CSO White Paper Series
Layer Seven: The Future of Vulnerabilities
Featuring SPI Dynamics WebInspect™

By Jim Reavis
September, 2003
Copyright 2003, Reavis Consulting Group

Table of Contents

Introduction
The Future of Security Vulnerabilities
Vulnerability Assessment - The Proactive Approach to Security
Web System Application Assessment - the Cure for Layer 7 Ills
Introduction to WebInspect by SPI Dynamics
Summary
References

Introduction

This paper provides a survey of the different types of computer vulnerabilities and explains why Layer 7 or application vulnerabilities are the emerging trend for hacker exploits. The paper further explains how SPI Dynamics web application assessment software utilizes new technology that makes it superior to traditional vulnerability assessment tools, and explores how this technology can solve the Layer 7 vulnerability problem.
The reader will learn:

- How the nature of computer system vulnerabilities is changing
- The definition of Layer 7 or application vulnerabilities
- How the web browser is the most dangerous hacking tool
- The importance of proactive security measures
- The key factors for successful web vulnerability assessment
- An introduction to SPI Dynamics' WebInspect Enterprise Edition
- How WebInspect can provide protection against Layer 7 vulnerabilities

The Future of Security Vulnerabilities

Security and the protection of digital assets is a key enabler of our information-driven economy. The information security industry has evolved from a niche corner of Information Technology to something that pervades the industry itself. Despite this increased attention to security, the complexity of our information systems and our reliance upon them creates a fragility that adds up to risk to organizations of all sizes.

Vulnerabilities are inherent in nearly everything, and computer systems are no exception. Software vulnerabilities have many different origins. In some cases, a coding standard can be poorly written, causing all software written to these specifications to be faulty. Bugs are an inevitable reality of the software development process, and some of these bugs can create serious vulnerabilities. Additional vulnerabilities are introduced when a system is installed, configured and customized for individual use. Basically, any stage during the software development and usage lifecycles creates risk for the introduction of vulnerabilities. Some vulnerabilities are innocuous and some can be critical in nature. Identifying the key risks and their solutions is one of the most critical aspects of information security best practices.
Research has historically shown that successful malicious penetrations of computer systems and well known worms and viruses have been based upon known vulnerabilities. SQL Slammer was based upon a SQL vulnerability known six months in advance. The recent MSBlaster worm was based upon a highly publicized vulnerability, MS03-026. We would describe these as static, network layer vulnerabilities. They are known quantities, they are uniform across systems with a specific software revision level, and they are often installed with default, insecure settings.

While exploitation of static vulnerabilities has been the history of computer security, trends point to a greater portion of future threats being based upon dynamic application layer vulnerabilities. We define application layer vulnerabilities as:

"Weaknesses created by the integration of one or more application components, including in-house custom programming, operating systems, databases, web pages and middleware. These vulnerabilities are potentially unique to each integrated system and can be added and removed dynamically with each change to any system component."

We have already seen many instances of successful exploitation of application layer vulnerabilities by the hacker community, and in fact many of the more famous breaches of web sites that allowed sensitive information to be stolen have used this method of entry.

We believe one early indicator of the rise in application vulnerabilities is an analysis of the statistical trends reported by CERT, out of Carnegie Mellon. While the rate of increase in security incidents has historically tracked closely with the rate of vendor-reported vulnerabilities, in 2003 for the first time we are seeing the growth of security incidents far outpacing reported vulnerabilities.

[Figure: Vulnerabilities vs Incidents, 2000 to 2003 (Est), showing the Incidents and Vulnerabilities series. Source: CERT]
We believe that unreported application vulnerabilities account for a significant portion of this discrepancy, and believe that this type of attack will comprise an ever increasing portion of the overall threat profile in organizations of all types.

Vendor efforts to reduce vulnerabilities

Software vendors are taking secure software development much more seriously than in previous years and are building more security into the architecture, are training developers in secure coding practices and are beginning to perform more rigorous security QA testing. Future software development models are predicted to be more focused on assembling and integrating components than line by line coding, reducing some of the human error caused by individual programmers. The nascent software patch and configuration management markets are making steady progress in automating the deployment of the latest fixes and policies to reduce the threat from static known vulnerabilities.

Developing secure software has run counter to the business drivers that cause vendors to release products too quickly. This will always be a source of tension, but security is slowly gaining the upper hand for several reasons: governments are increasingly demanding that software pass rigorous security certifications such as Common Criteria in order to be used in sensitive government locations. Many people within government, consumer advocacy and legal groups are pushing to hold vendors liable for damages arising from insecure software. Most importantly, vendors are beginning to see that providing secure software will in the long term improve customer satisfaction, decrease support costs and improve their market position.

Commercial software will never be perfect, but we are seeing tangible improvements in hardening code. This practice will not cause hackers to give up. Instead, they will find indirect methods of attack - such as exploiting application vulnerabilities - to be simpler and more fruitful.

Leaky Online Stores: the Peril of Web Application Vulnerabilities

A recent headline from SecurityFocus provides a cautionary tale of the risks of web application security and the value of SPI Dynamics' WebInspect.

In June 2003, Pet Supply retailer PetCo was found to have a web application vulnerability known as SQL Injection, which left as many as a half million credit card numbers exposed to any web browser that constructed a special URL request. PetCo was able to close the hole before any data was compromised after being notified of the vulnerability by 20 year old programmer Jeremiah Jacks. According to the news report, Jacks used Google to discover PetCo web pages accepting user input, then tested SQL database queries on the pages. "It took me less than a minute to find a web page that was vulnerable", the article quoted Jacks as saying. The article went on to say that the issue "... underscores the difficulty of securing e-commerce storefronts, which often run on code that's been customized, or written from scratch". Jacks said, "It's not [a problem] that's waiting for Microsoft to issue a patch".

WebInspect automatically searches an entire web site for pages accepting user input and identifies any of these pages which allow invalid data, preventing this type of compromise from ever occurring.

Reduced requirements for web hacking tools

Traditionally, successful hacking requires both intelligence and access to a toolkit of hacking software. Web application vulnerabilities can be exploited by the web browser itself.
By manipulating the URL command line, hackers can break into web servers and web applications via application vulnerabilities and access backend databases, which may contain sensitive and critical business information such as customer lists, credit card numbers and other personally identifiable information. Even inexperienced hackers have the potential to exploit a web application or server by following an error message caused by faulty application logic. With web application vulnerabilities, every desktop PC, Internet kiosk and PDA in the world has the perfect hacking tool installed by default!

In summary, the increased vendor focus on improving software quality, innovations in systems management to maintain secure configurations, and the pervasive availability of web hacking tools are changing the face of computer vulnerabilities. These major trends are converging to make Layer 7, or application vulnerabilities, the path of least resistance for malicious activity. It is not enough to keep up with vendor updates and periodically audit systems. To counter the Layer 7 threat, organizations must place an emphasis on the aggregate security provided by integrated systems, and pay attention to when and where they customize systems to solve their business problems. This is particularly true for the most pervasive application of all, the World Wide Web.

Vulnerability Assessment - The Proactive Approach to Security

Knowing that both static and dynamic vulnerabilities are a permanent part of the security landscape, we must make decisions about how we are going to respond to these threats. Best practices hold that a layered, defense-in-depth approach to mitigating security threats is ideal. Risk management methodologies are then used to determine the business cost of security threats in order to help Chief Security Officers make decisions about where to deploy scarce resources and make investments in order to optimize this defense.
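The Layer 7 weakness behind the PetCo sidebar and the URL-manipulation discussion above, shown as an added example that is not code from the paper or from SPI Dynamics: a catalogue lookup that pastes a URL parameter into its SQL text, beside the parameterized and input-validated forms, with the kind of "does this page accept invalid data?" check an assessment performs. The product table, SKU format and probe value are all constructed for illustration; the store is an in-memory SQLite database.

```python
import re
import sqlite3

# Allow-list for this (constructed) catalogue's SKU format, e.g. "CAT-200".
SKU_PATTERN = re.compile(r"^[A-Z]{2,5}-\d{3}$")


def make_store():
    # Constructed sample data standing in for an online store's catalogue.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, internal_cost REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("DOG-100", "Dog food 10kg", 12.50),
        ("CAT-200", "Cat litter", 4.10),
        ("FISH-300", "Aquarium filter", 19.99),
    ])
    return conn


def lookup_vulnerable(conn, sku):
    # The Layer 7 mistake: the URL parameter is pasted into the SQL text, so
    # whoever writes the request, not the developer, decides what the query is.
    sql = "SELECT sku, name FROM products WHERE sku = '" + sku + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, sku):
    # Hardened form: the value is bound as data and cannot alter the query
    # structure, whatever characters it contains.
    sql = "SELECT sku, name FROM products WHERE sku = ?"
    return conn.execute(sql, (sku,)).fetchall()


def lookup_validated(conn, sku):
    # Defense in depth: reject input that is not shaped like a SKU before it
    # reaches the database, and still bind it as a parameter.
    if not SKU_PATTERN.match(sku):
        return []
    return lookup_parameterized(conn, sku)


def accepts_invalid_data(lookup, conn):
    """Acceptance check of the kind an assessment performs on a page taking
    user input: a value that can match no real SKU must return no rows. Rows
    coming back means the input is influencing the query's structure."""
    probe = "' OR 'a'='a"  # constructed probe; no real SKU contains a quote
    return len(lookup(conn, probe)) > 0


if __name__ == "__main__":
    conn = make_store()
    for name, fn in [("vulnerable", lookup_vulnerable),
                     ("parameterized", lookup_parameterized),
                     ("validated", lookup_validated)]:
        print(f"{name:13s} accepts invalid data: {accepts_invalid_data(fn, conn)}")
```

Only the first lookup returns rows for the probe; note that the vulnerable version answers the probe with the entire table, which is the "special URL request" exposure the sidebar describes.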
Information security has historically been viewed as operational overhead, and Return on Investment (ROI) models are immature. However, the emerging viewpoint is that proactive processes and technologies that increase a system's resilience to attacks provide superior ROI to reactive processes and technologies that respond to attacks. We will always need both sides; however, it is better to preempt attacks than to perform damage control.

The most important part of a proactive, preemptive strategy is vulnerability assessment. Vulnerability assessment in theory is supposed to identify critical weaknesses in computing systems and provide the best solutions to mitigate these threats. Vulnerability assessment's ability to provide ROI depends upon the following factors:

- Accuracy in identifying critical vulnerabilities
- Predicting vulnerabilities that are likely to be exploited
- Providing useful remediation and mitigation steps for important vulnerabilities
- Frequency in repeating assessments "on demand" to reduce the window of exposure

Web System Application Assessment - the Cure for Layer 7 Ills

Web system application assessment builds upon traditional vulnerability assessment to provide capabilities to identify the previously mentioned web application vulnerabilities. The scanning technology that supports traditional vulnerability assessment performs fairly basic pattern matching. On the other hand, testing for web application assessment requires a significant technology leap into heuristics, as the totality of each web server is completely different from every other web server in existence.
To summarize, web system application assessment requires new capabilities:

- Ability to identify dynamic "unique" vulnerabilities using adaptive and behavioral techniques, as well as standard "static" vulnerabilities
- Map the entire web system, including all links, proprietary code and connections to data sources
- Automation of tests to completely assess large web servers in a short amount of time

As we will see, one web application assessment technology, WebInspect from SPI Dynamics, has the ability to solve this problem.

Introduction to the WebInspect Product Line from SPI Dynamics

SPI Dynamics' WebInspect products are powerful tools for assessing the comprehensive security posture of web serving systems and applications. WebInspect products identify both the known vulnerabilities common to the chosen technology components and the critical vulnerabilities unique to that integrated system, and provide detailed remediation reports. WebInspect products combine signature-based scanning for static "known" vulnerabilities with adaptive heuristics technology, allowing them to identify vulnerabilities unique to those web applications, whether coming from proprietary applications, configuration mistakes or an improper network architecture.

WebInspect products work in the following way:

- Completely identifying all vendor-provided components of a web server, including operating system, web server type, middleware, database and any other key component.
- Identifying static known vendor vulnerabilities.
- Finding unique and unknown application vulnerabilities.
- Finding misconfiguration mistakes.
- Completely mapping all areas of the web site, including both public and private areas, and identifying proprietary applications and other technology.
- Executing adaptive testing technology that learns how the web application is supposed to operate and identifying unique vulnerabilities.
- Providing vulnerability remediation reports including application code fixes.

Essentially, the WebInspect technology is functioning like a thousand "application hackers on steroids" and is finding shortcuts, error messages, web forms and many other hidden problems that a hacker can exploit. Developers assume everyone will use a website correctly - WebInspect does not. WebInspect tests the site in counterintuitive ways to identify unique vulnerabilities in the same way that a hacker might, and performs these tests automatically - providing comprehensive vulnerability reporting in an extremely short amount of time.

Because WebInspect does complete hierarchical mapping and follows local links, it is not merely checking the web application and server integrity but will uncover problems in related machines such as database servers referenced by the web application. Therefore, WebInspect is verifying the soundness of the complete web serving system, including all the weakest links.

The Price of Unprotected Customer Data

On June 18, 2003, the FTC announced a settlement with clothing retailer Guess Inc, over insecure web site practices. In February 2002, web application vulnerabilities at Guess.com were found to reveal its customers' personal information in plain text. As part of the settlement, Guess must implement a comprehensive web security program and must submit to an independent security audit every two years for the length of the 20 year settlement. Whether through legal sanction, hacker compromise or loss of customer trust, web application vulnerabilities can be prohibitively expensive. WebInspect identifies these threats before anyone else has the opportunity to find them.
WebInspect is designed with a customizable interface for experts as well as novices, recognizing that a diverse set of users will be very interested in assessing web server security. Application developers, webmasters, security engineers, quality assurance professionals, e-business managers and consultants specializing in security testing all have the need for this type of technology.

Summary

Layer 7, or application vulnerabilities, are on the rise and are providing hackers with a path of least resistance in damaging computer systems and stealing information. Web server applications are the leading target of this new type of threat. Only by performing vulnerability assessments customized specifically to this threat can we provide assurance that web servers are immune to these risks. Unfortunately, this is an area that is either ignored by most organizations or checked manually, which provides only limited results. We recommend that all Chief Security Officers develop a program for adding the automated assessment of web serving systems and applications to their core best practices for Risk Management. We further believe that WebInspect from SPI Dynamics provides the optimal solution for curing the Layer 7 vulnerability problem.

References

Carnegie Mellon, "CERT/CC Statistics 1988-2003", July 15, 2003. http://www.cert.org/stats/cert_stats.html

ComputerWorld, "FTC Settles with Guess on Web Vulnerabilities", June 19, 2003. http://www.computerworld.com/securitytopics/security/story/0,10801,82309,00.html

SecurityFocus, "PetCo Plugs Credit Card Leaks", June 30, 2003. http://www.securityfocus.com/news/6194

About

The CSOinformer™ White Paper Series is a service of Reavis Consulting Group. All content, unless otherwise noted, is the sole property of Reavis Consulting Group.
Please send all inquiries to:

Reavis Consulting Group
2553 Crescent St
Ferndale, WA 98248
(360) 739-9629
(360) 380-1119 Fax
www.reavis.org
www.csoinformer.com
research@csoinformer.com