Monday 19 April 2010

No surprises in the OWASP 2010 tail – Injection remains the number-one stinging risk in 2010

OWASP have released their 2010 “top 10” Application Security Risks. Topping the list (again) is the “Injection” risk. People involved in both application security and database security will not be surprised. The world is awash with applications, each poorly engineered in its own individual way. It is an easy mistake to make, but very difficult to rectify without good tools and technologies to deploy.

Comparing this year’s results with those from 2007 shows that the top three risks remain unchanged: 1. Injection; 2. Cross-Site Scripting (XSS); 3. Broken Authentication and Session Management. New entrants to the list are Security Misconfiguration, ranked sixth, and Unvalidated Redirects and Forwards, coming in at the bottom of the list.

It is interesting that security misconfiguration is a rising risk. It seems that system owners are at least trying to use security features, but are failing to get them right. Getting any security system just right without disturbing the business is notoriously difficult.

Even more difficult is retrofitting security into an enterprise application environment which has a complex array of components – each tailored to the business. Good application security requires strong knowledge of how the application operates, combined with the ability to accurately prevent (or block) out-of-policy interactions. For example, protecting a database from a poorly written web-facing application requires a firewall that can determine that a query is inappropriate and stop it from ever reaching the database.
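To make the database-firewall idea concrete, here is an added example (not code from the original post or from any product it alludes to). It reduces each SQL statement to a fingerprint with literals replaced by placeholders, and lets through only statements whose fingerprint matches one the application is known to issue. An injected value changes the shape of the statement, so its fingerprint no longer matches and the query is stopped before the database sees it; a correctly parameterised statement keeps its shape whatever the input. The table, the allow-list and the sample input are constructed for illustration.

```python
"""Added example: a minimal query-fingerprint firewall in front of SQLite.
Table names, the allow-list and all inputs below are constructed."""
import re
import sqlite3

# Strings first (so quoted text cannot hide a fake comment), then comments,
# then bare numbers, then whitespace and case normalisation.
_STRING = re.compile(r"'(?:[^']|'')*'")
_COMMENT = re.compile(r"(--[^\n]*|/\*.*?\*/)", re.S)
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_WS = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', comments vanish."""
    s = _STRING.sub("?", sql)
    s = _COMMENT.sub(" ", s)
    s = _NUMBER.sub("?", s)
    return _WS.sub(" ", s).strip().lower()


class QueryFirewall:
    """Allow only statement shapes learned from the application's own queries."""

    def __init__(self, allowed_sql):
        self.allowed = {fingerprint(q) for q in allowed_sql}
        self.blocked = []  # fingerprints of statements that were refused

    def check(self, sql: str) -> bool:
        fp = fingerprint(sql)
        if fp in self.allowed:
            return True
        self.blocked.append(fp)
        return False


# Constructed allow-list: the statements this (hypothetical) application issues.
ALLOWED = [
    "SELECT id, name FROM users WHERE name = ?",
    "INSERT INTO audit(user_id, action) VALUES (?, ?)",
]


def run_query(conn, fw, sql, params=()):
    """Apply the policy, then execute. Returns rows, or None if the query was blocked."""
    if not fw.check(sql):
        return None
    return conn.execute(sql, params).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    fw = QueryFirewall(ALLOWED)
    hostile = "x' OR '1'='1"  # constructed tautology input

    # Badly written application: string concatenation. A benign value still works...
    benign = run_query(conn, fw, "SELECT id, name FROM users WHERE name = '%s'" % "alice")
    # ...but the hostile value changes the statement's shape, so it never reaches SQLite.
    injected = run_query(conn, fw, "SELECT id, name FROM users WHERE name = '%s'" % hostile)
    # Correctly written application: bound parameter; the shape is identical to the
    # allow-list entry, and the hostile text is just a name that matches nobody.
    bound = run_query(conn, fw, "SELECT id, name FROM users WHERE name = ?", (hostile,))
    return {"benign": benign, "injected": injected, "bound": bound, "blocked": list(fw.blocked)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The allow-list is the "strong knowledge of how the application operates" the post refers to: in practice it is learned by recording fingerprints during testing, and anything outside it is logged and dropped. The fingerprint is deliberately crude (no real SQL parser), which is enough to show the principle but would need a proper parser to handle dialect-specific quoting and comments.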

One does not need a crystal ball to forecast next year’s winner of the list!

Sunday 11 April 2010

Modern espionage, social media and the cloud

Reports are emerging of another attack on government computers, this one by a group in China that targeted networks in India and other countries. Among the data the hackers obtained is information on missile systems and on relations between governments, as well as correspondence from the Dalai Lama’s office.

The researchers who identified and tracked the hackers’ actions have identified social media as the main means of infiltrating the networks. In the report, the researchers point to Twitter accounts, Yahoo Mail accounts, Google Groups and Blogspot blogs as among the hackers’ infrastructure. Compounding the problem is that some of these networks used cloud configurations, which the report alleges provide a “powerful mode of infiltrating targets who have become accustomed to clicking on links.”

What the researchers are also clear about – and perhaps the most alarming aspect – is that there is no way to track exactly what the attackers did once on the networks. Not being able to know the state of the data at any time is the key to this hack, rather than the security vulnerabilities of the cloud infrastructure or of social networking. We have advocated a security defense from the inside out, rather than the commonly accepted firewall-to-database approach.

In this threat environment, governments and others in the public sector will be targets. Quite simply put, the information that they hold is valuable to someone, and the hackers know this. What the report should signal to all groups holding sensitive information is to assume that your network will be infiltrated. What information will be at risk, and how will you know if it is being accessed inappropriately? Knowing the answers could mean the difference between data protection and a devastating hack.
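One way to start answering "how will you know if it is being accessed inappropriately?" is to review the database's own audit trail against a written entitlement policy, so that access to sensitive data is judged from the inside rather than at the perimeter. The following is an added example, not code from the original post: the log format, the table names, the roles, the hosts and the sample lines are all constructed for illustration.

```python
"""Added example: reviewing a constructed database audit trail for access to
sensitive tables that falls outside a stated entitlement policy."""
from dataclasses import dataclass
from datetime import datetime

# Constructed policy: which tables hold sensitive data and which roles may read them.
SENSITIVE = {
    "correspondence": {"secretariat"},
    "missile_specs": {"engineering"},
}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time
BULK_ROWS = 1000               # interactive users rarely read this many rows at once


@dataclass
class Event:
    ts: datetime
    user: str
    role: str
    table: str
    rows: int
    src: str


def parse(line: str) -> Event:
    """Constructed format: ISO timestamp, user, role, table, rows read, source host."""
    ts, user, role, table, rows, src = line.split()
    return Event(datetime.fromisoformat(ts), user, role, table, int(rows), src)


def review(lines, known_hosts):
    """Return (user, table, reasons) for every sensitive-table read that breaks policy."""
    findings = []
    for ev in map(parse, lines):
        if ev.table not in SENSITIVE:
            continue  # only sensitive data is in scope for this review
        reasons = []
        if ev.role not in SENSITIVE[ev.table]:
            reasons.append("role not entitled")
        if ev.ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if ev.rows >= BULK_ROWS:
            reasons.append("bulk read")
        if ev.src not in known_hosts:
            reasons.append("unknown source host")
        if reasons:
            findings.append((ev.user, ev.table, reasons))
    return findings


# Constructed audit lines: two routine reads, one off-hours bulk read by an
# unentitled role, and one entitled read from a host the inventory does not know.
LOG = """\
2010-04-09T10:12:03 asmith secretariat correspondence 12 ws-017
2010-04-09T11:40:55 jdoe engineering missile_specs 3 ws-042
2010-04-10T02:17:44 jdoe engineering correspondence 2400 ws-042
2010-04-10T09:05:21 asmith secretariat correspondence 40 10.0.9.77
""".splitlines()
KNOWN_HOSTS = {"ws-017", "ws-042"}  # constructed workstation inventory


def run_review():
    return review(LOG, KNOWN_HOSTS)


if __name__ == "__main__":
    for user, table, reasons in run_review():
        print(f"{user} read {table}: {', '.join(reasons)}")
```

The checks are deliberately simple entitlement and behaviour rules; their value comes from being applied to the data store's own record of reads, which is exactly the view the report says was missing. An entitled user on an unknown host is flagged as well, since stolen credentials look legitimate everywhere except in where they are used from.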