Web Application Security


In the latest Silver Bullet podcast Gary McGraw mentions that he feels web application security is attracting too much attention these days. In some ways I feel this observation is right, but in many ways I feel that it is dead wrong. In his book 'Hackers and Painters' Paul Graham makes a very compelling argument that most software should be available via the web. The idea is that most users don't really care about their platform, and providing software as a service frees users from all sorts of headaches. For instance, users don't have to upgrade their web based software, they don't have to worry about hardware requirements, and they don't have to hassle with DLLs or anything like that. In the end, software on the web is much more convenient for users, as companies like Google and 37signals have proven with their online offerings. It is mainly for this reason that I think Gary McGraw is wrong.

As more and more software moves online, the typical software security problems follow that software. Many of the same issues that plague desktop software plague online software, but web based software has the added complexity of being delivered over a network. This actually increases the security problems of the software in many respects. Although online software vulnerabilities lead to less exposure to machine compromise (it's tough to p0wn a user's desktop via Google Docs), they do lead to greater authorization flaws (through one gap in Google Docs you might be able to view the documents of hundreds or thousands of users). So while the risk of a botnet explosion through a web based application is lower, the risk of data compromise is much higher.
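The authorization gap described above, as an added example that is not part of the original post: a document-fetch handler in Python with the ownership check missing, beside the same handler with an object-level check that ties the requested id to the requesting user. The store, user names and function names are constructed for illustration.

```python
# Added example (not from the original post): a minimal document-fetch handler
# showing the horizontal authorization flaw the post describes, beside the
# fixed version that checks ownership. All data below is constructed inline.
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str
    shared_with: set = field(default_factory=set)


# Constructed sample store: sequential ids make enumeration trivial.
DOCS = {
    1: Document(1, "alice", "alice's quarterly numbers"),
    2: Document(2, "bob", "bob's draft contract"),
    3: Document(3, "carol", "carol's notes", shared_with={"alice"}),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the document."""


def get_document_vulnerable(current_user: str, doc_id: int) -> str:
    """Looks up the document by id only. Authentication happened upstream,
    but nothing ties the requested id to the requesting user, so any
    logged-in user can read every document just by varying doc_id."""
    return DOCS[doc_id].body


def get_document(current_user: str, doc_id: int) -> str:
    """Same lookup, with an explicit object-level authorization check:
    the caller must own the document or be on its share list."""
    doc = DOCS.get(doc_id)
    # Missing and forbidden look identical to the caller, so the response
    # does not reveal which ids exist.
    if doc is None or (doc.owner != current_user and current_user not in doc.shared_with):
        raise Forbidden(f"user {current_user!r} may not read document {doc_id}")
    return doc.body


def readable_documents(current_user: str) -> list:
    """Ids a user can read under the checked handler; handy as a regression
    test that the check matches the intended sharing model."""
    out = []
    for doc_id in DOCS:
        try:
            get_document(current_user, doc_id)
            out.append(doc_id)
        except Forbidden:
            pass
    return out
```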

Added to these shifting stakes is the fact that online software is a relatively new and evolving field. As developers push the envelope of services that browsers can offer, they also introduce new and subtle security holes. For this reason I think devoting time and energy to securing web based applications is completely justified. Although there are a host of automated tools available for auditing web applications, many of these fall short. They certainly check for the low hanging fruit, but the subtle flaws introduced by logic or protocol are difficult to test for using automation.

Many companies are rushing to increase their online services. As cloud computing gains traction as a buzzword and as an implementation, more and more data is being pushed onto the network. Users are abandoning their bloated desktop operating systems and clients for a simple web browser, and as users shift, so does security. The rapid development in the field and the expanding user base provide a ripe target for attackers. With an online service attackers can compromise a user's data 24/7, not just when they're reading e-mail or have their home computer powered on and online.

Not only is the range of exposure growing, so is the difficulty of detecting attacks. Many web based attacks resemble legitimate traffic in many ways. Distinguishing malicious traffic from a valid request is difficult, especially due to the stateless nature of HTTP.

For all of these reasons I have to conclude that, if anything, web security should be moved more solidly into the limelight. Yes, other areas deserve attention and I'm not advocating shifting resources away from other critical fields in order to protect web applications, but now that an attacker merely needs a web browser and not a C compiler to exploit services, we're probably going to see a sharp uptick in malicious activity. Organizations must be prepared to respond to these threats, and devote appropriate resources to web security.