Web hacking today is very simple to perform. The term ‘script kiddie' describes the issue well – people with only the bare minimum of hacking skills are able to easily compromise poorly protected websites for a small profit, for recognition or just for fun. It is a far cry from heap overflow exploitation in modern operating systems, where the attacker has to bypass numerous built-in protection mechanisms to execute arbitrary code on a vulnerable system.
Of course, advanced web hacking techniques exist, but unfortunately many websites contain pedestrian XSS and SQL injection vulnerabilities that can be easily exploited. Automated solutions (e.g. vulnerability scanners) can detect many types of web vulnerabilities, but are far from perfect – despite the great progress made in scanning techniques over the last decade.
SMEs usually have neither the time, the budget nor the skills to deal with their website security. Given the number of companies on the market that sell and resell products and solutions in this area, it's not surprising that many SMEs are simply overwhelmed or confused by the sheer variety of technologies available. Some IT companies claim to be experts in every possible IT security domain by reselling third-party products and solutions. Unfortunately, their preference is all too often to sell the most profitable products, rather than the most effective solution for the customer.
For large companies, web security is an even worse nightmare. A website hack can be catastrophic for a corporation's reputation, as the breach is clearly visible to everybody and is often the subject of a media frenzy followed by flaming on social networks. Infrastructure complexity, confused hierarchies and the integration of technologies from numerous vendors are the main problems for corporates. Working for SITA in 2004, I remember how complex our web infrastructure was; and the bigger the company, the more people, departments and even external companies are involved in managing corporate web applications (both internal and external).
Today I believe that the number of web applications used in large companies has multiplied ten-fold since my SITA days. All this introduces a huge headache for security departments, who have to manage hundreds of interconnected problems at once. Although the IT security budgets of corporates are large, quite often they are not spent on penetration testing and security auditing. McAfee posted an article arguing against hiring ethical hackers, but it's enough to have a look at xssed.org, which lists dozens of XSS vulnerabilities on McAfee's own websites, to understand that it may have got things a bit wrong.
Another problem that many large companies face today is pressure from top management and shareholders, who are mainly concerned with cash flow and stock market performance. Often critical web applications are publicly released before being tested at all, because the entire budget has already been spent on mobile versions, “modern” design and other tributes to fashion. Sometimes developers work 24/7 to release a new feature in a web application before a competitor does, leaving the IT security team unable to test application security in time. This is despite the fact that independent security testing should be an integral part of the software development life-cycle (SDLC).
Ultimately, the result is an ongoing increase in the number of successful web attacks against all types of websites. New laws and regulations regularly appear, but they treat the symptom rather than the cause of the problem, making the IT security team's job even more complicated.
Things will only change for the better when everybody in the company, from junior web developers to C-level executives, realises that independent website security assessment is one of their key priorities and not just an additional “nice-to-have” feature.
Contributed by Ilia Kolochenko, CEO, High-Tech Bridge