
Internet programming threats here to stay

by Tom Sanders  on Feb 8, 2007
Abundance of custom code turns online apps into an attractive target.
The proliferation of online applications and services is exposing users to a new onslaught of security vulnerabilities that will be much harder to plug than those in traditional applications.

Online applications can suffer from a slew of vulnerabilities that allow attackers to steal confidential data from a server or the computer of a user that contacts the service. The most prevalent examples of such attacks are cross site scripting (XSS) and SQL injection.

Hackers in a SQL injection attack send instructions to a database for a bank or store by entering commands into online forms. In a cross site scripting attack, they submit JavaScript or other code to a website such as Gmail, Myspace or Digg. The code is then executed on the computer of each individual who visits the site.

The main problem lies in the large amount of custom code that is used to construct these applications, said Caleb Sima, chief technology officer and co-founder of SPI Dynamics, a company specializing in security for web applications.

Software vendors traditionally repair security vulnerabilities by issuing a patch to all their users. A single Windows or OS X update within days will protect millions of users. But website operators will have to manually detect and plug each vulnerability in their web application.

"Microsoft can't come out with something that says: This will solve all SQL injections," Sima told vnunet.com in an interview at the RSA Security conference in San Francisco.

Sima claimed that the company has a 99 per cent success rate at breaching the security of its clients' online applications.

"It's not the technology that is the problem. It's the implementation of the technology that is causing the security issues. People just take it and implement it without knowing what they are really doing."

Attacks against internet applications can be prevented if applications validate what is entered in online forms. This ensures that attackers can't insert single quotes and other strings that the database interprets as a command. But this too is mostly a manual task.
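To make the single-quote point concrete, here is an added example (not code from the article or from SPI Dynamics) using Python's built-in sqlite3 module and a constructed customer table: a lookup that pastes form input straight into the SQL text beside the same lookup with the value bound as a parameter, so quotes in the input stay data.

```python
import sqlite3

def make_db():
    # Constructed sample data for the example; not from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "1234"), ("bob", "5678"), ("O'Brien", "9012")])
    return conn

def lookup_vulnerable(conn, name):
    # Form input is concatenated into the SQL text, so a single quote in the
    # input ends the string literal and whatever follows is parsed as SQL.
    query = "SELECT card_last4 FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_parameterized(conn, name):
    # The driver binds the value separately from the statement text, so a
    # quote inside it is just a character of the name being searched for.
    query = "SELECT card_last4 FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]

def demo():
    conn = make_db()
    results = {}
    # 1) An ordinary name containing a quote breaks the concatenated query,
    #    because the database now sees an unterminated string literal.
    try:
        lookup_vulnerable(conn, "O'Brien")
        results["vuln_quote"] = "ok"
    except sqlite3.Error:
        results["vuln_quote"] = "syntax error"
    results["param_quote"] = lookup_parameterized(conn, "O'Brien")
    # 2) Input that closes the literal and appends an always-true condition
    #    makes the concatenated query return every row; the parameterized
    #    query simply finds no customer with that literal name.
    tautology = "x' OR '1'='1"
    results["vuln_tautology"] = lookup_vulnerable(conn, tautology)
    results["param_tautology"] = lookup_parameterized(conn, tautology)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```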

Development frameworks such as Google's Web Toolkit, the open source Dojo project or Microsoft's ASP.Net Ajax 1.0 suite can provide some solace because they provide some pre-built code that performs custom functions. Some tools also offer code scanning features that warn developers when they leave common vulnerabilities in their code, but they won't prevent all SQL injection or XSS vulnerabilities.

The code for the online software is all hosted on a company server, allowing developers to provide users with new features as soon as they have developed the code. This leads to pressure from marketing and sales to quickly release new versions without first undergoing the proper security checks.

Sima isn't entirely pessimistic however. He noted that IT executives are starting to pay more attention to the security of online applications.

But he also warned that attackers are bound to turn their attention to new technologies that are used in online applications, such as the XML Path Language (XPath), which is used to access portions of an XML document. Such a document could include the customer database or other confidential information.

"Because web services are more widely used, we will see a lot more of the web applications be vulnerable to XPath injection by the end of this year," Sima predicted.
Copyright © 2009 v3.co.uk