Wyatt Kash | Web app weak spots
It's hard to overstate the explosive impact Web applications have had on the way we work, conduct business and stay informed, or the economic value they have created.
However, the ad hoc evolution of Web applications has also produced something insidious: a vast array of embedded security vulnerabilities that risk undermining information systems and the enterprises that rely on them.
Until recently, most information technology administrators haven't worried as much about securing Web applications as they have their internal networks. That posture needs adjusting.
As GCN Senior Editor Joab Jackson reports in this issue, Web applications and the servers that enable them have become the new weakest link in network security by providing a foothold for hackers to gain deeper access into an enterprise's internal networks.
The SANS Institute, which researches IT security vulnerabilities and offers training courses on defending against them, has found that more than half of newly reported vulnerabilities are related to Web applications.
To gain a clearer perspective on the matter, GCN enrolled Jackson in one of the institute's weeklong classes.
Jackson's report not only provides a detailed look at how attackers break into Web sites but also, more chillingly, how they find their way into organizations' operating systems.
Several factors are contributing to the problem, he found.
As IT administrators took greater measures to lock down their operating systems, hackers had to look elsewhere for points of access.
It didn't take long to find them in Web applications. Because Web applications are usually written by application developers rather than by engineers trained in secure software design, many are riddled with security flaws.
Administrators running Sen. Barack Obama's presidential campaign Web site found that out the hard way a few weeks ago. A form on the site intended for visitor comments had not been configured to validate or encode the data submitted through it. A hacker successfully injected code through the form that, when the comment was displayed, redirected visitors to Hillary Clinton's Web site.
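The campaign-site incident is the classic shape of a comment-form injection: whatever a visitor types is stored and later written into the page for every other visitor, so markup in the comment becomes markup in the page. The following is an added illustration, not code from the campaign site or from the GCN report; the comments, the page layout and the redirect payload are constructed stand-ins for the kind of input described, not the actual string used in the attack. It renders the same comments two ways, once as the unfiltered form would have and once with HTML-escaping at output time, and checks whether the result still contains browser-executable markup.

```python
import html
import re

# Constructed sample comments. The second and third are hypothetical payloads
# standing in for the kind of injected redirect the column describes.
COMMENTS = [
    "Great speech last night!",
    '<script>window.location="https://example.org/other-campaign/"</script>',
    'Read more <a href="javascript:window.location=\'https://example.org/\'">here</a>',
]


def render_comments_unfiltered(comments):
    """The 'before' case: stored comments are dropped straight into the page,
    so a <script> tag in a comment runs in every visitor's browser."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f'<ul class="comments">{items}</ul>'


def render_comments_escaped(comments):
    """The hardened case: every comment is HTML-escaped when it is written
    into the page, so '<', '>', quotes and '&' are shown as text, not parsed
    as markup. Escaping at output time is the reliable fix; trying to strip
    'bad' tags out of the input is a blocklist that attackers routinely evade."""
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f'<ul class="comments">{items}</ul>'


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_active_markup(page_html):
    """Rough demonstration check (not a security filter): does the rendered
    page still contain a live <script> tag or a javascript: URL in an href?"""
    return bool(SCRIPT_TAG.search(page_html)) or 'href="javascript:' in page_html.lower()


if __name__ == "__main__":
    unfiltered = render_comments_unfiltered(COMMENTS)
    escaped = render_comments_escaped(COMMENTS)
    print("unfiltered page carries injected code:", contains_active_markup(unfiltered))
    print("escaped page carries injected code:   ", contains_active_markup(escaped))
    print(escaped)
```

The point of the escaped version is that the comment text is preserved exactly as the visitor typed it, including the attempted script, but the browser sees `&lt;script&gt;` and displays it rather than executing it. The same rule applies to every place user-supplied data is written into a page, not just comment forms.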
Web site abuses have been taking place for nearly as long as the Web has existed.
What's changing is the extent to which Web applications link to internal enterprise networks, and how quickly hackers have learned to penetrate those networks by exploiting Web applications. What needs to change is the degree to which IT systems administrators take a proactive role in the security of their organizations' Web sites.