Programming: The Heart of Web Security

Date July 2, 2005

1 The Vulnerability of Web Applications

Information and data transmission system security holds a place of ever-growing importance in today’s world. The expansion of the Web has provided businesses with an ideal platform for introducing and promoting their products and services.

The Web is accessible to all, being both easy to use and widespread. It frequently supplies the responsiveness necessary in today’s business environment. The emergence of portal sites, which bring together professionals in a given sector or industry, provides an essential tool for decision-making and communication among partners.

But to the extent that companies conduct their strategic activities (communication, promotion, commercialization, organization) on the Internet, they expose their actions, and the risks of being hacked become significant. The range of possibilities open to hackers is expanding to the point that certain business fundamentals, in particular confidentiality and integrity, are being challenged.

Let us now review the reasons why such security problems have arisen, the stakes involved, and some examples of possible security flaws.

1.1 Why Are There Web Security Flaws?
Web security flaws may be caused by server configuration problems, poor design, and/or poor programming of web site scripts.

The Web as we know it today is quite recent. The probability of programming errors has expanded with the profusion of programming languages and with the growing functional demands for commercial websites that are rich in content and constantly seeking to add variety and new services. Moreover, the pace of new development in this medium shows no signs of slowing. Companies must be quick to recruit information specialists, often with the result that they hire personnel who have little experience, and even less knowledge, of security problems.

In fact, few professionals today have both development competence and security expertise.

A host of factors accounts for the frequency with which security flaws are encountered.

1.2 The Stakes and the Risks
Many different types of flaws may be found on a website, and they are equally diverse in terms of the dangers that they represent. But all of them merit attention, because each can contribute to major problems.

Let us now turn to a review of the various types of security flaws, ranging from the least to the most severe:

Flaws That Reveal Information
Such flaws constitute the least of the problems that one might encounter, but their consequences can become extremely serious. An error of this type returns more information to the hacker than is appropriate. The hacker then uses that information as a basis to discover other, potentially more severe, problems.

Flaws of this type include file-system paths disclosed in an error message returned on a page, and errors returned by a script (a stack trace, the name of the failing function, or the exact input that broke it), which help the hacker to understand how the targeted script functions.

This category also includes certain Web server configuration errors, such as access to certain site directory listings (which reveal a great deal of information and which also allow sensitive files to be downloaded directly).
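The two disclosure flaws described above, as an added example that is not code from the original article: a minimal request handler written twice, once leaking the script's traceback to the client and once returning a generic message while logging the detail server-side, followed by a static-file function with directory listing enabled beside the same function with it disabled. The in-memory customer table and static tree are constructed for the example; the handler and function names are assumptions, not a real framework's API.

```python
import logging
import traceback

# Constructed example, not code from the original article. The handlers
# return (status, body) tuples so the difference in what reaches the client
# can be checked directly.

log = logging.getLogger("webapp")

# Constructed in-memory table standing in for the site's customer file.
CUSTOMERS = {"1001": "Alice", "1002": "Bob"}


def lookup_customer(customer_id: str) -> str:
    """Business logic that raises KeyError on an unknown id."""
    return CUSTOMERS[customer_id]


def leaky_handler(query: dict) -> tuple[int, str]:
    """Flaw that reveals information: the full traceback goes to the client.

    The hacker learns the function names, the data structure being consulted
    and the exact input that broke it, all for the price of one bad request.
    """
    try:
        name = lookup_customer(query["id"])
        return 200, f"Customer: {name}"
    except Exception:
        return 500, "Internal error:\n" + traceback.format_exc()


def hardened_handler(query: dict) -> tuple[int, str]:
    """Same logic; detail stays in the server log, the client gets a generic
    message, and malformed input is rejected before it can raise."""
    try:
        customer_id = query.get("id")
        if customer_id is None or not customer_id.isdigit():
            return 400, "Bad request"
        name = lookup_customer(customer_id)
        return 200, f"Customer: {name}"
    except KeyError:
        return 404, "Not found"
    except Exception:
        log.exception("unhandled error in hardened_handler")
        return 500, "Internal error"


# Constructed static tree: a directory path maps to its entries, a file path
# to its contents. The backup directory holds a file nobody meant to publish.
STATIC_TREE = {
    "/backup/": ["customers.csv", "db_password.txt"],
    "/backup/customers.csv": b"id,name\n1001,Alice\n",
    "/index.html": b"<html>home</html>",
}


def serve_static(path: str, directory_listing: bool) -> tuple[int, str]:
    """Web server configuration flaw: with directory listing on, a request for
    a directory that has no index page reveals every file name in it, and each
    of those files can then be fetched directly."""
    entry = STATIC_TREE.get(path)
    if entry is None:
        return 404, "Not found"
    if isinstance(entry, list):
        if directory_listing:
            return 200, "Index of " + path + "\n" + "\n".join(entry)
        return 403, "Forbidden"
    return 200, entry.decode()


if __name__ == "__main__":
    print(leaky_handler({"id": "9999"})[1])      # traceback reaches the client
    print(hardened_handler({"id": "9999"}))      # (404, 'Not found')
    print(serve_static("/backup/", True)[1])     # lists db_password.txt
    print(serve_static("/backup/", False))       # (403, 'Forbidden')
```

The hardened version does not make the underlying bug disappear; it moves the evidence to where the operator, not the attacker, can read it. Disabling listings removes the map of the directory but not the files, so anything that must not be downloadable still has to live outside the document root.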

Flaws in Site Functionality
These flaws, which are by nature very serious, place web site functionality at risk. A hacker exploiting them can direct an application to his or her advantage. The seriousness of such flaws depends basically on the nature of the site. The risk to a simple Internet storefront may not be great, and frequently is limited to website defacement. But a very rich application may suffer more severe and varied consequences, such as access to the business’s customer files, espionage by competitors and prospective clients, and taking of unfair competitive advantage.
