A Positive Impact on Web Application Security

Jeremiah Grossman

What does Web Application Security Consortium do and what are its goals?

Grossman: As an active community and international group of experts, industry practitioners, and organizational representatives, WASC develops and advocates standards and best practices for Web application security. We define, for example, criteria for the evaluation of firewalls and create an open forum for the discussion and dissemination of knowledge pertaining to web application security. Therefore, WASC facilitates the exchange of ideas and organizes several industry projects including the Threat Classification and Web Hacking Incident Database and consistently releases technical information, contributed articles, security guidelines, and other documentation. We also educate the market regarding Web application security related matters and create a vendor-neutral champion of the web application security industry. Already we’re seeing the positive impact of WASC’s work in software development, vulnerability assessment, and forward-thinking ideas such as central repositories for secure code snippets, proof-of-concept attacks, and patterns for secure software design.

You’re one of the founders of the consortium. Where did the idea come from?

Grossman: At the time, the Web application security community was scattered. Newcomers didn’t know where to go, standards of best practice were unknown, and community initiatives lacked a home. Robert Auger – he is a known expert on Web application security vulnerabilities and a member of the Board and an Officer of WASC – and I sought a way to overcome these challenges and envisioned a place where a community of experts and others interested in Web application security could come together to work on projects and discuss issues they felt were important. Many others agreed. In January of 2004, with the support of a collection of recognized experts and organizations including Caleb Sima, Ryan Barnett, Jeremiah Grossman, Robert Auger, Yuval Ben-Itzhak, Sverre Huseby, Amit Klein, etc., WASC was founded and a set of core principles established.

Who belongs to the Consortium now?

Grossman: Developers, executives, managers, and others interested in Web application security. WASC functions as a meritocracy with a hierarchical structure consisting of Members, Officers, Committee Members, and Board Members – essentially a framework to keep things organized. We are still growing and improving upon our structural model. Participation has always been free and open to all.

What problems can develop when using Web applications?

Grossman: The software development practices and threat model of web applications are completely different from those of previous forms of software. Today when software is made available via the Web, potentially hundreds of millions of people have access. The vast majority are happy to use the software as designed, but others are not so polite. This new environment has opened many new types of attacks that did not previously exist, such as XSS and SQL Injection, and software vulnerabilities that did exist have increased exponentially. Never before has software been instantly accessible by over 700 million users. A single exploited vulnerability, or software bug, such as a Web Worm can prove devastating. As more organizations become dependent on Web applications to conduct business, the protection of the sensitive information they collect becomes that much more important. Furthermore, inconsistent implementations of the HTML, CSS (Cascading Style Sheets) and other browser specifications can cause problems in Web application development and support. Cookie handling, input data formats, and output format checking are all nebulous areas when it comes to web browsers and web servers. Additionally, the ability of users to customize the display settings of their browser – such as selecting different font sizes, colors, or disabling scripting support – can interfere with consistent implementation of a Web application.

How does Web application security work? And how important is it?

Grossman: Web application security is the study of security issues: How can Web applications be attacked and protected against these attacks? Every place a web application receives input or provides a business function there is an avenue for attack. For instance, if a shopping cart is expecting one price for an item, and it’s maliciously modified to a lower amount before the request is sent, without sanity checking controls in place fraud could occur. The members of the WASC, for example, develop and promote industry standard terminology for describing security issues.
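The shopping-cart case in the answer above comes down to one control: the server never trusts a price the browser sends back. The following is an added example, not code from the interview or from WASC; the catalog, SKUs and request bodies are constructed sample data.

```python
"""Server-side sanity check against client-side price tampering (added example)."""
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: SKU -> authoritative unit price.
# This, not the request body, is the source of truth for pricing.
CATALOG = {
    "sku-1001": Decimal("49.99"),
    "sku-2002": Decimal("5.00"),
}

MAX_QTY = 100  # assumed business limit per line item


def validate_order(items):
    """Return (accepted, detail) for a parsed cart request.

    `items` is the request body: a list of dicts with "sku", "qty" and,
    optionally, the untrusted "price" the browser echoed back. The total
    is computed only from CATALOG; a client price that disagrees with the
    catalog rejects the whole order instead of being honoured, which is
    the check the interview describes as "sanity checking controls".
    """
    total = Decimal("0")
    for item in items:
        sku = item.get("sku")
        if sku not in CATALOG:
            return False, f"unknown sku {sku!r}"
        qty = item.get("qty")
        if not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            return False, f"bad quantity for {sku}: {qty!r}"
        server_price = CATALOG[sku]
        # The browser may echo the price for display purposes; compare it
        # to the catalog and treat any mismatch as tampering.
        try:
            client_price = Decimal(str(item.get("price", server_price)))
        except InvalidOperation:
            return False, f"unparseable price for {sku}"
        if client_price != server_price:
            return False, (f"price mismatch for {sku}: client {client_price} "
                           f"vs catalog {server_price}")
        total += server_price * qty
    return True, str(total)
```

A mismatch is worth logging as a security event rather than silently correcting, since an honest client never changes the price it was shown.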

What do the standards for Web application security developed by the consortium look like?

Grossman: We’ve had two successful standardization efforts. First, there is the Web Security Threat Classification, a cooperative effort to clarify and organize the threats to the security of a Web site. With the creation of the Web Security Threat Classification, application developers, security professionals, software vendors and compliance auditors have the ability to access a consistent language for Web security related issues. The Web Application Firewall Evaluation Criteria (WAFEC) (http://www.webappsec.org/projects/wafec/) is a set of testing criteria for evaluating the quality of web application firewall solutions. WAFEC is a collaborative effort by a team of security experts, industry practitioners, and vendors designed to provide an independent and vendor-neutral set of criteria for evaluating Web Application Firewall (WAF) products. WAF technology has become an integral component of Web security infrastructures and a requirement for protecting Web applications from breaches that can lead to the theft of financial and privacy data. However, both vendors and user organizations tend to view WAFs in different ways, so there is no single baseline for comparing competing products. Therefore, choosing the right product is complex and time consuming. The WAFEC project not only makes comparison possible, but enables users to understand the requirements and the inner workings of various application defense mechanisms. It provides a standardized and easy-to-understand structure for evaluating WAF technology and includes a testing methodology that can be used by any technician to independently assess the quality of a WAF solution. The aim is not to document the features that must be supported in order for a product to be called a web application firewall. The purpose is to draw one’s attention to the features that are of potential importance to a given project by answering questions such as ‘Can the device be operated in both passive and active (inline) mode? How can the WAF be deployed to access the protected data? Does the WAF support complete virtualisation of the external application representation?’

How does WASC “roll out” its ideas to people and companies?

Grossman: When WASC has a project ready for public consumption, announcements are sent out via the Web Security Mailing List and the main WASC website. From there we generally receive a fair amount of community feedback on how to improve the following updates.

In light of increasing Internet criminality, what sort of attacks on Web applications have you seen so far?

Grossman: It’s rare to see completely new attacks. What we have been seeing recently are ways to increase the severity of current attacks and also attacks used in combination, specifically Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).

What can be done to counter such dangers?

Grossman: A possibility is to find and fix Web application vulnerabilities, such as those specified in the Web Security Threat Classification. Implement enterprise-wide standardized input sanity checking, output filtering, and session state libraries to reduce flaws from the beginning. And develop a solution stack to achieve defense in depth. The responsibility for conducting secure e-commerce transcends all levels of the organization, from business management, to security infrastructure, to software developers. Everyone has a role to play.

How have Web applications changed in the past few years? Are there new trends? What direction do you think that the trends will take?

Grossman: Millions of new Web sites are launched every month. Fortunately, the frameworks underneath Web applications have steadily grown more secure. As a result, the number of common vulnerabilities we see has been significantly reduced, specifically Cross-Site Scripting, SQL Injection, and Session-based issues – not to say that these issues are anything close to being eliminated. However, we’ve also seen Web applications grow in size and complexity, which increases the chances of vulnerabilities being introduced. I think we’ll see a decrease in overall vulnerabilities in SQL Injection and Session Hijacking and an increase in targeted attacks on financial and social networking Web sites.

What roles do social networks and the Web 2.0 movement play? Do they foster the risks that have already been noted?

Grossman: Community content-based Web sites such as MySpace, Live Journal, Yahoo Mail, Gmail, and others are attractive targets because malicious hackers are able to isolate and infect a large number of users. XSS is a popular method used to transfer JavaScript Malware, whose potential impact has been increasing during the last year. We can expect to see an increase in Web worms on these particular types of Web sites.

Do you have a personal goal that you want to achieve?

Grossman: For WASC, I’d like to see the organization continue to flourish as a trusted location for Web application security knowledge. If the community is able to expand through WASC, then that is a successful and worthwhile endeavor. For Web application security as a whole, I’d like to see the percentages of vulnerable Web sites reduce from the vast majority to a fractional few.