Tech Success: Hackers exploit Web apps

But imagine using a Web-based form on a government site to steal data rather than gather it. Instead of filling out the form as intended, a hacker could enter a Structured Query Language question, which searches the databases behind a Web application and delivers confidential data to the hacker.

"It's a way of stealing data and information that was thought to be protected, but it really isn't," said Michael Weider, chief technology officer for Watchfire Corp., a Waltham, Mass., provider of Web application security technology. "The reason why this works is because the developer who created that Web form never thought that anybody would ever try this hacking method. But lo and behold, it does work."

As government agencies continue to rely increasingly on the Internet, security around Web applications is fast becoming one of the most critical issues that federal IT departments face, experts said. Tools are available to secure sites and those under development against this growing threat.

The Open Web Application Security Project, a community focused on finding and fighting causes of insecure software, said invalid input is one of the most critical Web application vulnerabilities. Invalid input is information from a Web request that is not validated before the application uses it. Hackers use the flaw to attack back-end components, the group said.

When most security issues focused on networks, organizations deployed firewalls and other technologies to defend against attacks. The idea was to build an effective perimeter around an organization's infrastructure, not to worry about what was going on inside that perimeter.

The Web changed all that. A perimeter defense becomes ineffective when people outside an organization can interact directly with databases and applications inside it.

"Because your actual applications are publicly available to everybody out there on the Web, they are an enormous security issue," Weider said.

Some industry experts estimate that as much as 75 percent of the attacks on an organization's computer systems are focused on applications rather than networks. That's likely the case because hackers know that organizations have focused on network security and are now trying to improve Web application security.

The financial services industry was among the earliest adopters of Web application security measures to protect applications such as paying bills and online banking. Other industries and government agencies are catching up, said Erik Peterson, vice president of product management at Atlanta-based SPI Dynamics Inc., a Web application security technology company.

SPI Dynamics' tools, WebInspect and Assessment Management Platform, are similar to network security assessment tools.

WebInspect is loaded onto a computer and told which URLs to check. A wizard asks what types of assessment to do and whether any specific compliance regulations, such as those of the Federal Information Security Management Act, should be checked and documented.

"At that point, the tool is fully automated," Peterson said. "It starts to crawl through the Web site, and after it's finished, it goes through all the results it found, and comes back with a list of where it's going to start auditing the Web site."

As with a network assessment tool, the time it takes the tool to crawl the site ? anywhere from 30 minutes to a few hours ? depends on the Web site's size.

Watchfire's tool AppScan 6.0 also checks Web applications in an infrastructure, tests for security issues and files reports and recommendations. Watchfire is at work at many civilian agencies and defense organizations, some of which have as many as 5 million pages on their Web sites, Weider said.

"What our technology does is scan through those Web sites, find all the applications and automatically attack them like a hacker would to find vulnerabilities. It helps organizations prioritize those things and get them fixed," Weider said. "This is for both live Web sites and ones in production as well, to help an organization establish testing as part of its software development lifecycle."

Another factor that makes this an important issue is that most new applications today have some sort of Web user interface, which makes them vulnerable to Web-based attacks.

"Our product is designed to test any Web-enabled application, so we can test those thin-client types of applications that are used behind the firewall for internal purposes, as well as external- or public-facing applications," Peterson said.

With the proliferation of Web applications both inside and outside agencies, it's extremely important that systems integrators know that application security is not a one-time thing, but a process that needs to be done continually, Peterson said.

"You take a look at what's going on with network vulnerability assessment, and it's no different," he said. "The threats are constantly evolving; things are not slowing down by any means. And if you're not doing an application assessment of your Web app at least once a quarter, at a minimum, then you're really running blind."

Quality assurance testing is the norm on new applications, and security testing should also become the norm, Weider said.

"While that seems sort of obvious, it is a relatively new issue that most organizations are not doing," Weider said. "It is the assumption today that you would do some level of sanity [quality assurance] testing before you'd deploy an application. You need to think of security being the exact same thing."

Staff Writer Doug Beizer can be reached at dbeizer@postnewsweektech.com.