    Web Apps Pose Security Threat

    By Dennis Fisher - January 29, 2001

      Even if your network is not totally secure, you probably thought you had defenses in all the right places. Think again.

      The next wave of hacking schemes focuses on a vulnerable and extremely difficult area to defend: Web applications.

      Such application-level hacks differ from typical brute-force attacks such as distributed denial of service or other break-ins in that they can come from any online user, even authenticated customers at online banks or stores. And the area has been largely neglected as companies scramble to protect their networks with firewall, intrusion detection and anti-virus software.

      “A lot of people are still struggling with network security, so they haven't gotten to this yet,” said Mike Serbinis, chief security officer at Critical Path Inc., a San Francisco-based provider of hosted messaging services. “Application-level hacks are difficult because you're dealing with a lot of intricate detail, but most [sites] aren't at a point where their security can handle them.”

      Application hacks take advantage of vulnerabilities that normally occur in many HTML pages. A person hacking into a Web page could, for example, edit Web site parameters within a URL field and adjust a price. In addition, the URL field is often open to other such “forced browsing” attempts and can provide access to Common Gateway Interface, Visual Basic or Java scripts and, by extension, the Web server. The problem is that once a user is assumed to be authenticated and has reached this area of a Web site, there is little that can be done to prevent him or her from doing damage.
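To make the price-tampering and forced-browsing problems described above concrete, here is an added illustration in Python (written for this article, not code from the original piece or from any product it mentions). It assumes a constructed catalog and a constructed set of pages a logged-in shopper may reach, and shows a checkout handler that trusts a client-supplied price next to one that looks the price up server-side, rejects out-of-range quantities and refuses paths outside the shopper's allowed set, plus a detection hook that flags requests whose price parameter disagrees with the catalog.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data (assumptions for this example): the server's own
# price list and the pages a logged-in shopper is allowed to reach.
CATALOG = {"book-101": 29.99, "laptop-7": 1299.00}
SHOPPER_PATHS = {"/checkout", "/cart"}


def _params(url):
    """Return (path, flattened query dict) for a request URL."""
    parsed = urlparse(url)
    return parsed.path, {k: v[0] for k, v in parse_qs(parsed.query).items()}


def vulnerable_checkout(url):
    """The flaw described in the article: the order total is computed from a
    client-supplied 'price' parameter, so editing the URL changes the price."""
    _, q = _params(url)
    return round(int(q["qty"]) * float(q["price"]), 2)


def hardened_checkout(url):
    """Server-side fix: the price comes from the catalog, never from the request;
    the quantity is range-checked; and requests to paths outside the shopper's
    allowed set (forced browsing toward scripts or admin pages) are refused."""
    path, q = _params(url)
    if path not in SHOPPER_PATHS:
        raise PermissionError("forced browsing blocked: " + path)
    item = q.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    qty = int(q.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return round(qty * CATALOG[item], 2)


def price_tampered(url):
    """Detection hook: True when the client sent a price that disagrees with the
    catalog. The value is ignored by hardened_checkout, but the mismatch itself
    is a tampering signal worth logging and alerting on."""
    _, q = _params(url)
    item, price = q.get("item"), q.get("price")
    return item in CATALOG and price is not None and float(price) != CATALOG[item]
```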

      “Most of the successful attacks are application attacks because most of the important data is stored in those systems,” said Alan Paller, director of research at the SANS Institute, in Bethesda, Md. “Applications never had a very big face to the outside world, and the OS had all of those ports you could try. So, it was just convenience that most of the attacks in the past were on the OS. If you want the customer log or the credit card data, you're going through the application.”

      The Computer Security Institute, of San Francisco, surveys different types of hacks and their targets. Its latest figures report that 59 percent of corporate respondents cited their Internet connection as the frequent point of attack, while 38 percent cited their internal systems.

      Some executives fear application hacks originate from employees themselves. “It's very easy to shield a single point of access,” said Kevin Dunn, CIO and chief technology officer of EdExpress Inc., a Dallas company that helps parents save for college. “But once you have someone inside the network, it's tough to give them enough access to do their jobs but not be able to cause trouble.” Add to that the hundreds or thousands of partners and trusted outsiders who are routinely given access to a company's Web-based applications, and e-businesses have a potential disaster that traditional intrusion detection systems and firewalls aren't designed to handle.

      “Application security has been ignored by firewall manufacturers because it's difficult,” said Nir Zuk, CTO of OneSecure Inc., a Denver-based managed security provider. “A lot of these sites think that because their sites were written in Java, which is a pretty secure language, they're safe. But firewalls and intrusion detection systems aren't the right solution for application security.”

      There is hope for Web application developers and managers who want to plug the holes before they are exposed.

      Sanctum Inc., a Santa Clara, Calif., startup formed by one-time security experts in the Israeli Defense Forces, has engineered a software solution that's designed to defend against application hacks, as opposed to network hacks.

      The company's AppScan product audits a site, checking all pages, links and scripts against a knowledge base of known vulnerabilities. The software then simulates the attack and rates the likelihood of the application's being vulnerable to hackers. AppScan 2.0, due early next month, adds a feature that automates the process.

      Sanctum sells AppScan to enterprises starting at about $20,000 per year per user, as well as to security service providers and auditors, who can use the tool to augment other scanning techniques. AppScan customer Yahoo Inc. uses the product in its development process, checking for holes as an application is created and making sure it's solid before it goes live.

      “In general, application security is something that is going to become more of an issue as time goes by because in the rush to market, sites only concentrate on whether a site works or not,” said Arturo Bejar, a technical specialist for the Santa Clara portal. “It's not about if a security hole is used, but can it be used? [AppScan] helps identify those things in a more automated way, and before, it was by hand.”
