Web Apps Come Under Attack In Perverse Coming Of Age
The growth in hosted software, plus attacks on AT&T's site and others, has IT managers worried about the vulnerability of Web applications.
With the launch last week of Google's hosted application suite and availability of Microsoft Office Live, online application delivery appears ready to challenge the desktop computing model. As Web applications become more mainstream, the inevitable question arises: Are they vulnerable?
You bet. Consider that in the last week of August, more than 60 Web application vulnerabilities were found, according to the SANS Institute's @Risk bulletin. Compare that with the number of vulnerabilities found that week in Windows (two), Mac OS (two), Linux (three), Internet Explorer (two), and third-party Windows apps (nine).
Last week's hack of an AT&T Web site that sells DSL equipment, resulting in access to nearly 19,000 customer records, could very well have been carried out via a vulnerable Web app. Among the most common methods: cross-site scripting attacks that lift sensitive information, embedding JavaScript malware in a Web page that's activated when the page is viewed, and SQL injections. As of Sept. 1, AT&T declined to provide details about the attack on its site, which is run by a third party, but said it's working with an internal forensic team and law enforcement.
Hack Attacks

| Date | Target | What happened |
|---|---|---|
| August 2006 | AT&T | DSL equipment sales site is hacked; access gained to records of nearly 19,000 customers |
| October 2005 | MySpace | Hacker known as "Samy" unleashes a Web worm on the social networking site that causes anyone accessing the site to be added to Samy's "friends" list; the attack, while innocuous, shows the potential for greater harm |
| June 2005 | University of Southern California | Eric McCarty hacks into USC's site and accesses confidential information submitted by school applicants; he says he wanted to prove the site was insecure |
| December 2004 | Disasters Emergency Committee | Daniel Cuthbert hacks Tsunami Earthquake Appeal site, claiming he wanted to prove it was insecure |
Bad Reputation
Web apps have a reputation--though it's unclear how deserved--for not having undergone as many code reviews and quality-control processes as conventional software. "Web applications tend to be written less tightly than other applications," says Alan Paller, director of research at SANS.
Douglas Merrill, VP of engineering at Google, acknowledges that the programming methodology for Web applications isn't as mature as for desktop apps, but he emphasizes that Google has its own set of best practices. Instead of having a centralized security group review code before it's released, Google uses what Merrill describes as a distributed system that enlists every engineer to make programs more secure. That means training every software and QA engineer to look for security problems and practice secure coding. An engineer's code is always reviewed by a second engineer whenever it gets checked in, and again during design, implementation, and launch. So far, Google's online applications have stayed off the @Risk list.
Still, as the Web application model takes root, so, too, will its problems. Paller predicts an increase in attacks to exploit online application protocols such as the Simple Object Access Protocol, PHP, and JavaScript, rather than exploit holes in the apps, by "piggybacking" on data sent from the Web application to the browser-based client.
Attackers, meanwhile, are tracking Web application vulnerabilities disclosed through such reports as @Risk and SecurityFocus' Bugtraq. When they learn of a commercially available Web application with a known flaw, they'll utilize Web search tools to find sites that use the app. The attacker can then probe for applications that haven't been patched properly.
It's enough to persuade Kevin Jaffe, director of corporate systems at Priceline.com, to steer clear of the hosted software model for now. "We're not so concerned about, say, vulnerabilities within certain Microsoft applications because there are three or four levels of security around this company that you've got to get through to begin with," he says. Jaffe adds that crooks don't need specialized application-specific knowledge to attack Web apps written with popular languages. "When you start dealing with Web-based applications, you've lowered the common denominator for the typical hacker," he says.
That's not to say Priceline won't ever adopt hosted Web apps--Jaffe, in fact, thinks they're the future because of the overall benefits of centralized maintenance and support. He just doesn't want to be one of the first victims while the security bugs are being worked out. "Our culture from the beginning has always been, let somebody else jump out there first," Jaffe says.
Simpler Patching
Many IT managers don't see Web applications as particularly vulnerable. "I would be no more or less likely to consider a Web application like Google's Writely over, say, Microsoft Word," says Brad Friedman, VP of IT for Burlington Coat Factory, which uses the Star/Open Office desktop suite. Both require security measures to make them less vulnerable, he says.
While there's no such thing as perfect security, companies have to determine for themselves whether the possible benefits of online applications outweigh the risks. "When a [Web application] problem is in fact found, trying to fix it is never trivial," Google's Merrill says. "But it's much simpler to patch a server than it is to patch some large number of clients distributed across some large number of networks."
SANS Institute's Paller agrees. "One huge positive is that the patching is going on in real time," he says, "whereas most of us aren't doing that." And because patching can be such an onerous chore, many organizations will consider ditching PCs altogether in favor of applications delivered through a thin client.
For large companies that have dozens of Web sites and applications, the recent attack on AT&T's DSL equipment site should provide plenty of incentive to assess security, says Jeremiah Grossman, a former Yahoo information security officer who's now CTO with Web application security provider WhiteHat Security. Site scrutiny should be prioritized based on the nature of the information that can be accessed--is customer data at risk?--and the vulnerability of the apps they run.
Whether it's as a hosted service from a vendor or from internally managed Web sites, online software is in the crosshairs of malicious hackers. It may be the future, but it won't be without security risks.