
Web site threats widespread

By Theo Boshoff
Security Summit 2009, 28 May 2009

A vast majority of Web sites possess serious vulnerabilities, says Jeremiah Grossman, founder and CTO of WhiteHat.

According to Grossman: “82% of Web sites have had at least one security issue, with 63% still having issues of high, critical or urgent severity.”

He spoke at the ITWeb Security Summit, in Midrand, this week, discussing top vulnerabilities for Web sites and a five-step plan of action to help curb threats.

The most urgent vulnerabilities, according to WhiteHat research, are cross-site scripting, insufficient authorisation, SQL injection, HTTP response splitting, and directory traversal.

Of the top vulnerabilities, Grossman believes SQL injection is still a huge problem and needs urgent addressing. This is because it extracts the most information from companies through their Web sites, even though it ranks only fifth on the overall top vulnerability list.

“Although it is small compared to the overall count, you really do not want it,” he stated.

Grossman added that 70% of the top 100 most popular Web sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.

He proposes a five-step plan to assist companies in addressing these vulnerabilities, starting with locating the Web sites they are responsible for. “Companies with more than five Web sites do not know where they are and thus cannot protect them. They need to find them all before deciding what to do,” he said.

Security Summit 2009 Expo

Visit the Security Summit Expo taking place from 26 to 28 May at Vodaworld, Midrand. Tickets cost R150 and more information is available online here.

Secondly, companies have to rank Web sites according to how critical they are to their business, and how severe the impact of threats to the sites would be, and then tackle the problems according to severity.

“In step three, you have to consider what kind of threats and vulnerabilities you should look at first. This depends, of course, on your business. Find out if you have random opportunistic, directed opportunistic or fully targeted hacker attacks and which will do your company the most damage.”

Step four involves checking what the current security posture is, by doing vulnerability assessments, penetration tests, and monitoring traffic to these sites, which will give companies an indication of how to deal with the problems.

“Lastly, you must decide how best to improve your survivability and think about whether you need to deploy SDL virtual patches or make a configuration change. You must also decide if you need to decommission the site or outsource it, according to your needs,” Grossman concluded.
