The news from WhiteHat Security is in -- and it isn't very good.
The firm released a study this week that says nine out of 10 websites have at least one vulnerability, and the average site has seven. The insurance industry is the most threatened, with 84 percent of sites suffering urgent, critical or high severity vulnerabilities. The top two problems, according to this report on the findings in Dark Reading, are cross-site scripting and cross-site request forgery (XSS and CSRF).
XSS and CSRF are the vulnerability classes most associated with Web 2.0 interactivity and collaboration. For hackers and crackers, this is just what the doctor ordered. Vulnerabilities will multiply as businesses increasingly adopt this more advanced version of the Web.
Put simply, as complex multimedia and interactivity grow, the portions of sites that are ripe for mischief -- "attack surfaces," in security parlance -- grow more numerous. The continuing battle to keep the Internet safe led WhiteHat to institute a formal educational program. In my interview earlier this month, Bill Pennington, WhiteHat's vice president of services, said sites made in a more innocent day are being careless with Web 2.0:
What you see people do is that they bolt on Web 2.0. They take Web 1.0, 1.5 and bolt new functionality to make it pretty. That opens it to a whole can of worms.
Another problem, Pennington says, is that developers can be a bit naïve:
A lot of times, when we speak to developers, security people hear comments that would blow our mind, such as, "Why would anyone want to get information out of my database?" Well, they want to do that. We cover why as well as how. A lot of developers don't understand the threat landscape of the Internet. They say, "My site does not have a lot of important data. Why would they want to hack it?" There are any number of reasons. A lot of them have to do with propagating malware across the Internet.
Clearly, the struggle to protect Web sites is reaching a new level. An executive from Xythos Software offers some general advice on securing Web 2.0 and related applications. Among the ideas is creating a universe of secure Web applications available through a portal, which would eliminate the need for employees to use riskier consumer tools. That, of course, is an answer only for deep-pocketed companies. More practical approaches include experimenting within departments or in specific projects to see what works, and having a well-understood usage policy. These steps will at least cut down on some of the most obvious mistakes.