June 15, 2009

Web Application Security

According to the US Department of Justice, 65% of businesses have been hit by a cybercrime or security attack. Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Last year, almost 55% of the vulnerabilities disclosed affected web applications. (Source: IBM ISS X-Force 2008 Trend & Risk Report)

Many of the exploits affecting sensitive data involve "cross-site scripting," "SQL injection," and "buffer overflow."

The purpose of this blog post is to provide an overview of the types of web application vulnerabilities.

Traditional Web Application Vulnerabilities:

Authentication: stealing user account identities

  • Brute Force: trial and error to guess a person's login and password
  • Insufficient Authentication: an attacker accesses sensitive data without proper authentication
  • Weak Password Validation: an attacker illegally obtains a user's password

Authorization: illegal access to applications

  • Credential/Session Prediction: method of hijacking or impersonating a user
  • Insufficient Authorization: permits access to sensitive content or functionality that should require more access control restrictions
  • Insufficient Session Expiration: permits an attacker to reuse old session credentials or session IDs for authorization
  • Session Fixation: attackers force a user's session ID to an explicit value
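The three session weaknesses in this list (prediction, insufficient expiration, fixation) are usually fixed in one place: the session store. The following is an added example, not code from the original post, of a minimal in-memory store. The `SessionStore` class, the `now` clock parameter and the 15-minute idle timeout are constructed for illustration. IDs come from the OS CSPRNG so they cannot be predicted, a fresh ID is issued at login so an ID chosen before login is never promoted to an authenticated session, and idle sessions are discarded so an old ID cannot be replayed.

```python
import secrets
import time

# Constructed policy value for the example: sessions idle longer than this are dropped.
SESSION_TTL_SECONDS = 15 * 60


class SessionStore:
    """In-memory session store (hypothetical; illustrates the three defences above)."""

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock so expiry can be tested
        self._sessions = {}              # session_id -> {"user": str | None, "last_seen": float}

    def _new_id(self):
        # 32 bytes from the OS CSPRNG: not a counter, timestamp or user-derived value,
        # so it cannot be guessed (Credential/Session Prediction).
        return secrets.token_urlsafe(32)

    def create(self):
        """Start an anonymous session, e.g. for a visitor who has not logged in yet."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, sid, user):
        """Authenticate: the pre-login ID is discarded and a new one is issued.

        This is the Session Fixation defence: an ID an attacker planted before
        login never becomes the ID of the authenticated session.
        """
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._now()}
        return new_sid

    def user_for(self, sid):
        """Return the user bound to sid, or None if unknown, anonymous or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > SESSION_TTL_SECONDS:
            # Insufficient Session Expiration defence: drop the entry so the ID
            # can never be reused, then treat the request as unauthenticated.
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def logout(self, sid):
        """Invalidate the session server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)
```

In a real deployment the store would sit behind the web framework's cookie handling (with `Secure` and `HttpOnly` set on the cookie); the three properties shown here are what to verify regardless of framework.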

Client-side Attacks: illegal execution of foreign code

  • Content Spoofing: tricks a user into believing that the content they are viewing is legitimate and not coming from an outside source
  • Cross-site Scripting (XSS): forces a website to echo attacker-supplied executable code, which loads into a user's browser
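The XSS entry above describes the site echoing attacker-supplied text back into the page. The fix is output encoding for the context the text lands in. The following is an added example, not code from the original post: two hypothetical greeting renderers, one that concatenates the value straight into HTML and one that escapes it with the standard library's `html.escape` first.

```python
import html


def render_greeting_vulnerable(name):
    # Vulnerable: whatever the user sent is inserted verbatim into the HTML
    # response, so markup in `name` is interpreted by the browser.
    return "<p>Hello, " + name + "</p>"


def render_greeting_escaped(name):
    # Hardened: escape for the HTML text context before echoing. '<', '>', '&'
    # and quotes become entities, so the browser renders them as text only.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed probe value: ordinary markup, enough to show the difference.
    probe = "<b>bold</b>"
    print(render_greeting_vulnerable(probe))
    print(render_greeting_escaped(probe))
```

`html.escape` is correct only for the HTML text and attribute contexts; a value placed inside a `<script>` block or a URL needs the encoding for that context instead, which is why template engines with context-aware auto-escaping are the usual answer.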

Command Execution: hijacks control of web application

  • Buffer Overflow: attacker alters the flow of an application by overwriting parts of memory
  • Format String Attack: alters the flow of an application by using string formatting library features to access other memory space
  • LDAP Injection: attackers exploit web sites by constructing LDAP statements from user-supplied input
  • OS Commanding: executes OS commands on a website by manipulating application input
  • SQL Injection: constructs illegal SQL statements on a website application from user-supplied input
  • SSI Injection: sends code into a web application, which is later executed locally by the web server
  • XPath Injection: constructs XPath queries from user-supplied input
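Every injection entry in this list (LDAP, OS commanding, SQL, SSI, XPath) has the same root cause: user input is pasted into a statement that an interpreter then parses. SQL injection is the easiest to show end to end. The following is an added example, not code from the original post: a constructed in-memory SQLite table, a hypothetical lookup that formats the username into the SQL text, and its parameterized counterpart, which hands the value to the driver separately so it is never parsed as SQL.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data for the example (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: the user-supplied value becomes part of the SQL statement,
    # so quote characters in it change the statement's structure.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Hardened: the statement is fixed; the value travels as a bound parameter
    # and is compared as data, however it is spelled.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    # A value that is syntactically a string fragment rather than a name.
    odd_value = "x' OR '1'='1"
    print("vulnerable:   ", lookup_vulnerable(db, odd_value))      # every row
    print("parameterized:", lookup_parameterized(db, odd_value))   # no rows
```

The same separation of code from data is the fix for the other entries: pass OS command arguments as a list rather than a shell string, and escape or bind values for LDAP and XPath with the library's own facilities rather than string formatting.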

Information Disclosure: shows sensitive data to attackers

  • Directory Indexing: an automatic directory listing/indexing web server function that shows all files in a requested directory when the normal base file is not present
  • Information Leakage: occurs when a website reveals sensitive data such as developer comments or error messages, which may aid an attacker in exploiting the system
  • Path Traversal: forces access to files, directories and commands that potentially reside outside the web document root directory
  • Predictable Resource Location: uncovers hidden website content and functionality
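The path traversal entry above is the one in this group that is most often fixed in application code: a file-serving handler has to prove that the resolved path still lies under the document root before opening it. The following is an added example, not code from the original post. The function `resolve_under_root` and the root path `/srv/www` are constructed for illustration; the check uses the standard library's `os.path.realpath` and `os.path.commonpath`.

```python
import os


def resolve_under_root(root, requested):
    """Return the absolute path for `requested` inside `root`, or None if it escapes.

    `requested` is the decoded path from the URL. Decoding (e.g. %2e%2e -> ..)
    must happen before this check, never after it.
    """
    root_abs = os.path.realpath(root)
    # A leading slash would make os.path.join discard the root entirely, so
    # treat every request as relative to the root.
    relative = requested.lstrip("/\\")
    # realpath collapses '..' segments and follows symlinks, so the comparison
    # below is on the path that would actually be opened.
    candidate = os.path.realpath(os.path.join(root_abs, relative))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None  # resolved outside the document root
    return candidate


def is_safe_request(root, requested):
    """Boolean form of the same check, for handlers that only need yes/no."""
    return resolve_under_root(root, requested) is not None


if __name__ == "__main__":
    # Constructed root and requests for the example.
    for req in ("css/site.css", "../../etc/passwd", "css/../../secret.txt"):
        print(repr(req), "->", resolve_under_root("/srv/www", req))
```

The comparison is on `commonpath`, not a string prefix, so a root of `/srv/www` does not accidentally accept `/srv/www-old/...`. A handler should additionally refuse to list a directory when `candidate` is one and no index file exists, which is the Directory Indexing entry above.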

Logical Attacks: interfere with application usage

  • Abuse of Functionality: uses a website's own features and functionality to consume, defraud or circumvent access control mechanisms
  • Denial of Service (DoS): attacks prevent a website from serving normal user activity
  • Insufficient Anti-Automation: a website permits an attacker to automate a process that should only be performed manually
  • Insufficient Process Validation: permits an attacker to bypass or circumvent the intended flow of an application

The most important thing to remember is that the web application space is the area most targeted by cyber-attackers for security breaches and attacks. Though there is a tremendous paradigm shift from on-premise applications to web/cloud-based applications, not all web application providers are created equal. You must protect yourself and your organization by verifying that the web application provider has independent third-party security certifications from accredited organizations.

Additional Resources:
www.owasp.org
www.webappsec.org

Data Sources: US Department of Justice, owasp.org, webappsec.org

June 08, 2009

What Makes a Bad Leader?

Every leadership book or article that I have ever come across focuses on top leadership qualities, probably the easiest way to look at leadership, I suppose. Select a handful of top companies and their respective CEOs and see what they have in common. Jack Welch: ex-GE CEO, John Chambers: Cisco, Steve Jobs: Apple, Meg Whitman: ex-CEO eBay, Jeff Bezos: Amazon, Warren Buffett: Berkshire Hathaway, and Larry Fink: BlackRock. Qualities or traits that most often come up:

  • Clear vision and forward thinking
  • Hires the right people for the right roles
  • Collaborative in vision development
  • Establish benchmarks to measure progress
  • Results-based
  • Admits errors or mistakes
  • Commitment to maintaining integrity across the organization
  • Leads by example
  • Communicative and persuasive
  • Business and financial acumen

It would make sense, then, that bad leaders would be the opposite of the traits listed above. In a recent Harvard Business Review article by Jack Zenger and Joseph Folkman, they found this to be the case. More specifically, the biggest difference between the best leaders and the worst was their energy and enthusiasm. No surprise that some of the best leaders are known for their "charisma," which in many cases can also mean enthusiasm and passion for what they are doing.

What I found interesting is that criteria such as inexperience, lack of "proper" education and an unproven track record did not appear on the list of worst-leader traits. Conversely, one could then conclude that experience, an MBA degree from a top program and a proven track record are not the important traits for the most successful leaders. (The one X factor for me would be an MBA. I just think that to be a top leader, you need to have an MBA. My case is partially stated below:)

  • Jack Welch: BS from University of Massachusetts and MA from University of Illinois-Champaign
  • John Chambers: BA and Law Degree from West Virginia University and MBA in Finance and Management from Indiana University
  • Steve Jobs: Reed College studying physics, poetry and literature
  • Meg Whitman: BA Economics from Princeton and Harvard MBA
  • Jeff Bezos: Computer Science and Electrical Engineering from Princeton
  • Warren Buffett: a stint at Wharton, then to University of Nebraska at Omaha. Rejected by Harvard Business School. MBA from Columbia University
  • Larry Fink: BA and MBA from UCLA

If you want to be a top leader, use the list below and do the opposite! Again, everything on the list can be controlled. Nothing states, "Get 15 years of management experience, get an MBA from Harvard or Wharton."

It all starts with energy and passion, believing in what you are doing and exciting those around you to feel just as passionate. Don't accept mediocrity, raise expectations. Have a clear vision of where you are now and where you want to be in 3 months, 6 months, 12 months. Collaborate with others and flatten out your organization. Encourage people to take risks, to innovate and to brainstorm new ideas. Communicate openly and be transparent.


The Worst Leaders

Source: Harvard Business Review, June 2009

June 04, 2009

Are You Missing the Boat?


Earlier this week I was talking to a customer about general corporate strategy and advanced planning. He told me that he and his team were making some very bold moves and doubling their efforts around sales and marketing. "We see lots of opportunity out there right now and we certainly are not going to miss the boat." I applauded their ability to take risks.

I started thinking about his "missing the boat" comment...

It's no surprise that during these interesting economic times, executives need to be more visionary and predictive of the future than ever. Pretty hard to do when the crystal ball is blurrier than ever. Even the great Warren Buffett recently said he could not have predicted the losses of some of the investments Berkshire Hathaway made. So what do you do?

My point is this...it's pretty crazy out there and very unpredictable, yet why are some companies 100% maximizing this time as an opportunity rather than laying low and waiting for the storm to pass? Why are some companies moving forward at twice the speed while other companies think it's best to put the brakes on everything? Why are some companies reinvesting in their employees with training and career development while others are not? I suppose it depends on your vantage point, though I would contend that it really comes down to how much you believe in the long-term viability of your company and your employees, any company's greatest asset. The companies that are doubling down now and reinvesting in their employees are the companies that are taking risks, making bold moves and not missing the boat. These are the companies that will come out stronger than ever when things are back to "normal."

Is there a difference between taking risks and just being stupid? Yes, of course. Two examples of companies that took bold risks when the timing was not the best...though is there ever truly a best time anyway?

-Apple launched the iPod 6 weeks after the September 11th attacks on the World Trade Center.
-Kellogg doubled its advertising budget during the Great Depression while others "played it safe." Kellogg aggressively marketed its Rice Krispies cereal. (The rest is history.)

I get the point that for executives it's the difference between "missing the boat" and "sinking the boat." Makes sense: risk vs reward, the fear and uncertainty of making a decision that fails vs making a decision that would have succeeded.

Is it possible to find something in the middle? Perhaps. How about we leverage times like these to get extra creative, to be more innovative than ever by listening to customers and really understanding what they need to be successful? How about we develop products from the outside in vs the inside out, where we cross our fingers and hope/think customers will find value in the new enhancements? What about creating new, uncontested market spaces where competition is irrelevant? Easy to do? Certainly not. Possible? You better believe it is.

Exercising "Innovative Leadership" right now can be the difference between giving the green light on a bold new idea and watching it succeed or watching your competitors take all the glory and revenue because you took a pass.

Don't miss the boat...

Thanks,
David Chao
The Web Conferencing Expert

May 17, 2009

The Law of Success

A Man's Mental Attitude
by Napoleon Hill

A man’s mental attitude in respect to defeat is the factor of major importance in determining whether he rides with the tides of fortune on the success side of the River of Life or is swept to the failure side by circumstances of misfortune.

The circumstances which separate failure from success often are so slight that their real cause is overlooked. Often they exist entirely in the mental attitude with which one meets temporary defeat. The man with a positive mental attitude reacts to defeat in a spirit of determination not to accept it. The man with a negative mental attitude reacts to defeat in a spirit of hopeless acceptance.

The man who maintains a positive mental attitude may have anything in life upon which he may set his heart, so long as it does not conflict with the laws of God and the rights of his fellowmen. He probably will experience many defeats, but he will not surrender to defeat. He will convert it into a stepping stone from which he will rise to higher and higher areas of achievement.

The subject of a positive mental attitude is so important that it not only claimed first position in the list of the twelve riches of life, but it had to be included as an important part of the principle on pleasing personality, and has been mentioned in practically every principle of this course.

A positive mental attitude is an essential part of the key which unlocks the door to the solution of all personal problems. It is the magic quality of this key which enables it to attract success as surely as an electro-magnet attracts iron filings.

The whole secret of the formula by which you may turn defeat into an asset lives in your ability to maintain a positive mental attitude despite your defeat.

This is no man-made rule. It is a part of the imponderable phenomena of nature through which man has been provided with the privilege of drawing upon that power known as faith. Faith and a positive mental attitude are twin brothers! Where one is found, there also will be the other. The two are inseparable. Faith is a power which cannot be analyzed by science, yet it is the greatest power available to mankind.

And the strangest of its qualities exists in the fact that it is free, equally available to the humblest person or the greatest. Recognize this truth and you will be well on your way toward the great estate of Happy Valley.

Source: PMA Science of Success. Pgs. 396 & 397.

May 15, 2009

Develop One Weakness, Makes All the Difference

When you are good at something, it's very easy to rely on that strength to get you through most situations. You know you are good at it and it's worked in the past. Don't fix it if it's not broken, right? I get this, but oftentimes what once worked in the past does not work in the present. One needs to constantly find ways to get better and improve.

A colleague of mine is a tennis player and he's an excellent player. When he first started playing, he had a great forehand and used it all the time. Instead of developing a backhand all he did was take two extra steps to his left and hit a forehand: powerful, accurate, down the line, WINNER.

Over time, he realized that to progress his tennis game, he had to develop his weakness, his backhand. Doing this would require hard work, training, and practice. Note that he did not focus on developing all areas of his tennis game, just one vital component: his backhand. He did not worry about all his "weaknesses," just the immediate and most important one that would pay the highest dividends once he mastered it.

Turning a weakness into a strength provided him with a competitive edge. What better way to reveal a killer backhand than when everyone is expecting a forehand!

In order to survive in today's business environment, you need to push yourself to get better and round out your skills by improving your vital weaknesses, one at a time. Focus on developing skills and behaviors that drive the greatest results. Change at a faster rate than what is changing around you. If change is happening faster than you can adapt, you will not survive.

Thanks,
David Chao
The Web Conferencing Expert