Web Application Security

According to the US Department of Justice, 65% of business have been attacked by a cybercrime/security attack. Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Last year, almost 55% of vulnerabilities disclosed affected web applications. (Source: IBM ISS X-Force 2008 Trend & Risk Report)

Many of the exploits effecting data sensitive material mention "cross-site scripting," "SQL injection," and "buffer overflow."

The purpose of this blog is to provide a overview on the types of web application vulnerabilities.

Traditional Web Application Vulnerabilities:

Authentication: stealing user account identities

• Brute Force: trial and error to guess a person's login and password
• Insufficient Authentication: attacker access sensitive data without proper authentication
• Weak Password Validation: attacker illegally gets user's password

Authorization: illegal access to applications

• Credential/Session Prediction: method of hijacking or impersonating a user
• Insufficient Authorization: permits access to sensitive content or functionality that should require more access control restrictions
• Insufficient Session Expiration: permits an attacker to reuse old session credentials or session ID's for authorization
• Session Fixation: attackers force a user's session ID to an explicit value

Client-side Attacks: illegal execution of foreign code

• Content Spoofing: tricks a user that content they are viewing is legitimate and not coming from an outside source
• Cross-site Scripting (XSS): forces a website to echo attacker-supplied executable code, which loads into a user's browser

Command Execution: hijacks control of web application

• Buffer Overflow: attacker alters the flow of an application by overwriting parts of memory
• Format String Attack: alters the flow of an application by using string formatting library features to access other memory space
• LDAP Injection: attackers exploit web sites by constructing LDAP statements from user-supplied input
• OS Commanding: executes OS commands on a website by manipulating application input
• SQL Injection: constructs illegal SQL statements on a website application from user-supplied input
• SSI Injection: sends code into a web application, which is later executed locally by the web server
• XPath Injection: contructs XPath queries from user-supplied input

Information Disclosure: shows sensitive data to attackers

• Directory Indexing: is an automatic directory listing/indexing web server function that shows all files in a requested directory if the normal base file is not present
• Information Leakage: occurs when a website reveals sensitive data such as developer comments or error messages, which may aid an attacker in exploiting the system
• Path Traversal: forces access to files, directories and commands that potentially reside outside the web document root directory
• Predictable Resource Location: uncovers hidden website content and functionality

Logical Attacks: interfere with application usage

• Abuse of Functionality: uses a website's own features and functionality to consume, defraud or circumvent access control mechanisms
• Denial of Service (DoS): attacks prevent a website from serving normal user activity
• Insufficient Anti-Automation: a website permits an attacker to automate a process that should only be performed manually
• Insufficient Process Validation: permits an attacker to bypass or circumvent the intended flow of application

The most important thing to remember is that security breaches and attacks in the web application space is the most targeted by cyber-attackers. Though there is a tremendous paradigm shift from on-premise applications to web/cloud-based applications, not all web application providers are created equal. You must protect yourself and your organization by verifying if the web application provider has independent 3rd party security certifications from accredited organizations.

Additional Resources:
www.owasp.org
www.webappsec.org

Data Sources: US Department of Justice, owasp.org, webappsec.org,

What Makes a Bad Leader?

Every leadership book or article that I have ever come across always focuses on top leadership qualities, probably the easiest way to look at leadership I suppose. Select a handful of top companies and their respective CEO's and see what they have in common. Jack Welch: ex-GE CEO, John Chambers: Cisco, Steve Jobs: Apple, Meg Whitman: ex-CEO EBAY, Jeff Bezos: Amazon, Warren Buffett: Berkshire Hathaway, and Larry Fink: Blackrock. Qualities or traits that most often come up: 

• Clear vision and forward thinking
• Hires the right people for the right roles
• Collaborative in vision development
• Establish benchmarks to measure progress
• Results-based
• Admits errors or mistakes
• Commitment to maintaining integrity across the organization
• Leads by example
• Communicative and persuasive
• Business and financial acumen

It would make sense than that bad leaders would be the opposite of the traits listed above. In a recent Harvard Business Review article by Jack Zenger and Joseph Folkman, they found this to be the case. More specific, the biggest difference between the best leaders and the worst was their energy and enthusiasm. No surprise that some of the best leaders are known for their "charisma" which in many cases can also mean enthusiasm and passion for what they are doing.

What I found interesting is criteria such as inexperience, lack of "proper" education and unproven track record did not appear on the list of worst leaders. Inversely, one could then conclude that experience, an MBA degree from a top program and a proven track record are not the important traits for the most successful leaders. (The one X factor for me would be an MBA. I just think to be a top leader, you need to have an MBA. My case is partially stated below:)

• Jack Welch: BS from University of Massachusetts and MA from University of Illinois-Champaign
• John Chambers: BA and Law Degree from West Virginia University and MBA in Finance and Management from Indiana University
• Steve Jobs: Reed College studying physics, poetry and literature
• Meg Whitman: BA Economics from Princeton and Harvard MBA
• Jeff Bezos: Computer Science and Electrical Engineering from Princeton
• Warren Buffett: a stint at Wharton, then to University of Nebraska at Omaha. Rejected by Harvard Business School. MBA from Columbia University
• Larry Fink: BA and MBA from UCLA

If you want to be a top leader use the list below and do the opposite! Again, everything on the list can be controlled. Nothing states, "Get 15 years of management experience, get an MBA from Harvard or Wharton."

It all starts with energy and passion, believing in what you are doing and exciting those around you to feel just as passionate. Don't accept mediocrity, raise expectations. Have a clear vision of where you are now and where you want to be in 3 months, 6 months, 12 months. Collaborate with others and flatten out your organization. Encourage people to take risks, to innovate and to brainstorm new ideas. Communicate openly and be transparent.

Source: Harvard Business Review , June 2009

Share |

Are You Missing the Boat?

Earlier this week I was talking to a customer about general corporate strategy and advanced planning. He told me that he and his team were making some very bold moves and doubling their efforts around sales and marketing. "We see lots of opportunity out there right now and we certainly are not going to miss the boat." I applauded their ability to take risks.

I started thinking about his "missing the boat" comment...

It's no surprise that during these interesting economic times, executives need to be more visionary and predictive of the future than ever. Pretty hard to do when the crystal ball is blurrier than ever. Even the great Warren Buffett recently said he could not have predicted the losses of some of the investments Berkshire Hathaway made. So what do you do?

My point is this...it's pretty crazy out there and very unpredictable yet why are there some companies that are 100% maximizing this time as an opportunity rather than laying low and waiting for the storm to pass? Why are some companies moving forward at twice the speed and other companies thinking it's best to put the brakes on everything? Why are some companies reinvesting in its employees with training and career development while others are not? I suppose it depends on your vantage point though I would contend that it really comes down to how much you believe in the long-term viability of your company and your employees, any company's greatest asset, the employees. The companies that are doubling down now and reinvesting in their employees are the companies that are taking risks, making bold moves and not missing the boat. These are the companies that will come out stronger than ever when things are back to "normal."

Is there a difference between taking risks and just being stupid? Yes, of course. Two examples of companies that took bold risks when the timing was not the best...though is there ever truly a best time anyway?

-Apple launched the iPod 6 weeks after the September 11th attacks on the World Trade Center.
-Kellogg doubled it advertising budget during the Great Depression while other "played it safe." Kellogg aggressively marketed their Rice Krispies Cereal. (The rest is history.)

I get the point that for executives it's the difference between "missing the boat" and "sinking the boat." Makes sense, risk vs reward, the fear and uncertainly of making a decision that fails vs making a decision that would have succeeded.

Is it possible to find something in the middle? Perhaps. How about we leverage times like these to get extra creative, to be more innovative then ever by listening to customers and really understanding what they need to be successful? How about we develop products from outside-in vs inside-out, where we cross our fingers and hope/think customers will find value in the new enhancements? What about creating new, uncontested market spaces where competition is irrelevant? Easy to do, certainly not. Possible? You better believe it is.

Exercising "Innovative Leadership" right now can be the difference between giving the green light on a bold new idea and watching it succeed or watching your competitors take all the glory and revenue because you took a pass.

Don't miss the boat...

Thanks,
David Chao
The Web Conferencing Expert

Share |