BEST OF THE WEB

Web vulnerabilities need to be stamped out

Earlier this month infosec pros at at the Toronto SC Congress conference got an earful from Canadian Dave Lewis of Akamai Technologies on the need to ensure their Web sites don’t aid and abet distributed denial of service.

Over the weekend came another reminder in an article from CSO Online that there are too many vulnerabilities in Web sites that help attackers which can easily be plugged.

“The primary cause for constant and recurring website (and web application) vulnerabilities is the heavily-modified to fully custom-developed nature of these technologies,” it quotes David J. Venable,  director of professional services at Texas-based cloud networking platform Masergy Communications and a former NSA intelligence collector. The result, he says, is largely untested sites and applications that do not undergo the same rigorous and thorough testing that most commercial software packages such as operating systems and server packages do.

There are security holes in .PHP sites, third-party and homegrown software, and WordPress code and installations as well as in OpenSSL, Single Sign-On, and SQL and LDAP implementations and technologies.

Cisco Systems’ most recent annual security report noted that among the Web exploit kits available to hackers, one dubbed Angler uses Flash, Java, Microsoft Internet Explorer (IE) and Silverlight vulnerabilities. Once the exploit is triggered, the report notes, the malware payload is written directly into memory in a process such as iexplore.exe, instead of being written to a disk. “The payload delivered by Angler looks like a blob of encrypted data, which makes it harder to identify and block.”

Another, dubbed Sweet Orange, Sweet Orange distributes a range of malware to unpatched enduser systems, and includes exploits for vulnerabilities in Adobe Flash Player, IE, and Java.

Today security and application development teams have to work closer than ever to ensure these are plugged through change management, testing, and proper implementation. There are too many successful attacks that could be stopped cold if developers and security pros

Read the full article here.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web