Following the White Rabbit - A Practical Security Blog

The Problem of "Too Many Problems"

Hey everyone... now that I'm back to regularly posting I thought I'd address an issue I've faced with the last few customers we've had the pleasure of visiting.  Speaking from experience, you never want to introduce a tool or process that will overwhelm people - it tends to cause that "deer in the headlights" reaction... and we all know how well the deer normally fares, right?


That being said, I think I've found a problem that's plaguing companies that are lagging in the Web App Sec program department (yes, there are companies who are only now starting to think about building a program to protect their web sites and applications) even more than the political problems they face, or the question of which tool/service to purchase.  Nope... there is an even bigger problem.


I will frame it for you by giving you an example of a recent product validation I was a part of... and what turned out to be a brilliant disaster.  It was brilliant in that our suite of web application black-box testing tools performed beautifully, and uncovered way more than the customer (or the competing products) were expecting.  This is where the disaster struck...  As this was all being written up into a nicely packaged findings and recommendations document, we sat down with the person who was in charge of the validation project.  Immediately, my contact's face turned a few different shades of pale before going completely white - he was shocked at what we had found and at how simple it was to completely compromise their main public-facing website.  After the initial shock wore off and color returned to his face, he was excited that we would be presenting this to the "senior security group" headed by the CISO the next day.  Here is where things started to go sideways.


The presentation the next day kicked off as expected... we presented our executive summary, the methodology of our product validation and moved on to the specific findings.  In this case, since there was so much wrong I stripped out only the Critical and Highly Important issues and bundled the rest into a "non-mission-critical" bucket for the sake of brevity.  My goal was to move through that into our recommendations section where we would propose what the customer should do next, including building a security validation program and starting to integrate into the SDL; let's just say I never got that far...


As soon as I hit the Criticals section I noticed something wrong.  Immediately the faces of the folks in the room started to look... befuddled, I think, is the correct word.  Some got that glazed-over look I get when my wife tries to explain the complex relationships of her friends and such... they were overwhelmed, lost, and confused.  I stopped and asked if there were questions... no one raised their hand or spoke up, so I continued.  I got about halfway through the critical issues section when the CISO, hand half-raised, looked at me and said "This is way too much ... I just don't think we can handle it".  Naturally I thought he was talking about the depth of the presentation... or the mountain of information I was giving them... nope - he was referring to the number of things we had found wrong with the site.


What happened next is nothing short of terrifying... faced with the mountainous task of comprehending, addressing and remediating these 100+ critical issues, the CISO was frozen in place... like a deer in the headlights.  I guess I can't really blame him, given that any one of the 20+ SQL Injection vulnerabilities uncovered could entirely compromise their main system.  The question on the table now was - what do they do?  After thinking about it and talking amongst themselves for a few minutes (at this point the presentation was halted) they agreed that there was nothing they could do - they would simply leave the production systems alone and focus on the websites which were currently in development.  The deer had gotten so bedazzled by the oncoming car that it didn't care it was about to become an inevitable victim.


What just happened?  What we have here is a failure to launch.  Given the overwhelming nature of the issues, some companies simply choose to "do nothing" because the resource requirements of tackling all those issues seem impossible.  Rather than sitting down and prioritizing sites, vulnerabilities and required effort, they simply choose to be overwhelmed.  Well, I'm not sure "choose" is the right word here... but you know what I mean.  It's not trivial to look at over 300 critical and high-ranked vulnerabilities on your main site and resolve to prioritize and address everything in a sane fashion.  It takes resources and a tough resolve to make that happen... and as I've said, it's not a trivial task.


That being said... the lesson learned here is that I shouldn't take for granted that, given a mountain of security risks, someone will be able to find a starting point and then be willing to push that boulder uphill.  Going forward I'm definitely going to be offering more tactical and strategic assistance, drawing on years of experience solving these sorts of partially-psychological problems in security.


If you're faced with one of these crises... don't despair!  First, remember that others run into the same headlights.  Second - don't think you can't do it... with a good risk-based approach and a sound methodology you can transform that overwhelming mountain of security risks into a big win for you and your department.




Good luck!

Comments
Anonymous(anon) | ‎06-26-2009 05:21 AM

I hate WAF with a passion

but in this particular case, I would have plugged a WAF in front of the said vulnerable website as a compensatory (and temporary) control

About the Author(s)
  • Rafal "Raf" Los, is a web application security evangelist for the HP Software & Solutions business at HP. Los is responsible for bridging the gaps between security technologies and business needs to reduce enterprise risks and create embedded, lasting solutions on behalf of the HP Application Security Center group. He has spent over 10 years in various facets of information security and data protection, building programs at companies ranging from startups to Fortune 50 enterprises. Additionally, Los helped to write the first release of the Open Web Application Security Project (OWASP) testing guide. Prior to joining HP, Los led the web application security program and served as a security lead at General Electric (GE) Consumer Finance. Los also worked with GE Power systems, leading security engineering, architecture and building the web application security program. Before GE, Los helped build a service-oriented security consulting company and was among the first 25 employees in a successful financial-based startup, leading internet-facing systems and security management and architecture. Raf received his B.S. in Computer Information Systems from Concordia University, River Forest, Ill.

