Many news reports have recently identified the increased threat to web sites and applications from SQL injections, the most recent example being the Nihaorr1 script that resulted in over 600,000 sites being infected even including the and the UN. Although initially identified as a Windows IIS server vulnerability, the root cause of the recent exposure goes beyond IIS and has identified lax web application coding as the culprit. A Register interview with the DHS assistant secretary for Cybersecurity is quoted as saying ” our networks are only as strong as the weakest link ” which makes sense but also identifies how vulnerable web applications are on the web. If a company is relying on the variability of programmer security knowledge and limited QA testing to protect their web app from yet to be defined threats, it‘s no wonder that so many sites are exposed and hacked.
Perhaps one of the ways to better protect an organization from the next undefined attack is to look at minimizing the impact of variability. A common best practice in the manufacturing industry is to evaluate every process and implement techniques and tools to reduce variability so as not be overly dependent on a final test or inspection which always has some level of escapes. This is the core of the Six Sigma technique that many world class manufacturers utilize to improve product quality.
As applied to IT protecting Web Applications, a tool that can be implemented to reduce the impact of programmer variability is to utilize a Web App firewall such the positive security model feature of the NetScaler Application Firewall. This feature recognizes best coding practices for HTML and Industry HTTP standards and automatically blocks Web App behavior and variations outside a known-good model. The result is a significant reduction in the risk created by variable programmer skills and expensive but incomplete QA testing. In the specific example of the Nihaorr1 attack, a validated that the NetScaler Firewall was indeed able to block the Nihaorr1 script using the default configurations. Additionally the learning features of the App Firewall can be used for more granular configurations and protection as well.
So before the next threat to your web applications is discovered, it may be worth further investigation as to the human influence of variability in IT operations and consider steps to mitigate the risks.