Jeremiah Grossman Blog – website security hot topics


Archive

Clickjacking 2017
June 18, 2009

The future: Long-standing Web application security scourges such as SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF) are finally under control. Remaining buffer overflow issues are considered fossilized evidence of a prior era. Cyber criminals, out of necessity, have evolved their attack portfolios to include Clickjacking as a preferred method for tricking their victims into propagating malware, defrauding themselves, and initiating other forms of malicious acts. Clickjacking, a long-known and fundamental design problem in the way the Web works, had not until 2017 garnered the respect necessary to be taken seriously. Now, with significant damage increasing and losses mounting, the issue has forced website owners and browser developers to scramble for solutions to a problem nearly a decade in the making. Or so the story may go, should history repeat itself.


WAFs and Anti-SDL Assumptions
June 1, 2009

When someone advocates Web Application Firewalls (WAF), some people mistakenly assume they must also be anti-Security Development Lifecycle (SDL). For myself and WhiteHat Security, nothing could be further from the truth. While WhiteHat advocates the use of WAFs, what most people do not realize is that we also develop a significant amount of mission-critical Web code in-house. Our SDL is incredibly important to us because, just like many of you, we have a development team responsible for building websites: websites responsible for safeguarding and maintaining access control over extremely sensitive data, our customers' data. That website would be WhiteHat Sentinel.


Mythbusting, Secure Code is Less Expensive to Develop
May 2009

Conventional wisdom says developing secure software from the beginning is less expensive in the long run. Commonly cited as evidence is an IEEE article, “Software Defect Reduction Top 10 List” (published Jan 2001), which states, “Finding and fixing a software problem after delivery is often 100 times more expensive than finding and fixing it during the requirements and design phase.” Many security practitioners borrowed this metric (and others similar to it) in an effort to justify a security development life-cycle (SDL) investment, because software vulnerabilities can be viewed as nothing more than defects (problems). The reason being that it's much easier to demonstrate a hard return-on-investment by saying, “If we spend $X dollars implementing an SDL we will save $Y dollars,” as opposed to attempting to quantify a nebulous risk value by estimating, “If we spend $X on implementing an SDL, we’ll reduce our risk of loss of $Y by B%.”


Software Security Grew to Nearly 500M in 2008
April 24, 2009

Separate from an economy in recession, I’m excited to be a part of a market with a healthy, if not impressive, growth clip. Gary McGraw (Cigital) published his Software Security annual revenue numbers for 2008. By combining software security tools, Software-as-a-Service providers, and professional services, it comes really close to half a billion dollars. This means a lot to us vendors, their investors, and would-be acquirers -- for the average enterprise, feel free to ignore it. Instead, focus on the particular solutions you need rather than basing vendor selection on prevailing winds. To do otherwise is similar to buying a house locally based upon national real estate averages.


Website Threats and Their Capabilities
April 23, 2009

Vulnerabilities don’t exploit themselves. Someone or something (a “threat”) uses an attack vector to exploit a vulnerability in an asset, bypassing a control, and causes a technical or business impact. A diagram found in OWASP Catalyst (pg. 28) illustrates the concept exceptionally well. This is important to keep in mind because not every threat exercises the same technical capability or end-goal. Some threats are sentient, others are autonomous, and their methods differ, as does their target selection. While I’ve seen many published threat models, I’ve not seen any specifically focused on the nuances of website security (maybe I missed it?). Website security is much different from other forms of software or business models and deserves special attention in the way it's handled.


Quick Wins and Web Application Security
March 20, 2009

Lately I’ve been asking peers why they think comparably few dollars are spent addressing Web application security (by percentage to host/network), which every industry report states represents the largest information security risk. Is the reason that organizations don’t “get it”? Are available solutions ineffective? Do compliance failures need more teeth? Does the market need more time to mature? The answer is crucial, because without funds there is no way to secure the vast majority of insecure websites and we all suffer as a result. A combination of factors is probably a fair estimation, but the more I dig in the more I’m convinced something more powerful and yet mundane hides just beneath the surface. A recent conversation with Joseph Feiman (Gartner) revealed a profound insight.


Top Ten Web Hacking Techniques of 2008
March 5, 2009

We searched far and wide collecting as many Web Hacking Techniques published in 2008 as possible -- ~70 in all. These new and innovative techniques were analyzed and ranked based upon their novelty, impact, and pervasiveness. The 2008 competition was exceptionally fierce and our panel of judges (Rich Mogull, Chris Hoff, H D Moore, and Jeff Forristal) had their work cut out for them. For any researcher, or "breaker" if you prefer, simply the act of creating something unique enough to appear on the list is no small feat. That much should be considered an achievement. In the end, ten Web hacking techniques rose head and shoulders above the rest.

Who's Who and What's What in Website Security
February 12, 2009

Indirect Hard Losses is an estimate of the decrease in Web transactions from a certain class of customer, specifically those whose security/privacy has been compromised in the past, compared to those whose has not. I first learned about this metric from Robert "RSnake" Hansen (SecTheory), but didn’t know it had a name until I spoke with Laura Mather (Silver Tail Systems). Indirect Hard Losses is rarely discussed; I suspect it is measured internally but not published publicly. As stated by InformationWeek regarding a Ponemon Institute study on the Cost of a Data Breach, “Customers, it seems, lose faith in organizations that can't keep data safe and take their business elsewhere.” The next logical question is: how much?

Who's Who and What's What in Website Security
February 2009

When it comes to standards (de facto or otherwise), guidance, terminology, and nomenclature, Web security is an exceptionally confusing and daunting environment. People frequently ask, “What is the difference between the OWASP Top Ten and WASC’s Web Security Threat Classification?” “How does the new CWE/SANS Top 25 now fit in?” “Which should I use?” Also common are questions about the differences between organizations such as MITRE, OWASP, SANS, and WASC, whose scopes seem to overlap from time to time.


Jeremiah Grossman is a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld's Top 25 CTOs for 2007. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is co-author of the recently published book, Cross-Site Scripting Attacks. Mr. Grossman is frequently quoted in business and technology publications such as InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, SecurityFocus, CNET, CSO Magazine, and InformationWeek.

2009 © Copyright WhiteHat Security, Inc., 3003 Bunker Hill Lane, Santa Clara, CA 95054, 408.343.8300