Intology – Intelligent Technology News

Interview with Yousif Yalda, a former Kaspersky information security officer and V.A.P.T. CEO and Founder

May 12th, 2008 by Kiyani ~ No Comments

On the subject of web application security and testing, Intology sat down with Yousif Yalda, founder of Vulnerability Assessments and Penetration Testing (www.vapt-sec.com). He is a former Kaspersky information security officer and has wide experience in this field.

V.A.P.T. is a newly started provider of web application security services. It develops useful, easy-to-use, cost-effective solutions that enable companies to secure valuable customer data, meet federal compliance standards, and maintain customer confidence.
Let’s get started!

Intology
First of all we would like to thank you for taking the time to talk to us.
Our first question is: what is your opinion on the overall state of web application security in the world?

Yalda
Thank you, it’s my pleasure. Currently, I believe we are facing issues that exist mainly in the state of web browser security. We have not found a solution (at the time of this writing) that has successfully eliminated phishing or CSRF (Cross-Site Request Forgery) attacks completely as a whole.
These attacks use the browser to perform their danger and the client (user) only faces a URL to work with. In other words, a URL can be quite confusing to determine if an attack derives from it, especially if it has been encoded in a format that a common user has no knowledge in understanding. We would like for every consumer to understand and be protected from such attacks, but that is not going to happen anytime soon. There are a few solutions you can implement to prevent both attacks as much as possible.

Firstly, for phishing, you should try to analyze every URL you visit, or will visit, so that you may know where it is really taking you. Using Firefox is one of the easiest decisions you can make to help prevent these forms of attack. Currently it cannot be stopped 100%, but Firefox does try to discover patterns in the attack, and alert you if an attack is suspected. CSRF can be prevented by simply downloading an add-on to Firefox called ‘NoScript’.

This will help protect against both XSS (Cross-Site Scripting) and CSRF attacks by stripping the parameters out of any POST request generated by a suspicious site. I’ll leave the technical stuff out, because that’s for us to take care of. As for the consumers, just follow those steps and you’ll be as safe as you can be currently. Additionally, people still continue to believe that XSS is not of any concern or nuisance to the dangers of online usage. We have yet to recover from that, but since popular websites receive these attacks, people should start becoming a little more convinced. Not too long ago, presidential candidate Barack Obama’s blog got hit with XSS.

It’s that precise ignorant behavior that leads to these attacks. Also, since AJAX is using user-generated functionality, we should also expect to hear about user-generated issues. I’ve discussed this issue with AJAX technology previously in my blog post (http://yousifyalda.blogspot.com/2008/02/organized-crime-20.html).

Intology
For what organizations is web application security a concern?

Yalda
Everyone should consider web application security. Large corporations and small and medium companies/websites are in need of web application security more often than the rest. Personal websites should seek the same kind of treatment, preferably in an appropriate context, and not so much an in-depth security analysis. All websites need it simply because it has to do with reputation, credibility, and brand.

It’s important to remain a well-respected organization by not dishonoring your users’ online experience by undergoing maintenance due to a security breach. It’s also vital that anyone who seeks recognition, for whatever the cause may be, whether it’s developing research or simply building a web presence, continues to do so without facing humiliation through a disruption of service. Plus, if a brand provides a product and/or a service, then it’s fair to say that if it has been compromised, it will be less trusted, and thus decrease consumer confidence and furthermore degrade the company’s value in production.

Intology
What are the different methods hackers employ to break into an application?

Yalda
Well, the main issue we have today that allows hackers to escalate their forms of attack is user input. A vast majority of the vulnerabilities and exploits today come from the fact that developers write code that trusts user-controlled data. We must treat every input as evil, as we should not expect that every user has positive intentions. We must either deny certain input, or block it and further process it safely. Hackers use tools and modify the data they find on their own behalf to further understand the inner workings of an application.
Hackers may use brute forcing to rapidly find login credentials to access data, trick users into entering their login information, or guess a “hidden” directory within the website, and find sensitive information to gather and later use to craft their attacks to gain even more access, and possibly abuse those privileges.

Intology
What services does V.A.P.T. provide and how does it differ from other providers?

Yalda
We provide web application security and penetration testing. We use this process to find vulnerabilities and exploits within a web application and an operating system to determine where flaws exist, and then we venture to patch those insecurities. We differ from other providers because we don’t depend solely on tools to find issues, but rather deploy manual techniques in affiliation with automated tools to grasp the full scope as the total solution for web application security.

Furthermore, we provide SE (Social Engineering) prevention and training. Since hackers don’t depend on technical resources entirely, they may just call in to simply ‘ask’ for the data. We help to test organizations in an effort to find the weakest employees, those most vulnerable to providing information that should otherwise not be disclosed. V.A.P.T. provides training to employees at organizations who need to understand how to handle potential social engineering attacks and identify who may be trying to con their way to sensitive information.

Intology
What exactly is penetration testing?

Yalda
Penetration testing is a process of assessing the security of a computer system or network by constructing an attack as a malicious user, in some cases a hacker, would.

Intology
How do you check if an organization’s web security has been compromised?

Yalda
Allow for continuous security assessments daily, yearly, or every time code changes. As part of V.A.P.T.’s security solution, we seek to provide clients an additional 3 months of unlimited security assessments after subscription to either a full-blown penetration analysis of Black box testing or White box testing. You should also purchase WAFs (Web Application Firewalls) and anti-virus products to eliminate the threats of malware, spyware, worms, trojans, viruses, and other unwanted bugs. Also, changing passwords periodically is a great system to have in place for security.

Intology
Where do you think organizations normally lack in terms of web security? What are the main areas they neglect?

Yalda
Organizations hire developers who don’t implement a security cycle in safely processing and storing information. Rather, they continuously push code in the form of massive functionality, instead of handling user input in a secure manner. Also, they tend to ignore people who report security issues, and thus push the security reporter to publish the problems to the public. Another problem is choosing who has access to what information. They also put aside the fact that most of the time when security researchers report flaws, they are doing you a favor. Instead, some companies will prosecute you and take legal action as if you were causing harm.

Intology
How are you evolving in terms of new techniques like AJAX?

Yalda
V.A.P.T. has staff who are experts in understanding AJAX and know how to defend against its flaws. V.A.P.T. uses White box testing as a process to find and cure mistakes by performing code reviews, debugging, and path testing for input and output. We modify data in terms of values, parameters, and strings to make sure the data is handled securely. We also consult in providing tips for allowing dynamic content to stay user-generated, keeping features available but not able to be abused in any fashion.

Intology
Is there a benefit of implementing web application security early in the development stage?

Yalda
Yes, SDLC (Systems Development Life Cycle) is a great approach to the defense mechanism layer in developing software. It maps out the footprints that need to be constructed and analyzed before being released into use.

Intology
Are there any particular standards you follow?

Yalda
I always use Firefox for the most secure online experience. I tend to make daily back-ups to ensure all my data will be kept safe. I don’t follow links in e-mails I do not trust, and double check the URL provided. I also use Mozilla Thunderbird and its filtering behavior to securely check my e-mail using SSH communication. My passwords are highly mixed with all sorts of characters including numbers, letters, and ASCII symbols, are case-sensitive, and of course long in length. Additionally, I disable unnecessary protocols, applications, and services that are not in use.

Intology
Where do you see web application security ten years from now? How will it change?

Yalda
I cannot predict that sort of change since it’s quite some time away, but hopefully it will evolve for the good, and maybe be required effectively. The years to come will push more research and deliver more innovation through automation, and I’m inclined to think that attacks will decrease with more help from the media in recognizing the issues, and the overall number of vulnerabilities in websites will slowly decrease.
