Shostack + Friends Blog Archive


Application Layer Vulnerability, an Orientation Issue

Richard Bejtlich comments on a new “@RISK: The Consensus Security Alert“, which starts:
“Prediction: This is the year you will see application level attacks mature and proliferate.” He says:

You might say that my separation of OS kernel and OS applications doesn’t capture the spirit of SANS’ “prediction.” You might think that their new warning means we should focus on applications that don’t ship with the “OS.” In other words, look at widely deployed applications that aren’t bundled with an OS installation CD. Using that criteria, “application attacks” are still old news.

I think that Richard is both right, in that there’s no big technical shift, and wrong, in that the attacks will mature. As I said a few days ago, the attackers will become more clever in using the attacks to make money. There’s also a perception issue, a blowback, if you will, of the success of database-driven vulnerability scanners like ISS and Nessus. These scanners are very effective at finding instances of the sorts of vulnerabilities that get CVE entries. They are less effective, if they even try, at finding vulnerabilities in your locally developed application. Here tools like those from Kavado and SPI Dynamics do much better. Rather than working from a database of flaws, they inspect a web application for classes of flaw, by running attacks against the site in a controlled way. So the success of the database-driven scanners is that people think that they can run those scanners and learn how an attacker can get in. And that’s correct. But no tool will give you a complete list. And so I expect that what the SANS folks are talking about is a rise in attacks against the business infrastructure, rather than the technical infrastructure. If they’re not, they should be.