Web Vulnerabilities Create New Opportunities for Web Security Professionals

Posted by Technology Staff Editor

A new report by WhiteHat Security identifies the top 10 web vulnerabilities most likely to affect organizations today. The quarterly WhiteHat Website Security Statistics report, based on data obtained from January 1, 2006 to July 31, 2007, focuses on previously unknown vulnerabilities in custom web applications on real-world websites. "We used real customer data from our clients, including banks, e-commerce sites, and health operations," says Jeremiah Grossman, founder and chief technology officer at WhiteHat Security. According to the report, the top ten vulnerabilities are:
  • Cross-site scripting
  • Information leakage
  • Content spoofing
  • Predictable resource location
  • SQL injection
  • Insufficient authentication
  • Insufficient authorization
  • Abuse of functionality
  • Directory indexing
  • HTTP response splitting
"We rated the top 10 web vulnerabilities based on the likelihood of these happening and the companies' need to prioritize," says Grossman. Since the company's last report in April, there has been a noticeable increase in the number of technical vulnerability classes found. According to the report, "This can be directly attributed to the discovery of new attack techniques and our improvement in vulnerability identification technology."

THE IMPACT ON THE IT EMPLOYMENT MARKET

Grossman sees the need for more IT professionals. "With over 140 million websites worldwide, there is a need for more help. WhiteHat Security hires QA development types because not all are well suited to web security, and we prefer to train our own staff in our own way. For our operations staff we look for people with math and/or software development backgrounds, but most importantly an adept analytical attitude, because the concepts we routinely deal with are sophisticated and abstract," says Grossman.

IT security existed 10-15 years ago, but today there is significantly more emphasis placed on security, says Thomas Sweetman, chief operations officer at Productive Data Solutions, a staffing firm. "15 years ago, security was more of an afterthought, whereas today it is more a part of the pre-planning phase of development. The more sophisticated systems we get, the more they're hacking into, and it's up to more individuals to put up the defenses from taking place," adds Sweetman.

Grossman acknowledges that it is a challenge to fix the problems found throughout the Web. "We are trying to find the issues. It's our challenge to fix the problems, but in order to do that we must know what the vulnerabilities are. There are so many on the web right now we can't fix it all overnight. That's why we need to find types of techniques that will help solve those [problems]."
CHALLENGES WEB SECURITY PROFESSIONALS CAN EXPECT

According to the report, cross-site scripting (XSS), information leakage, and insufficient authentication are among the top three vulnerabilities affecting the IT industry. XSS, found in seven out of 10 websites, can be harmful to businesses as well as consumers. The report states, "New attack vectors employed are responsible for highly effective phishing scams and Web worms that are resistant to commonly accepted safeguards."

Information leakage, found in five out of 10 websites, can be equally hazardous to businesses because it can reveal sensitive information that can lead to the website being compromised. Information leakage occurs "when a website knowingly or unknowingly reveals sensitive information such as developer comments, user information, internal IP addresses, source code, software version numbers, error messages/codes," the report states. Sweetman acknowledges that information leakage is a common problem. "I see some form of breach from banks to credit card companies—it's the world we live in. To have a site compromised is damaging to our reputation as well as to the actual data from clients."

Another web vulnerability affecting the IT industry is insufficient authentication. It is found in one out of six websites and is prevalent in financial, healthcare, and general content management systems, because many websites serve content or execute functionality without first authenticating the user, which can allow an attacker to gain unauthorized access to protected sections of a website.

With the rise of new attacks and vulnerabilities on the Web, Sweetman and Grossman both agree that there will be more opportunities for IT security professionals. "We went from the IT market in the '90s, when there was a high demand for IT and high-paying jobs, to Y2K, when many professionals were laid off, and fewer people went to college with degrees in the IT field. Those people in the workforce left the market to pursue other fields outside of IT," says Sweetman.

Sweetman sees potential for growth in the IT market. "Now there's a void in the market because we have the people with 2+ years of experience compared to the people with 15+ years of experience who survived the downturn of the market, and who will retire in the next 15-20 years," he explains. With experienced IT professionals retiring in the near future, Sweetman is hopeful that there will be more job opportunities in the IT market. "Over the next 30 years, 80 million people in the United States will retire; out of 360 months, that's 225,000 jobs created monthly to replace the workforce. We will see a significant shortage of workers across all technology fields," says Sweetman. Additionally, Grossman predicts there will be growth in the web application security field. "Application web security is a large gap that has been ignored by the industry and will pick up."

HOW COMPANIES CAN OVERCOME THE EMPLOYMENT GAP

Sweetman recommends that the education system expand to take on more people and encourage them to join the IT field, where demand is high. "It will get even higher," he says. "Secondly, it's up to companies to develop their employees, giving them hands-on training, and investing in their futures and encouraging them to continue their educations, and plan to train their internal staff, and invest in their leadership skills, which will in turn, help them lead people," says Sweetman. Education is important, as well as training, states Sweetman. Grossman agrees. "Everybody needs to keep up with vulnerabilities and create battle plans through asset tracking, measuring security, education, development frameworks, and defense-in-depth [by which we] throw up as many roadblocks to attackers as possible." Lastly, Sweetman recommends there be more allowance of H-1 visas in the U.S. "The more we limit H-1 visas, the more shortage of technology and engineering professionals we will have. We need more [H-1 visas]; otherwise, there will be a shortage of workers and we'll have to send more work overseas. We need IT workers to do what needs to be done to take care of the here and now," says Sweetman.
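The information leakage class the report defines above (developer comments, internal IP addresses, software version numbers, verbose error messages) is one a site owner can screen for in their own HTTP responses before an attacker does. The following is an added example, not code from the report or from WhiteHat Security; the regular expressions, category names and the sample response are constructed assumptions.

```python
import re
from typing import Dict, List

# Indicators taken from the report's list of what information leakage reveals.
# The patterns below are this example's assumptions, not WhiteHat's own checks.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
VERSION_HEADER = re.compile(
    r"^(server|x-powered-by|x-aspnet-version):\s*(.+)$", re.I | re.M)
STACK_TRACE = re.compile(
    r"(Traceback \(most recent call last\)|at [\w.$]+\([\w]+\.java:\d+\)"
    r"|ORA-\d{5}|SQLSTATE\[)")

def find_leaks(headers: str, body: str) -> Dict[str, List[str]]:
    """Return leakage indicators grouped by category for one HTTP response."""
    findings: Dict[str, List[str]] = {}
    # A bare "Server: Apache" is noise; flag only headers that disclose a number.
    versions = [f"{name}: {value.strip()}"
                for name, value in VERSION_HEADER.findall(headers)
                if re.search(r"\d", value)]
    if versions:
        findings["version_disclosure"] = versions
    comments = [c.strip() for c in HTML_COMMENT.findall(body) if c.strip()]
    if comments:
        findings["developer_comments"] = comments
    ips = sorted(set(PRIVATE_IP.findall(body)))  # RFC 1918 ranges only
    if ips:
        findings["internal_ip_addresses"] = ips
    errors = STACK_TRACE.findall(body)
    if errors:
        findings["verbose_errors"] = errors
    return findings

# Constructed sample response (not captured from any real site).
SAMPLE_HEADERS = """HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.4
Content-Type: text/html
"""
SAMPLE_BODY = """<html><!-- TODO: remove staging endpoint before launch -->
<body>Internal Server Error
<pre>Traceback (most recent call last):
  File "/srv/app/views.py", line 42, in checkout
psycopg2.OperationalError: could not connect to server at 10.0.3.17:5432</pre>
<!-- build 2007-07-31 -->
</body></html>"""

if __name__ == "__main__":
    for category, items in find_leaks(SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(category, items)
```

Run against a clean response with a bare `Server: Apache` header and no comments or traces, the function returns an empty dict, so the check can gate a release pipeline without producing noise on well-behaved pages.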