Understanding Technical vs. Logical Vulnerabilities
by Jeremiah Grossman - Founder and CTO of WhiteHat Security - Article originally appeared on SearchAppSecurity.com
On Nov. 11, 2003, the chess-playing machine X3D Fritz tied grandmaster and former world champion Garry Kasparov in a four-game match. In this classic contest of Man vs. Machine, X3D Fritz performed so impressively that the match was heralded as a victory for artificial intelligence. X3D Fritz's powerful play was achieved by calculating millions of moves per second, backed by gigabytes of stored positions. Each time Kasparov moved a chess piece, X3D Fritz would analyze the board by drawing upon its vast knowledge base to select the best possible move.

What do chess, the world's most dominant computer chess machine, and Garry Kasparov have to do with Web application security?

For many years, security professionals have thought there would come a day when technology alone could identify all Web application vulnerabilities and prevent all attacks, eliminating the need for the Kasparovs of the world. What we've come to understand is that Web application security is a fundamentally different game than chess, or even network security. It's highly unlikely that machines will ever completely replace people in the process of assessing Web site security. What's important to understand is why.

Chess is a straightforward game. The board presents a finite number of legal moves and a limited number of end-game positions. With chess it's mathematically possible to calculate every move that may result from a given position and further "n" moves into the future. Since the game itself is defined and finite, although granted extremely large, the path to victory can be completely automated and followed precisely. Eventually computers will win at chess every time rather than settling for a tie.

Web sites are at the opposite end of the spectrum. They maintain an open-door policy toward user interaction, rarely follow Internet standards, and never operate the same way twice. Even simple tasks such as shopping online or Web banking are drastically different functionally and architecturally from one site to the next. Web application vulnerability scanners operate in a complicated environment where the end result of a process is anything but obvious.

Web application vulnerability scanners depend on the relative predictability of Web sites to identify security issues. Using a loose set of rules, scanners function by simulating Web attacks and analyzing the responses for telltale signs of weakness. From experience, we know how a Web site will normally react when a security issue is present. We know that if sending a Web site certain meta-characters produces a database ODBC error message, a SQL Injection issue has likely been detected. At WhiteHat Security we call these "technical vulnerabilities," and scanners have become fairly proficient at identifying them. But as Web sites become increasingly sophisticated, yesterday's telltale signs are today's false positives. As such, we're not guaranteed that a specific result necessarily indicates that a security issue is present. This has made the automated process of finding simple vulnerabilities hard, and finding difficult ones impossible.
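As an added example (not from the original article or from any WhiteHat product), here is the response-analysis step the paragraph describes in miniature: a scanner checks a response for ODBC error signatures, and comparing against the site's normal page shows why a signature alone is not proof. The signature list and all HTTP response bodies below are constructed for illustration.

```python
import re

# Telltale error strings a scanner might treat as a sign of a technical
# vulnerability. Constructed, illustrative list, not a complete rule set.
ODBC_SIGNATURES = [
    re.compile(r"\[Microsoft\]\[ODBC [^\]]+\]", re.I),
    re.compile(r"OLE DB Provider for ODBC Drivers error", re.I),
    re.compile(r"Unclosed quotation mark", re.I),
]

LIKELY_TECHNICAL_VULN = "likely technical vulnerability"
PROBABLE_FALSE_POSITIVE = "probable false positive"
NO_SIGNAL = "no signal"


def has_signature(body: str) -> bool:
    """True if any ODBC error signature appears in the response body."""
    return any(pattern.search(body) for pattern in ODBC_SIGNATURES)


def classify(baseline_body: str, probed_body: str) -> str:
    """Judge a probe by comparing it with the page's normal (baseline) response.

    A signature that appears only after the probe is the classic telltale sign.
    A signature that is already present in the normal page (for example a
    knowledge-base article that documents ODBC errors) is the kind of
    "yesterday's telltale sign" the article calls a false positive.
    No signature at all tells the scanner nothing either way.
    """
    in_probe = has_signature(probed_body)
    in_baseline = has_signature(baseline_body)
    if in_probe and not in_baseline:
        return LIKELY_TECHNICAL_VULN
    if in_probe and in_baseline:
        return PROBABLE_FALSE_POSITIVE
    return NO_SIGNAL


# Constructed sample responses.
ORDER_PAGE = "<html><body>Order 50 confirmed. Total: $300.00</body></html>"
ODBC_ERROR_PAGE = (
    "Microsoft OLE DB Provider for ODBC Drivers error '80040e14' "
    "[Microsoft][ODBC SQL Server Driver][SQL Server]"
    "Unclosed quotation mark before the character string ''."
)
KB_PAGE = "<h1>FAQ</h1><p>If you see [Microsoft][ODBC SQL Server Driver] errors, call support.</p>"
CUSTOM_ERROR_PAGE = "<html><body>Something went wrong. Please try again.</body></html>"

if __name__ == "__main__":
    print(classify(ORDER_PAGE, ODBC_ERROR_PAGE))    # likely technical vulnerability
    print(classify(KB_PAGE, KB_PAGE))               # probable false positive
    print(classify(ORDER_PAGE, CUSTOM_ERROR_PAGE))  # no signal
```

The third case is the one the article is really about: a site that swallows errors behind a friendly page gives the scanner nothing to match on, so absence of a signature is not evidence of safety.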

Consider the following example. If we visit a Web site and are presented with the following URL: http://example/order.asp?item=50&price=300.00