So this article made my Friday! I tracked down the actual site where the compromised sites are for sale. All joking aside, this is serious. These sites are trusted by a large number of people, especially the Army sites, and they give attackers direct access to DoD internal networks. This just underscores the importance of application security and how much work we have ahead of us.
The FAA has performed a security assessment of 70 of their web applications and found a large number of vulnerabilities. This doesn’t come as much of a surprise because most government agencies have not cracked down on software security. Besides the vulnerabilities, there are two things that bother me:
1. No Static Analysis – In the methodology section of the memo, it looks like KPMG only used penetration testing for this assessment. I’m not looking to start the typical static versus dynamic testing debate, but I was surprised that static analysis was not a component of this assessment. Automated penetration testing relies entirely on the tool’s ability to find the vulnerabilities from the outside. Depending on the application, this type of testing could miss some critical vulnerabilities. Static analysis examines the code itself and can find vulnerabilities that penetration testing tools never reach. Not to mention, using static analysis early in the SDLC will reduce these vulnerabilities before the code is released.
2. Separate Standards – In the memo, the writer mentions that the FAA uses “DOT Secure Web Application Standards”. The DoD has their standards, the DoT has their standards, NIST has standards, NSA has standards, etc. There really should be a standard that is applied to all agencies with a mandate from the President. Cybersecurity affects all agencies and we should all be on the same page.
It seems that Obama is taking a stand on cyber security and I hope they take this the right way.
There’s a good post over at ha.ckers.org that lists some live sites that you can use to practice exploiting vulnerabilities. In addition, you could probably use demo.testfire.net. The site was created by Watchfire to test AppScan, but you could also use it for light testing.