Our friends over at WhiteHat Security created an excellent chart to help people understand how “hackable” their website might be. The graphic is the result of a conversation that Jeremiah Grossman and Robert Hansen had at BlackHat about how it seems like no matter what we do in the security space it is reducible to being insecure/vulnerable in some way or another. According to Hansen,
Jeremiah suggested that I should make a funny graphic depicting how that’s true. Well, that turned out to be easier said than done. As I got further and further into it, I found that it wasn’t really that funny. In fact, it became less funny and more of a bummer the more I got into it. I know this isn’t perfect or complete, but it gives you an idea of the amazing amount of things you’ve got to get right before you can be sure your site is safe.
The graphic (seen below) represents an excellent starting point for securing applications. In fact, CloudPassage Halo can help ensure that the application stack and application code are properly configured to use only secure methods. Administrative access to the web applications and database can also be opened dynamically, so that administrative ports are presented only after successful GhostPorts authorization. Files such as the referenced crossdomain.xml can be inspected continuously for correct file permissions, or even for the presence of the file itself.
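The crossdomain.xml check mentioned above, written out as an added example (this is not CloudPassage's or Halo's code): it reports a missing or unexpected policy file, permission bits beyond an assumed owner-writable/world-readable maximum, and, going one step past the text, a policy body that grants every origin access (`domain="*"`) or allows non-TLS origins (`secure="false"`). The sample policy files, their paths and the 0644 ceiling are constructed for the demonstration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Assumed ceiling: a published policy file should be readable by the web
# server but writable only by its owner. Any bit outside this mask is reported.
DEFAULT_MAX_MODE = 0o644

# Constructed sample policies (not from the original post).
WEAK_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""

STRICT_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>
"""


def inspect_crossdomain(path, expected=True, max_mode=DEFAULT_MAX_MODE):
    """Return a list of findings for the crossdomain.xml at `path`.

    expected=False means the site is not supposed to publish a policy at all,
    so the mere presence of the file is reported. An empty list means nothing
    to report.
    """
    findings = []
    if not os.path.exists(path):
        # A missing file is only a problem when the site relies on it.
        return [] if not expected else ["missing: %s does not exist" % path]
    if not expected:
        findings.append("presence: unexpected policy file %s" % path)

    # Permission check: report any mode bit outside the allowed ceiling.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    extra = mode & ~max_mode
    if extra:
        findings.append("permissions: mode %04o grants bits %04o beyond %04o"
                        % (mode, extra, max_mode))

    # Content check: parse the policy and flag overly broad grants.
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        findings.append("parse: %s" % exc)
        return findings
    for elem in root.iter("allow-access-from"):
        domain = elem.get("domain", "")
        if domain == "*":
            findings.append('policy: allow-access-from domain="*" admits every origin')
        if elem.get("secure", "true").lower() == "false":
            findings.append('policy: domain=%s sets secure="false" (HTTP origins allowed)'
                            % domain)
    return findings


def write_samples(directory=None):
    """Create the constructed sample files and return their paths by label."""
    directory = directory or tempfile.mkdtemp(prefix="crossdomain-demo-")
    weak = os.path.join(directory, "weak", "crossdomain.xml")
    strict = os.path.join(directory, "strict", "crossdomain.xml")
    for path, body, mode in ((weak, WEAK_POLICY, 0o666), (strict, STRICT_POLICY, 0o644)):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # deliberately loose on the weak sample
    return {"weak": weak, "strict": strict,
            "missing": os.path.join(directory, "absent", "crossdomain.xml")}


if __name__ == "__main__":
    paths = write_samples()
    for label, path in paths.items():
        for finding in inspect_crossdomain(path) or ["ok"]:
            print("%s: %s" % (label, finding))
```

Run against the constructed samples, the weak policy yields three findings (loose permissions, wildcard domain, `secure="false"`), the strict one yields none, and the absent file is reported as missing only when `expected=True`. Pointing `inspect_crossdomain` at a real document root and scheduling it is the continuous-inspection pattern the paragraph describes.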
I do, however, have two updates that I would make to the post (and graphic):
- Change the blog title from “Reducing Security” to “Reducing Attackable Surface Area” as this is what the chart effectively tries to do, and
- Change the resulting “You are probably safe” end point in the graphic to “You are probably safer than most”, as nothing is absolute – especially in the realm of application security.
As Hansen points out in the graphic, not all of the mitigations to protect a website are web application-centric. Sometimes you need to dig below the frost line to secure the foundation.