NRI SecureTechnologies Web Application Security Assessment Trend Analysis Report 2008
PREVENTING "INCOMPLETE MEASURES" IS VITAL FOR ORGANIZATIONS WITH HIGH SECURITY AWARENESS - CRITICAL FLAWS FOUND IN 41% OF WEB SITES
1. Preface
The roles web sites play in raising sales, and the share of business they carry, are continuing to expand. Their functions and convenience have improved significantly to meet users' needs and the diversity of their usage. Web payments have become commonplace, and the amount of damage and the scope of impact caused by unauthorized access to such web sites are growing.
Unauthorized access to and tampering with numerous web sites have received wide coverage in the mass media since around November 2007. Once such an incident occurs, the organization is forced to take countermeasures and to absorb a large loss, including recovery of the web site and apologies and compensation to customers. Improving web site security is therefore an important measure for surviving the intense competition in today's Internet business.
This report explains web site security issues and the measures organizations take against them, together with a trend analysis of web site security, based on the results of the security assessment service conducted by NRI SecureTechnologies, Ltd. (hereinafter NRI Secure) in fiscal year 2007 and the results of the same service in past years.
2. Research Outline
NRI Secure conducted a security assessment service (web application security assessment) on 169 web sites in the fiscal year 2007 (April 1, 2007 - March 31, 2008).
These 169 web sites are operated by 48 organizations of the business types indicated in Figure 1. The business type is that of the client organization, even where site development and operation are outsourced. Also, where the security assessment covered multiple web sites of one organization, all of those sites are counted under that organization's business type.

Figure 1: Breakdown of the assessed web sites by business type
3. Web site security situation as the results of security assessment
3.1 Critical flaws found in 41% of web sites
Summarizing the results of the security assessments in the year 2007 confirmed that unauthorized access to sensitive information, such as other users' private information, was possible in 41% of web sites. In a further 30% of sites, unauthorized access to sensitive information could not be confirmed, but flaws which could lead to information leakage were found. Figure 2 shows the change in assessment results by year. While the ratio of sites containing fatal flaws has not changed drastically, the ratio of secure web sites is certainly increasing.
* "Sensitive information" in this report means information whose access should be restricted to specific legitimate users, taking the web site's features into account: for example, passwords and private information, account balances on financial sites, and order histories on shopping sites.

Figure 2: Web site security assessment results by year
The slight increase in the number of safe web sites likely reflects an increase in the number of organizations with established security measures. An organization which conducts security assessments repeatedly comes to realize that total rectification costs are lower if security measures are applied at an early stage of the development process, rather than detecting flaws through security assessment and correcting them afterwards. Such organizations use security assessment as a final check that the security measures deployed during web site implementation are functioning effectively.
However, there are numerous cases where this effort failed to eliminate all flaws. The difficulty of eliminating incomplete measures is reflected in the fact that the ratio of web sites whose sensitive information could be accessed has not decreased over the past four years. One cause is the increasingly complex system development environment: demand for speedy development, linkage and integration of multiple systems, development by multiple parties, and deployment of new technologies. Without a systematic approach it is hard to confirm a web site's security measures thoroughly and without omission. Security measures taken by organizations with high security awareness are introduced later in this report.
NRI Secure presented organizations whose web sites contained security flaws with a proposal of specific measures together with the assessment results, and strongly recommended that they apply the measures immediately. We therefore assume that most of these web sites have since applied the appropriate measures and are now secure.
3.2 "Incomplete measures" are the main cause of flaws
Throughout the years, three types of flaws have commonly been identified in cases where sensitive information could be accessed without authorization: "spoofing by abusing insufficient checks (hereinafter spoofing)", "accessing administrator interfaces by privilege escalation (hereinafter privilege escalation)", and "database manipulation by SQL injection (hereinafter SQL injection)".

Figure 3: Detection ratio by security flaw
Among these security flaws, the detection ratio of "spoofing" has been decreasing since the year 2004. This is because the points where spoofing may occur can be determined to some extent, and once the problem is recognized, measures are more likely to be applied without omission in subsequent updates and new developments than is the case for other security flaws.
There have been no major changes in the detection ratio of "SQL injection". As in the previous year, measures had been applied on most sites; however, there were many cases where application of the measures had been omitted on some specific pages. On the other hand, the detection ratio of "cross-site scripting" has slightly increased compared to the past three years. In most cases this security flaw was also caused by omissions in applying the measure, in the same way as "SQL injection".
There were cases where web pages added in a minor update after an initially flawless release contained security flaws. Such cases confirm that the most important theme in approaching these issues is how to prevent omissions during the application development and maintenance phases over the long term.

Figure 4: Ratios of overlooked measures where SQL injection or cross-site scripting was present
- Spoofing by exploiting insufficient checks
This is a security flaw where an authorized user, once logged in by some means, is able to access sensitive information without authorization. For example, assume a shopping site has a function to show the order history, and the internal "order ID" is transmitted from the web browser to the web site when the user displays the details of one of his/her orders. In such cases, it is common to see spoofing in which the internal "order ID" is manipulated to impersonate another user and access sensitive information without authorization (another person's order history, etc.).
- Accessing administrator interfaces by privilege escalation
This is a security flaw where privileged operations such as administrator interfaces become available by exploiting system vulnerabilities, regardless of whether the intruder is logged in as a general user or not logged in at all. Administrator interfaces usually include a number of functions to access confidential information, such as displaying a list of registered users' private information; therefore, such unauthorized access is highly likely to result in serious damage.
- Database manipulation by SQL injection
This is a highly dangerous security flaw where unauthorized acquisition of information accumulated in databases, and execution of arbitrary commands on servers, become possible by causing the web application to execute unexpected SQL statements. This type of attack has caused damage at numerous sites in Japan since around the year 2005, and incidents of global-scale damage have been reported since November 2007.
- Execution of malicious scripts using cross-site scripting
This is a security flaw where displaying false pages and acquiring cookies become possible by executing malicious scripts in the user's web browser using a method called cross-site scripting. However, in order to abuse this security flaw, a few prerequisites must be satisfied, such as tricking a user into accessing a forged URL. Therefore, sites where this security flaw was found are categorized under "Possibility of information leakage" rather than "Unauthorized access to sensitive information possible" in this report.
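The "spoofing" and "privilege escalation" flaws described above, shown side by side with their corrections in an added Python example (the report names no language and this is not code from any assessed site): an order-detail lookup that trusts the browser-supplied order ID next to one scoped to the server-side session user, and an administrator function whose privilege check sits in the handler rather than in the menu. The order table, user IDs and roles are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example: two customers and one administrator.
USERS = {1: "customer", 2: "customer", 9: "admin"}


def make_db():
    """In-memory shopping-site database with one order per customer (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1001, 1, "book"), (1002, 2, "camera")])
    return db


def parse_order_id(raw):
    """The order ID arrives as text from the browser; accept only a plain integer."""
    return int(raw) if raw.isdigit() else None


def order_detail_unscoped(db, order_id):
    """The 'spoofing' flaw: the query is parameterized, so SQL injection is
    handled, but ownership is never checked. Any logged-in user can read any
    order simply by changing the order ID sent by the browser."""
    return db.execute("SELECT order_id, user_id, item FROM orders WHERE order_id = ?",
                      (order_id,)).fetchone()


def order_detail(db, session_user_id, order_id):
    """Hardened version: the user ID is taken from the server-side session, never
    from the request, and the query is scoped to that user. Returns None when
    the order does not belong to the caller."""
    return db.execute("SELECT order_id, user_id, item FROM orders "
                      "WHERE order_id = ? AND user_id = ?",
                      (order_id, session_user_id)).fetchone()


def is_admin(session_user_id):
    return USERS.get(session_user_id) == "admin"


def list_registered_users(session_user_id):
    """Administrator interface. Hiding the menu entry for ordinary users is the
    'superficial measure' the report warns about; the privilege check has to be
    enforced in the handler itself, otherwise a general user who requests the
    URL directly reaches the administrator function."""
    if not is_admin(session_user_id):
        raise PermissionError("administrator privilege required")
    return sorted(USERS)


if __name__ == "__main__":
    db = make_db()
    # Customer 1 asks for customer 2's order: the unscoped lookup hands it over,
    # the scoped lookup returns nothing.
    print(order_detail_unscoped(db, parse_order_id("1002")))  # (1002, 2, 'camera')
    print(order_detail(db, 1, parse_order_id("1002")))        # None
```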
3.3 Trend of web sites which underwent security assessment for the first time
NRI Secure analyzed the web sites of organizations which underwent our security assessment for the first time (hereinafter new clients) in the year 2007. Unauthorized access to sensitive information was possible in 54% of these web sites, a significant difference from organizations which had undergone NRI Secure's security assessment previously (35%).
* New clients in this report are organizations which underwent security assessment by NRI Secure for the first time; they may have been assessed before by other parties.

Figure 5: Web site security assessment results by organizations' assessment experience
Information regarding threats to web sites and protective measures is widely available on the Internet nowadays, and it has become comparatively easy for organizations to collect information through their own efforts in order to implement a safe web site. However, it is not easy to confirm whether the implemented web site is secure enough to withstand attacks using the latest methods.
There is therefore a limit to how far an organization can proceed with its security measures on its own, since it is highly likely that security flaws are unintentionally built in or overlooked.

Figure 6: Detection ratio by organizations' assessment experience
The detection ratio of major security flaws shows that "cross-site scripting", "SQL injection" and "spoofing" are found on many web sites owned by organizations which underwent security assessment for the first time. In particular, "SQL injection" was found in 39% of new clients' web sites, more than twice the ratio for organizations with assessment experience.
However, with regard to "SQL injection" in new clients, only a small number of web sites completely lacked measures. Rather, measures had been applied to some extent, but were frequently limited to parameters directly entered by users, or to only some of the queries to the database, and therefore achieved only incomplete protection. This indicates a situation where organizations are aware of existing cases of "SQL injection" attacks and of the measures against them, but have difficulty determining how far the measures should be applied.
3.4 Business systems are liable to security holes in privilege management
This section divides the assessed web sites into "member's web sites", "inquiry web sites" and "business systems", and compares their detection ratios of major security flaws.

Figure 7: Detection ratio by provided services
The detection ratio of major security flaws by provided service shows that "privilege escalation" is singularly high in business systems. The reason is that business systems in many cases must implement privilege management which restricts the accessible functions according to the user's authority. "Cross-site scripting" and "SQL injection", by contrast, are problems common to all systems, and their attack methods and countermeasures are easier to understand; therefore, their ratios remain more or less the same across services. Privilege management, however, usually has to be implemented uniquely for each individual business system, and many systems seem to apply only superficial measures, such as adjusting the displayed menus according to the user's authority, without sufficient consideration of how the flaw could be abused.
This security flaw should be handled cautiously, since once privilege management is compromised it may lead to secondary crimes such as creating an unauthorized user account to be used for illegal activities.
Also, although inquiry web sites are generally small, in many cases they store users' private information and should therefore be equipped with a security level equivalent to that of large-scale web sites.
* Detection ratios for "spoofing" and "privilege escalation" are 0% for inquiry web sites since these sites do not have user authentication and privilege management functions.
- Member's web site
These web sites assume access from general consumers and are equipped with a user authentication function using passwords. They include Internet banking (bank) sites, shopping sites, etc., and are relatively large in size.
- Inquiry web site
These web sites assume access from general consumers and have no user authentication function. They include questionnaire sites, query sites, etc. They have a simple structure and are relatively small in size.
- Business system
These web sites assume access from the parties concerned, such as trading counterparties, rather than general consumers. In most cases they are equipped with a user authentication function using passwords. They include call center systems, order management systems, etc.
3.5 Trend of web sites for mobile phones
This section divides the assessed web sites into web sites for mobile phones (hereinafter mobile sites) and web sites for PCs (hereinafter PC sites), and describes the trends in major security flaws detected in mobile sites. The mobile sites assessed include online shopping, online trading, online banking, and financial product contract sites for mobile phones.

Figure 8: Detection ratio of PC sites and mobile sites
For most security flaws the detection ratio in mobile sites is lower than in PC sites. The reason is considered to be that mobile site screens are implemented with only the minimum necessary functions, in consideration of the visibility and operability of mobile phones and to make operation easier on a small screen, rather than incorporating multiple functions within a single screen as PC sites do.
On the other hand, the detection ratios for PC sites and mobile sites are reversed for the "predictable session ID" flaw. This security flaw was found in 25% of mobile sites, considerably exceeding the detection ratio in PC sites (10%).
- Special attention required for "predictable session ID" in mobile sites
This is a security flaw where "spoofing" access becomes possible by guessing other users' session IDs (information used to identify the user) from the session ID issued by the web site after a successful login. There is a risk of "spoofing" and unauthorized access to the web site when the issued session ID has some regularity or a poor random element.
The reason a "predictable session ID" is detected in many mobile sites is the restriction on the length of URLs. Mobile sites often transmit the session ID by including it within the URL. However, the amount of data a URL can carry is restricted; therefore, a random component of sufficient length cannot be included in the session ID. In some cases a predictable session ID also resulted from a defective proprietary method having been implemented as the session ID generation logic, instead of an algorithm whose security is established.
Special attention is also required where a content conversion server is deployed. Content conversion servers are devices which automatically convert web content into a mobile phone network carrier-specific format (cHTML, HDML, etc.). Some content conversion servers are also equipped with a function to issue their own session IDs, substituting for the web site's session management. In some cases predictable session IDs were issued by defective conversion servers.
- Surrounding environment of mobile sites
Many mobile sites are implemented "to be accessed only from mobile phones" by restricting access to requests originating from mobile phone network carriers (NTT DoCoMo, au, SoftBank, etc.). Mobile sites have suffered fewer attacks because, in contrast to PCs, the various attack tools cannot be run on mobile phones. However, improving mobile phone functionality may nullify the above restriction, since a method for "spoofing" access from a mobile phone using a smartphone has recently been introduced.
As the proportion of mobile phone access to web sites is increasing, the importance of security measures in mobile sites is also intensifying.
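The "predictable session ID" discussion above, as an added Python example (not code from the report or from any assessed site): a counter-based proprietary scheme of the kind the report warns about next to a CSPRNG-based ID that fits the same URL budget, plus the two checks an assessor applies to a sample of issued IDs (constant stride between consecutive IDs, and low character entropy). The 22-character URL budget is a constructed assumption standing in for the mobile URL length limit.

```python
import math
import secrets
from collections import Counter

# Assumption for this example: the mobile site can spend at most 22 URL characters
# on the session ID (a constructed budget standing in for the URL length limit).
URL_BUDGET = 22
HEX = "0123456789abcdef"
URLSAFE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"


def defective_session_id(counter):
    """A proprietary scheme of the kind the report warns about: a per-login
    counter, zero-padded to the URL budget. Every ID is predictable from the
    one before it, however many characters it occupies."""
    return f"{counter:0{URL_BUDGET}x}"


def strong_session_id():
    """128 random bits from the OS CSPRNG, encoded URL-safe. 16 bytes become
    exactly 22 characters, so a full-strength ID still fits the same budget."""
    return secrets.token_urlsafe(16)


def to_int(session_id, alphabet):
    """Decode an ID as a base-len(alphabet) integer so IDs can be compared numerically."""
    value = 0
    for ch in session_id:
        value = value * len(alphabet) + alphabet.index(ch)
    return value


def has_constant_stride(ids, alphabet):
    """Assessment check 1: do consecutive IDs differ by the same amount?
    True for counters and for timestamps sampled at a fixed rate."""
    values = [to_int(s, alphabet) for s in ids]
    strides = {b - a for a, b in zip(values, values[1:])}
    return len(strides) == 1


def bits_per_char(ids):
    """Assessment check 2: Shannon entropy of the characters actually used.
    A padded counter spends most of its length on '0'; a random token over a
    64-symbol alphabet approaches log2(64) = 6 bits per character."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def audit(ids, alphabet):
    """Flag a sample of issued session IDs as predictable if either check fails."""
    return has_constant_stride(ids, alphabet) or bits_per_char(ids) < 3.0


if __name__ == "__main__":
    weak = [defective_session_id(n) for n in range(5000, 5010)]
    strong = [strong_session_id() for _ in range(10)]
    print("defective scheme predictable:", audit(weak, HEX))       # True
    print("CSPRNG scheme predictable:   ", audit(strong, URLSAFE))  # False
```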
4. Organizations with established security measures are heading to solve the next issue
Web sites with problems arising from "incomplete measures" were frequently seen in security assessments in the year 2007. On the other hand, the number of organizations which apply no measures at all, in other words organizations with no recognition of the threats and actual attacks surrounding web sites or of the necessity of measures, is decreasing. For reference by organizations which are already actively taking action as well as those planning to, we introduce several approaches to the common issue of "incomplete measures" taken by advanced organizations.
- Upper process implementation is advancing
Organizations which undergo security assessment repeatedly have established guidelines for design and development and are promoting their application. Providing standards to conform to prevents necessary security measures from being overlooked in the upper process of web site implementation, where requirements are defined and design is undertaken: identifying threats, analyzing risks and defining security requirements.
However, there are issues in the use of guidelines. These derive from a breakdown of the PDCA (Plan, Do, Check and Act) cycle: prepared guidelines are not made known or taught, conformity to the guidelines is not checked, or newly recognized security flaws are not reflected in the guidelines. Also, if flaws are found by security assessment in a web site which was implemented in accordance with the guidelines, some process in the above PDCA cycle is not functioning properly. This may become the cause of new "incomplete measures".

Figure 9: Management cycle of web site security measures
- Checking source code for effectively eliminating "incomplete measures" at implementation
It is important to reduce security flaws derived from "incomplete measures", since overlooking just a single high-risk flaw may jeopardize all previous measures.
Some organizations reported that they have included static analysis of source code in the development process as an approach to eliminating "incomplete measures". Most security flaws derived from "incomplete measures" are the consequence of implementation issues with wide coverage: cross-site scripting requires measures across the entire web site, and SQL injection requires measures at every function which involves database queries. Such security flaws can easily be built in unknowingly; deploying source code examination tools in the development process can therefore be an effective measure against "incomplete measures".
Also, if the measures for SQL injection, etc. are described in the guidelines, such checks can be used to see whether the guidelines have been correctly applied in the source code produced by each individual developer.
- Proving secure programming ability
Organizations whose operations rely heavily on web sites are trying to achieve web site security by deploying methods such as the above in the development process. Since preventing "incomplete measures" at implementation is a crucial issue, organizations which outsource system development should have the means to assess whether the outsourced organization has the ability to develop a robust system.
While such system developers autonomously train themselves on security issues and make efforts to improve the security of their customers' systems, an indicator which objectively evaluates their programming ability would strengthen their competitiveness. Some organizations in the U.S.A. require a qualification proving specific secure programming ability as a prerequisite for handling source code.
Eliminating "incomplete measures" is also necessary to reduce the costs incurred by rework. However, since implementation is prone to human error, it is impossible to eliminate "incomplete measures" completely; it is therefore necessary to approach the issue with a multi-layered defense, on the assumption that "incomplete measures" are always present.
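The source-code check for "incomplete measures" described in section 4 above, as an added Python example (a toy checker written for this page, not a tool from the report or from NRI Secure): it walks a program's syntax tree and reports every database call whose SQL text is assembled at run time, which is exactly the kind of omission the report says is left behind when the SQL injection guideline is applied to some queries and not others. The sample source it scans is constructed; real tools of this kind also cover other query APIs and languages.

```python
import ast

# Constructed sample of application code in the state the report describes: the
# parameterized-query measure applied in one function and omitted in the others.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
def find_order(cur, order_id):
    cur.execute(f"SELECT * FROM orders WHERE id = {order_id}")
def find_item(cur, sku):
    cur.execute("SELECT * FROM items WHERE sku = %s" % sku)
def find_item_safe(cur, sku):
    cur.execute("SELECT * FROM items WHERE sku = ?", (sku,))
def find_sku(cur, sku):
    cur.execute("SELECT * FROM items WHERE sku = {}".format(sku))
'''

QUERY_METHODS = {"execute", "executemany"}


def contains_non_literal(node):
    """True if a string expression is built from anything other than literals,
    so that "SELECT" + " FROM t" (two constants) is not a finding."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp):
        return contains_non_literal(node.left) or contains_non_literal(node.right)
    return True


def is_dynamic_sql(node):
    """Is the query argument assembled at run time from non-literal parts?"""
    if isinstance(node, ast.JoinedStr):                       # f"... {x}"
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return contains_non_literal(node)                     # "..." + x, "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "...".format(x)
    return False


def find_dynamic_queries(source):
    """Return the line numbers of execute()/executemany() calls whose SQL text is
    built dynamically, i.e. the places where the parameterization guideline was
    not applied. A literal query with a separate parameter tuple is not flagged."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in QUERY_METHODS and node.args
                and is_dynamic_sql(node.args[0])):
            findings.append(node.lineno)
    return sorted(findings)


if __name__ == "__main__":
    for line in find_dynamic_queries(SAMPLE_SOURCE):
        print(f"line {line}: SQL text assembled at run time; use a parameterized query")
```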
5. Conclusion
The web site trends in this report summarize organizations which deployed "security assessment" as one of several security measures. While some organizations take advantage of security assessment to accumulate know-how in secure web site construction and are advancing efficient security measures, many web sites are still operating without sufficient security measures and with latent fatal flaws.
The results of a questionnaire conducted by NRI Secure indicated that only 20%*1 of organizations undergo security assessment of their web applications. As described in this report, fatal flaws have been found in a high percentage of new clients' web sites. This indicates that fatal flaws are likely to be present in many web sites on the Internet.
One reason security measures are not applied may be the notion that "capital should be actively invested in activities which lead directly to profit in order to survive intense competition in the industry". However, given the current situation, where recent unauthorized access incidents are carried out indiscriminately and on a large scale, one's own web site can become the target of the next attack at any time. Investment in security measures is therefore becoming vital to maintaining a stable Internet business.
We believe that deploying security assessment to recognize security flaws and risks in web sites is an effective first step towards efficient security measures. We strongly recommend that you reconfirm how well your organization's web sites are secured.

Figure 10: Deployment status of security assessment
(Source: "Organizations Information Security Status Investigation 2007"*2 by NRI SecureTechnologies Ltd.)

Figure 11: Subject of deployed, planned or considered security assessment
(Source: "Organizations Information Security Status Investigation 2007" by NRI SecureTechnologies Ltd.)
*1: 64.6% of organizations are deploying or planning security assessment, as indicated in Figure 10. Also, 30.6% of the organizations deploying security assessment apply it to web applications, as indicated in Figure 11. Therefore, the percentage of organizations undergoing security assessment of their web sites is approximately 19.8% (= 64.6% x 30.6%) of all organizations.
*2: Results of a questionnaire conducted by NRI Secure in October 2007 on approximately 3,000 organizations which have 300 or more employees, or which have fewer than 300 employees and are listed in the 1st or 2nd section of the Tokyo Stock Exchange.
--------------------------------------------------------
[For inquiries, please contact:]
Hirofumi Oka/Go Hasegawa
Consulting Services Department
NRI SecureTechnologies,Ltd.
E-mail: assess@nri-secure.co.jp
--------------------------------------------------------
Copyright(c) 2008 NRI SecureTechnologies,Ltd. All rights reserved.
No reproduction or republication without written permission.