No Breach, No Foul
Businesses may not be required to fix vulnerabilities on their Websites - until it's too late
October 17, 2007
If you find a new security vulnerability on your Website, do you have to fix it? Not necessarily.
As long as the vulnerability isn't detected in a compliance audit scan, or doesn't get exploited by an attacker, a business could theoretically just sit on a Website bug -- either for cost reasons, a lack of resources, or ignorance of its implications, security experts said this week.
If you look closely at existing security regulations, there's really nothing stopping a Website owner from merely blowing off that newly discovered cross-site scripting (XSS) bug. "No harm, no foul," says Rich Mogull, founder of Securosis LLC, an independent security consultancy. "To my knowledge, nothing requires you to fix a vulnerability."
But such oversights could be bad news for the Web. Security experts are already forecasting a Web security meltdown, as the bad guys begin setting their sights on the abundance of vulnerabilities tucked into Websites. Nine out of 10 Websites harbor serious bugs, according to a new report from WhiteHat Security, with cross-site scripting (XSS) and data leakage at the top of the list. (See Grossman: White Hat, Blue Belt.)
"We've built a foundation for e-commerce that was not designed for any inherent security, and we're pushing the Web to do things it never did before. And in the process, that creates a lot of opportunities for different kinds of exploitation," Mogull says.
Security and legal experts agree that regulations such as PCI-DSS and Sarbanes-Oxley just haven’t been sufficiently tested yet to determine if they have enough teeth to ultimately force businesses to fix every bug they find on their Websites.
Conversely, the laws are relatively clear when it comes to an actual attack that exploits a known vulnerability. "You will be sued. If you haven't fixed it, you're going to pay a lot more money" in the end, says Scott Kamber, managing member of New York-based law firm Kamber & Associates. Kamber says most cases he sees are being settled, since no company wants to have to argue in court that they weren't obligated legally to secure their Website adequately.
"That argument is a disaster," he says. "Nobody wants to be the test case here. If a company knows it has a vulnerability and still represents to its employees or customers that its network is secure and it's doing all it can to keep it secure, that would trigger liability. It's a misrepresentation."
Jeremiah Grossman, CTO and founder of WhiteHat Security, says security pros are often looking for some leverage to convince their Website developers and the business side to invest in better Web security. "Developers aren't listening, business isn't listening. [Security pros] are asking if there's a legal lever they can cite to force them to do the right thing," he says.
Trouble is, the enforcement of some of the regulations is weak and untested as well. "PCI is a pretty good standard, but there's little enforcement of it. A merchant is incentivized to use the lowest cost security vendor to find the least vulnerabilities... to look the other way," he says. (See Retailers Still Lag in PCI Compliance.)
Bob Russo, general manager of the PCI Security Standards Council, says if a Website is PCI-certified, the owner must fix any newly found vulnerabilities. "You could be certified today for a scan and something else comes along tomorrow and then you could be out of compliance," he says. "You need to be compliant at all times... It's certainly implied that you are fixing the stuff you are finding."
If a quarterly scan were to show new vulnerabilities, the company would have to fix them to remain compliant, Russo says. "The regulation says if you are not compliant at the time of a breach, you are responsible for any penalties and fines. If you are breached, you must be found to be compliant at the time of the breach."
And Russo says so far, PCI seems to be working: "To our knowledge, no one that's been [PCI] compliant has suffered a breach so far," he says.
The bottom line -- whether you're under PCI or not -- is that knowingly harboring vulnerabilities in your Website is risky business, especially if you store sensitive customer or employee data. "It's getting harder and harder for companies to keep [vulnerabilities] a secret," says Kamber, who specializes in cybersecurity law. "Sooner or later, a vulnerability will be exploited, information will be leaked, and systems will be damaged, and somebody's going to find out about it."
Still, there are big loopholes in today's security regulations. "If [a Website] is breached in a way you can't detect or can't be traced back to you, you're in the clear," Mogull says. "And how do you know when a particular company is breached? This is the kind of game the lawyers are playing."
And the relatively anemic market for Web application firewalls and other Web security tools is a big red flag that companies just aren't "getting" the dangers of Web security, according to Mogull. "We're not really seeing [a significant] enough investment in Web security, which is a clear indicator that they don't really understand the scope of the problem and don't prioritize it," he says. "There's almost no market for Web application firewalls, and Web vulnerability scanners are still a very small market, although it's increasing. Database monitoring could really help with a lot of these problems, but almost no one deploys them."
And things aren't likely to improve until more companies suffer losses from Website breaches, he says. "When it hits a certain threshold they will start putting stronger security controls into place," he says. "It's a mess right now, and a lot of people are going to get hurt in the process."