Defense-in-depth is a cornerstone of any information security strategy. Corporate networks are routinely segmented into various zones such as “public”, “DMZ”, “extranet” and “intranet” to contain sensitive information deep within several protection domains. Failure of one control should not compromise the entire system.
Defense-in-depth is everywhere. Border routers filter spoofing attacks. The firewalls behind them enforce specific network (and sometimes application) controls. IPS/IDS systems monitor numerous operational parameters. Sophisticated log analysis and alerting tools are being deployed. Everything from the HR hiring procedures to the workstation anti-virus update procedure forms a part of this layering strategy.
Yet while IT and security professionals are becoming adept in designing sophisticated fortresses to protect ultra-secret corporate data, sometimes they completely forget to protect their customers.
Defense-in-depth as practiced today protect bad stuff from coming in, but not bad stuff from going out.
You see, the Solvay public website is more or less just a “brochure-ware”. It doesn’t have credit-card numbers. It doesn’t contain Solvay’s trade secrets. A lowly XSS attack like the above wont compromise any Solvay databases. It’s not worthy of a fix.
I can, however, use the above XSS to phish Solvey customers into giving up their confidential information. Or create a fake press release to manipulate Solvay’s stock price. I’m sure Solvay’s investors wont be very happy.
A simple XSS bug might be “harmless” by itself but can form a powerful attack when combined with other techniques, both technical and non-technical. It can be a malicious “first-step” used to exploit other weaknesses in the system. Fixing simple problems like this should be part of any layered defense strategy.
Solvay, by the way, makes chemicals and pharmaceuticals, like industrial hydrogen-peroxide, equally useful in hair-bleaching and bomb-making.