Web-facing Applications Security Assessment Tools and Strategies
Page 2 of 9 Sponsored by
Web-facing Applications: Security Assessment Tools and Strategies
Contents
Web-facing Applications: Mitigating Likely Web Application Threats
How to Review Your Web Application Security Assessment Tools, Strategy
Businesses are constantly creating web applications that offer improved access to information. However, this online presence has opened the door to new information security threats, and web application security assessments often fall short in their results. Read this expert E-Guide to learn how you can properly assess web application threats and the tools your organization can use.
Web-facing Applications: Mitigating Likely Web Application Threats
By: Nick Lewis, Enterprise Threats
Nearly all businesses now cultivate a presence online. They do so not only to
provide information, but also to interact with their customers via Web apps,
blogs and forums. From an online retailer's interactive baby registry, to an
electronic trading site's investment calculator, or a software vendor's
interactive support forums, on a daily basis enterprises are spawning new
Web applications that offer enhanced access to information.
This rapid rise of business-centric interactivity on the Web has, in turn,
brought forth new information security threats that were not previously
present in an organization's static webpages. These threats are
targeted specifically at Web applications, including the supplementary Web
servers, databases and other supporting infrastructure of an organization.
In this tip, we will examine the most urgent threats to Web-facing applications
today and how security teams can make them secure.
Urgent threats to Web-facing applications
There have been a number of recent reports from such vendors as Cenzic
Inc., Hewlett-Packard Co. (.pdf), Imperva Inc. (.pdf), Veracode Inc. (.pdf),
Whitehat Security Inc. (.pdf) and, most recently, Verizon, which assessed
numerous Web application threats facing enterprises today. The two most
common threats to Web applications from all of the reports were cross-site
scripting (XSS) and SQL injection. Both of these threats have been around for
years, but Web applications remain vulnerable to them.
Given the prevalence of these incidents and the abundance of tools
available for XSS and SQL injection attacks, organizations must significantly improve
Web application security before the risk of such attacks can be reduced.
New, less prevalent Web application threats have started to emerge, but
most attacks still exploit these most basic weaknesses.
Making Web applications more secure
There are a couple of basic ways for security teams to make Web applications
more secure: improving Web application development and
implementing new tools to help manage new information security risks to
Web applications. These methods complement each other and therefore
should not be used individually without other security controls in place.
Improving Web application development to improve the security of Web
applications should be part of any software or security development lifecycle.
There are many resources on software development lifecycles (SDLCs),
including Microsoft and general resources from DHS National Cyber Security
Division on building security into enterprise software development. Most
relevant to improving Web application security are the focused guides from
Open Web Application Security Project (OWASP), which include the
Development Guide 2010, which discusses secure Web application
development. As a part of an SDLC, users may want to include checks for
the most prevalent threats to Web applications and regularly update the
threat list. All of these tactics can be used to train developers on secure ways
to improve applications to ensure security bugs are minimized, found faster
and fixed faster.
Separately, the other important way to mitigate threats to Web-facing
applications is by implementing new tools to help manage Web application
security. These tools may not be new per se, but for many organizations,
products like Web application firewalls and Web application security
scanners have never been a consideration because they've either been able
to avoid the compliance requirements that call for them, or because Web-
based threats were never a significant concern.
Yet these and other related emerging Web defense technologies can be
used to block Web application-layer attacks and to scan for
Web application vulnerabilities. Web application security scanners can be
included in your SDLC testing phase or run as a standalone project to proactively
evaluate the security of your Web applications. Web application firewalls
inspect Web traffic for attacks on a Web application, often blocking the most
common attacks. That said, Web application firewalls and Web
application security scanners will not block or detect all attacks or
vulnerabilities, so both tools will need to be constantly updated to detect new
threats.
These tools should extend your existing controls, but you should
understand how the urgent threats bypass many of the traditional security
controls. For example, if you allow HTTP over port 80 through your firewall
to a Web server, your firewall does not typically evaluate whether the network traffic
is legitimate HTTP traffic or whether it includes potentially malicious SQL code used
for a SQL injection attack. A Web application firewall can inspect the HTTP
traffic and identify, and in many cases block, most SQL injection
attacks. Remember, no single security tool or control can protect all of an
enterprise's Web applications, although the combination of Web application
firewalls and Web security scanning provides solid protection against the
most common XSS and SQL injection attacks.
Conclusion
New Web applications that allow organizations to interact with and improve
relationships with customers have brought information security risks
that old static webpages never carried. Traditional security controls have been largely
ineffective against the urgent Web application threats on their own, but
extending the traditional controls to include Web application security in
SDLCs and implementing new Web application security tools will help reduce
the risk of these threats. Those that aren't using these technologies and don't
have plans to do so should carefully weigh the benefits that such applications
afford against the potential dangers of expanding their Web presence online.
Securing today's Web-facing systems against these new threats has become
an essential priority for any enterprise information security program.
About the author:
Nick Lewis, CISSP, is an information security architect at Saint Louis
University. Nick received his Master of Science in Information Assurance
from Norwich University in 2005 and in Telecommunications from Michigan
State University in 2002. Prior to joining Saint Louis University in 2011, Nick
worked at the University of Michigan and previously at Children's Hospital
Boston, the primary pediatric teaching hospital of Harvard Medical School, as
well as for Internet2 and Michigan State University.
How to Review Your Web Application Security Assessment Tools, Strategy
By: Cory Scott, Contributor
Web application security assessments often fail to produce meaningful
results, leaving enterprise security teams scratching their heads about what
went wrong. Some are quick to blame the tools in use, others blame a lack of
application security training and talent in the information security team, and
in many cases the assessment is treated like a checklist item that is given little
time, planning or forethought.
Web application security assessments need to get close enough to the
application to develop a threat model, look for common vulnerability patterns,
and customize their approach based on an evaluation of the technologies
rather than using a one-size-fits-all approach. In this tip, we'll explore each of
these points.
Does your Web application security assessment start by getting a grasp of
the business purpose and justification for why the application exists in the
first place? Unless you can clearly state what the application requirements
and expectations for performance are, you can't begin to assess it for
vulnerabilities. After all, what may seem like a broken function may actually
be an intended feature; what appears to be sluggish performance may be
perfectly normal.
Don't let the application development team bury you in jargon or cryptic
acronyms; if you don't know what something means, ask. Developers often
forget that the Web application security assessment team is missing context
that has already been established within their group. Get out the whiteboard
and draw out the system as you understand it, and let them correct you or
add that context.
Once you have a good understanding of the application, build a quick threat
model. The following questions will help you to determine which
vulnerabilities have meaningful effects on the application.
- Who is likely to attempt to abuse this application? Anonymous users on the Internet? Your customers? Internal users?
- Where is the trust boundary and what attack surface is exposed to untrusted or semi-trusted users?
- What assets are worth protecting? Common assets include the integrity of the application's data, availability of the service, the confidentiality of user or company data, or the underlying operating system or network. Don't forget about client-side threats, where user sessions and browser integrity can be targeted.
- What incidents have taken place in the past and what concerns keep the application team up at night?
- What security requirements were important enough to be documented, and more importantly, what requirements were assumed or implied without being documented?
Web applications often share a set of "deadly features" that have a common
and frequent pattern of vulnerabilities that usually are platform-independent.
Things such as file download and upload, custom session management,
authorization and access control, homegrown single sign-on, password
storage and reset mechanisms, email functionality and search functionality
often have critical flaws because of the subtle complexity required to
implement them safely. Make sure you identify these potential problem areas
when you assess an application, as they are likely to require careful
attention.
An assessment approach should be customized to the situation at hand. If
the application is a third-party product where source code is not available,
dynamic vulnerability analysis with tools may be the preferred approach, and
if the application has a high-risk posture, manual penetration testing may be
the logical next step.
Where source is available, work hand-in-hand with the development team to
use source code analysis tools to look for vulnerabilities. Don't just throw
Web application security assessment tools over the wall and ask developers
to run them. Get feedback on each tool's strengths, and invest time in
learning how to set tools up effectively to get sufficient coverage. When you
first start using static code analysis tools, quickly throw out classes of
findings that are not relevant to your threat model or prone to false
positives, to avoid fatigue.
When using dynamic analysis tools such as Web application vulnerability
scanners, make sure the tool "understands" your application as much as
possible, including where all the application endpoints are and what
functionality exists. Too many people rely exclusively on a tool's capabilities
to discover content and test it effectively without verifying the most sensitive
parts of the application are covered.
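One concrete way to verify the coverage the paragraph above asks for is to compare the application's route inventory against what the scanner actually requested during the scan window. The block below is an added example, not part of the original article: the endpoint list, the scanner's User-Agent string ("AssessScanner/1.0") and the access-log lines are all constructed, and "sensitive" marks the routes the assessment must not miss.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed route inventory (hypothetical paths) as extracted from the application's
# route table; the value flags the sensitive endpoints that must be covered.
ENDPOINTS = {
    "/login": True,
    "/password/reset": True,
    "/account/{id}": True,
    "/account/{id}/export": True,
    "/search": False,
    "/help": False,
}

# Constructed Common Log Format lines from the scan window; the scanner is recognised
# by its (hypothetical) User-Agent, other traffic is ignored for coverage purposes.
ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2012:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "AssessScanner/1.0"
10.0.0.5 - - [10/Oct/2012:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 "-" "AssessScanner/1.0"
10.0.0.5 - - [10/Oct/2012:13:55:38 +0000] "GET /search?q=test HTTP/1.1" 200 2048 "-" "AssessScanner/1.0"
10.0.0.5 - - [10/Oct/2012:13:55:39 +0000] "GET /account/1042 HTTP/1.1" 200 900 "-" "AssessScanner/1.0"
10.0.0.5 - - [10/Oct/2012:13:55:40 +0000] "GET /help HTTP/1.1" 200 300 "-" "AssessScanner/1.0"
192.0.2.7 - - [10/Oct/2012:13:55:41 +0000] "GET /password/reset HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def template_of(path: str) -> Optional[str]:
    """Map a concrete request path to the route template it belongs to, if any."""
    for tmpl in ENDPOINTS:
        pattern = "^" + re.sub(r"\{[^/]+\}", "[^/]+", tmpl) + "$"   # {id} matches one segment
        if re.match(pattern, path):
            return tmpl
    return None


def scanner_coverage(log_text: str, scanner_ua_prefix: str) -> dict:
    """Return which route templates the scanner reached and which it missed."""
    hit = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("ua").startswith(scanner_ua_prefix):
            continue  # skip malformed lines and requests that are not the scanner's
        tmpl = template_of(urlsplit(m.group("target")).path)  # drop the query string
        if tmpl:
            hit.add(tmpl)
    missed = sorted(t for t in ENDPOINTS if t not in hit)
    return {"covered": sorted(hit), "missed": missed,
            "missed_sensitive": [t for t in missed if ENDPOINTS[t]]}
```

Run against the constructed log, the report lists the password reset and account export routes as sensitive endpoints the scanner never touched, which is exactly the gap that needs closing before the dynamic results are trusted.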
Manual penetration testing should be considered for high-risk applications,
sometimes in conjunction with code review or dynamic analysis. Leverage
your penetration testing resources to look for things that are difficult to
automate, such as threats targeted at data leakage, authentication and
authorization bypass, and cryptographic vulnerabilities.
When putting this approach together, realize that organizational change
takes time. People that are used to steamrolling through the assessment
process may be hesitant at first to dedicate the necessary time to produce a
meaningful Web application security assessment. A step-wise approach that
shows the value for time spent incrementally will often break down some of
the defensive barriers.
About the author:
Cory Scott is a San Francisco-based director at Matasano Security, an
independent information security research and development firm.