Why Web Application Security

Securing a company's web applications is today's most overlooked part of securing the enterprise. Hacking is on the rise, with as much as 75% of cyber attacks carried out over the internet and through web applications.

Most corporations have secured their data at the network level, but have overlooked the crucial step of checking whether their web applications are susceptible to attack.


Web applications raise specific security concerns:

1. To provide the service they were designed for, web applications must be online and available 24x7x365.
2. This means they are always publicly reachable and cannot, by themselves, discriminate between legitimate users and hackers.
3. To function properly, web applications need direct access to backend databases that contain sensitive information.
4. Most web applications are custom-made and rarely pass through the rigorous quality assurance checks applied to off-the-shelf software.
5. Because awareness of the kinds of attack aimed at web applications is limited, organisations treat the application layer as though it were part of the network layer when it comes to security.

The Jeffrey Rubin Story

In a 2005 article published by Information Week, a prominent security expert called Jeffrey Rubin narrates his experience of a successful hack attack. Here is a quotation from his article (the full reference is given at the end of this article):

"We're like most Web developers who utilize the Microsoft platform ... Although we try to remain current with patches and service packs, we realize attackers often go after application, rather than network, vulnerabilities. A colleague suggested we install a hardware firewall to stop future attacks. Not a bad suggestion, but hardly a cure-all given that we have Ports 21, 80 and 443 and our SQL server (on a nonstandard port) wide open for development purposes. All things considered, we're in the business of developing dynamic Website pages, and our clients are all over the country."

Jeff's story is striking mainly because (a) developers, like everyone else, are prone to error despite all the precautions they take to sanitize the applications they build, and (b) even as an expert he was lulled into a false sense of security by applying the latest patches and service packs. Jeff's story, sadly, is not unique. It arises from a misunderstanding of what the security infrastructure of an organisation consists of, and of which solutions are available to help people in their fight to protect their data.

Since many organisations do not monitor online activity at the web application level, hackers have free rein: given even the smallest loophole in a company's web application code, an experienced hacker can break in using only a browser plus some creativity and determination. This lax security means that attempted attacks go unnoticed, because companies react only to successful hacks. In other words, companies fix the problem AFTER the damage is done. Finally, most hack attacks are discovered months after the initial breach, mainly because attackers have no need to leave an audit trail and make sure they do not.

Systems administrators, CTOs and business people alike think of cyber intrusion in the same terms as physical intrusion: a burglar in your house leaves traces, e.g., a broken window or a forced lock. In web application attacks this physical evidence does not exist.

The Security Infrastructure of an Organization

It is convenient to think of the infrastructure of an organisation as a set of layers. In the same way you would protect against rust by applying a number of paints, chemicals and anti-oxidants in layers, a systems administrator puts in place several specialised security solutions, each addressing a specific problem area.

These security layers represent a holistic outlook that treats security as a set of hardening measures taken to minimise intrusion risk and maximise the protection around the key asset of any organisation: its data.

Standard security layers include:

  • The User layer, containing software such as personal firewalls, anti-rootkits, registry cleaners, backup, anti-virus, anti-phishing and anti-spy/adware
  • The Transport layer, including SSL encryption, HTTPS and similar protocols
  • The Access layer, with access control, authentication, cryptography, firewalls, VPNs and Web Application Firewalls
  • The Network layer, with firewalls, network scanners, VPNs and intrusion detection

The fifth layer is the Application layer, and it must include web site and web vulnerability scanning. Source code analysis belongs here too.

Web Vulnerability Scanners aren't Network Scanners

Web vulnerability scanners (e.g., Acunetix WVS, SPI Dynamics WebInspect) are not network scanners (e.g., Qualys, Nessus).

Whereas network security scanners analyse the assets on the network for possible vulnerabilities, Web Vulnerability Scanners (WVS) crawl and analyse web applications (e.g., shopping carts, forms, login pages, dynamic content) for any gaps resulting from improper coding that could be manipulated by hackers.

As an example, it may be possible to trick a login form into believing that you have administrator rights by injecting specially crafted SQL (the language understood by databases) commands into its fields. This is only possible if the inputs (i.e., the username and/or password fields) are not properly validated and are concatenated directly into the SQL query sent to the database. This is SQL Injection!
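To make the login-form bypass concrete, here is an added example (not code from the original article) with a deliberately vulnerable login function beside its hardened form, both against a constructed in-memory SQLite table. The table contents, the account names and the function names are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an admin and an ordinary user.
    Passwords are stored in clear only to keep the query logic visible;
    a real application stores password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!', 1)")
    db.execute("INSERT INTO users VALUES ('bob', 'hunter2', 0)")
    return db


DB = make_db()


def build_vulnerable_query(username, password):
    """String concatenation: whatever the user types becomes part of the SQL text."""
    return ("SELECT username, is_admin FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(username, password):
    """Deliberately vulnerable login (the 'before' of the fix).
    Returns the matched (username, is_admin) row or None."""
    return DB.execute(build_vulnerable_query(username, password)).fetchone()


def login_safe(username, password):
    """Hardened login: placeholders keep the input as data, so the database
    never parses quotes or comment markers typed by the user as SQL."""
    return DB.execute(
        "SELECT username, is_admin FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    # Payload 1: close the string and comment out the password check.
    print(build_vulnerable_query("admin'--", "wrong"))
    print("vulnerable:", login_vulnerable("admin'--", "wrong"))
    print("safe:      ", login_safe("admin'--", "wrong"))
    # Payload 2: a tautology in both fields.
    print("vulnerable:", login_vulnerable("' OR '1'='1", "' OR '1'='1"))
    print("safe:      ", login_safe("' OR '1'='1", "' OR '1'='1"))
```

The first payload turns the query into `... WHERE username = 'admin'--' AND password = 'wrong'`; everything after `--` is a comment, so the password check disappears and the admin row comes back. The parameterized version passes the same text as a bound value and finds no such user.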

Network-level defences provide no protection against such web application attacks, because the attacks are launched over port 80 (the default for websites), which has to stay open for the business to operate normally.

What is needed is a web application scanner / web vulnerability scanner or a black-box testing tool.

Black box Testing

Black box testing is a test design methodology. In web application black box testing, the web application is treated as a whole, without analysing its internal logic and structure. Typically, web application scanners check whether the application as a whole can be manipulated to gain access to the database. Modern tools allow a great deal of automation, in effect reducing the manual input required to test web applications.

Note the word reducing, not minimising or doing away with. As any security consultant will tell you, automation will never replace the intelligence and creativity of a human tester.

In general, automated scanners first crawl the whole website, analysing in depth each file they find and mapping the complete site structure. After this discovery stage, the scanner performs an automated audit for vulnerabilities by launching a series of hacking attacks, in effect emulating a hacker. The scanner analyses each page for places where data can be input and then tries many different input combinations. Scanners check for vulnerabilities on web servers (on open ports), in all web applications and in the website content itself. The more robust products launch such attacks intelligently, using varying degrees of heuristics.
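The crawl-then-audit loop described above, as an added example that is not part of the original article and not the code of any scanner it names. The "site" is a constructed dictionary of path-to-HTML pages, the target application is a small constructed search handler that builds its SQL by concatenation (deliberately vulnerable), and the probe strings, error signatures and function names are assumptions for the illustration. The scanner discovers links and forms, then submits each probe to every input and flags both error-based and behaviour-based signals.

```python
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed mini-site standing in for the crawled web application.
SITE = {
    "/": '<a href="/products">Products</a> <a href="/about">About</a>',
    "/about": "<p>About us</p> <a href='/'>Home</a>",
    "/products": ('<form action="/search" method="get">'
                  '<input name="q"><input type="submit"></form>'),
}


class LinkFormParser(HTMLParser):
    """Collects hyperlinks and form input names from one page (discovery stage)."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "text") != "submit" and a.get("name"):
                self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def crawl(site, start="/"):
    """Walk every reachable page; return the sorted page list and discovered forms."""
    seen, queue, forms = set(), [start], []
    while queue:
        path = queue.pop()
        if path in seen or path not in site:
            continue
        seen.add(path)
        parser = LinkFormParser()
        parser.feed(site[path])
        for href in parser.links:
            queue.append(urlparse(urljoin(path, href)).path)
        for form in parser.forms:
            form["action"] = urlparse(urljoin(path, form["action"])).path
            forms.append(form)
    return sorted(seen), forms


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT)")
    db.executemany("INSERT INTO products VALUES (?)", [("widget",), ("gadget",)])
    return db


DB = build_db()


def target_app(path, params):
    """Constructed target: /search concatenates the q parameter into SQL (vulnerable)
    and leaks the database error text. Returns (status, body)."""
    if path != "/search":
        return 404, "not found"
    try:
        sql = "SELECT name FROM products WHERE name LIKE '%" + params.get("q", "") + "%'"
        rows = DB.execute(sql).fetchall()
        return 200, ", ".join(r[0] for r in rows)
    except sqlite3.Error as exc:
        return 500, "Database error: " + str(exc)


PROBES = ["'", '"', "' OR '1'='1"]
ERROR_SIGNATURES = ["Database error", "syntax error", "unrecognized token"]


def audit(forms, app):
    """Audit stage: for every form input, compare a harmless baseline request
    with each probe. Flag error-based hits (server error or leaked DB message)
    and tautology hits (a nonsense search that suddenly returns records)."""
    findings = []
    for form in forms:
        for field in form["inputs"]:
            base_status, base_body = app(form["action"], {field: "zqxj-baseline"})
            for probe in PROBES:
                status, body = app(form["action"], {field: probe})
                if status == 500 or any(sig in body for sig in ERROR_SIGNATURES):
                    findings.append((form["action"], field, probe, "error-based"))
                elif status == 200 and base_status == 200 and base_body == "" and body:
                    findings.append((form["action"], field, probe, "tautology"))
    return findings


if __name__ == "__main__":
    pages, forms = crawl(SITE)
    print("pages:", pages)
    for finding in audit(forms, target_app):
        print("finding:", finding)
```

Two of the three probes fire against the constructed handler: the lone quote unbalances the string literal and the leaked SQLite error is matched as a signature, and the tautology turns `LIKE '%zqxj%'` (no rows) into `LIKE '%' OR '1'='1%'` (every row). The double quote is harmless inside a single-quoted literal and produces no finding, which is why a scanner tries several input variants per field rather than one.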

Heuristic Web Scanning

It is essential to realise that web vulnerability scanning should not be limited to checking known applications (e.g., off-the-shelf shopping carts) and/or known module vulnerabilities (e.g., SQL injection in a phpBB login form) against a pre-determined library of known issues. If it did only that, the vulnerabilities in custom applications would remain untested. This is the main weakness of products based on matching vulnerability signatures.

Consider anti-virus software as an example. Standard antivirus products scan for thousands of known viruses, including old ones (even viruses written for Windows 95 systems). You would rarely encounter that OS today, but in the minds of consumers the most important question is "how many viruses does this software detect?". In fact, having the newest AV protects you against everything except the new viruses circulating in the wild, and it is these viruses that cause the greatest damage. Standard AV products without the right technology will not detect a new virus in the wild if they can only match "known" viruses. Good antivirus technology adds heuristic file checking, that is, intelligent methods for identifying patterns of behaviour that indicate a virus.

Web vulnerability scanning works in a very similar way. It would be of little use to detect only the known vulnerabilities of known applications. A significant amount of heuristics is involved in detecting vulnerabilities, because hackers are highly creative and launch their attacks against bespoke web applications in order to cause maximum damage.
