Why Web Application Security
Securing a company's web applications is today's most overlooked aspect of securing the enterprise. Hacking is on the rise, with as many as 75% of cyber attacks carried out through the web and via web applications.
Most corporations have secured their data at the network level, but have overlooked the crucial step of checking whether their web applications are vulnerable to attack.
Web applications raise certain security concerns:
1. To deliver the service (intended by design) to customers, web applications must be online and available 24x7x365.
2. This means that they are always publicly reachable and cannot discriminate between legitimate users and hackers.
3. To function properly, web applications must have direct access to backend databases that contain sensitive information.
4. Most web applications are custom-made and rarely pass through the rigorous quality assurance checks applied to off-the-shelf applications.
5. Through a lack of awareness of the nature of hack attacks, organisations treat the web application layer as part of the network layer when it comes to security issues.

The Jeffrey Rubin Story
In a 2005 review published by Information Week, a prominent security expert called Jeffrey Rubin narrates his experience with a successful hack attack. The following is a citation from his article (the full reference is given at the end of this article):
"We're like most Web developers who use the Microsoft platform ... Although we try to stay up to date with patches and service packs, we realize attackers often go after application, rather than network, vulnerabilities. A colleague suggested we install a hardware firewall to prevent future attacks. Not a bad suggestion, but hardly a cure-all given that we have Ports 21, 80 and 443 and our SQL server (on a nonstandard port) wide open for development purposes. After all, we're in the business of developing dynamic Web pages, and our clients are all over the country."
Jeff's story is striking simply because (a) developers, like everyone else, are prone to error despite all the precautions they take to sanitize the applications they build, and (b) even as an expert he was lulled into a false sense of security by applying the latest patches and service packs. Jeff's story, sadly, is not unique, and it arises from misunderstanding the security infrastructure of an organization and the solutions available to help people protect their data.
Since many organizations do not monitor online activity at the web application level, hackers have free rein, and even with the tiniest loophole in a company's web application code, any experienced hacker can break in using only a web browser and a dose of creativity and determination. The slack security also means that attempted attacks go unnoticed, because companies react only to successful hacks; they fix the situation AFTER the damage is done. Finally, most hack attacks are discovered months after the initial breach, simply because attackers do not want to leave an audit trail and take care not to.
Systems administrators, CTOs and business people alike picture a cyber intrusion as a physical intrusion: a thief in your house leaves markers, e.g., a broken window or a forced lock. In web application attacks this physical evidence is nonexistent.

The Security Infrastructure of an Organization
It is convenient to think of the infrastructure of an organization as one with various layers. In the same way you would protect against rust by applying a variety of paints, chemicals and anti-oxidants in layers, a systems administrator puts in place several specialized security solutions, each addressing a specific problem area.
These security layers represent a holistic outlook that treats security as a set of hardening measures taken to minimize intrusion risk and maximize the protection around the key asset of any organization, its data.
Standard security layers include:
- The User layer, containing software such as personal firewalls, anti-rootkits, registry cleaners, backup, anti-virus, anti-phishing and anti-spy/adware.
- The Transport layer, including SSL encryption, HTTPS and similar protocols.
- The Access layer, with access control, authentication, cryptography, firewalls, VPNs and Web Application Firewalls.
- The Network layer, with firewalls, network scanners, VPNs and intrusion detection.
- The fifth layer is the Application layer, and it must include website and web vulnerability scanning. Source code analysis fits in here.

Web Vulnerability Scanners are not Network Scanners
Web vulnerability scanners (e.g., Acunetix WVS, SPI Dynamics WebInspect) are not network scanners (e.g., Qualys, Nessus).
Whereas network security scanners analyze the security of assets on the network for possible vulnerabilities, Web Vulnerability Scanners (WVS) scan and analyse web applications (e.g., shopping carts, forms, login pages, dynamic content) for any gaps resulting from improper coding that may be manipulated by hackers.
For example, it may be possible to trick a login form into believing that you have administration rights by injecting specifically-crafted SQL (the language understood by databases) commands. This is only possible if the inputs (i.e., the username and/or password fields) are not properly handled: instead of being validated and passed to the database as parameters, they are concatenated directly into the SQL query that is sent to the database. This is SQL Injection!
Network security defenses provide no protection against such web application attacks, since these attacks are launched on port 80 (the default for websites, and equally on 443 for HTTPS), which has to remain open to allow regular operation of the business.
What is needed is a web application scanner / web vulnerability scanner, i.e., a black-box testing tool.

Black Box Testing
Black box testing is simply a test design methodology. In web application black box testing, the web application itself is treated as a whole, without analyzing its internal logic and structure. Typically, web application scanners check whether the web application as a whole can be manipulated to gain access to the database. Modern technology allows for a great degree of automation, in effect reducing the manual input required in testing web applications.
It is important to say reducing, not minimizing or doing away with. As any security consultant will tell you, automation will never replace the intelligence and creativity of human intervention.
In general, automated scanners first crawl the entire website, analyzing in depth each file they find and displaying the entire website structure. After this discovery stage, the scanner performs an automatic audit for vulnerabilities by launching a series of hacking attacks, in effect emulating a hacker. The scanner analyzes each page for places where data can be input and then attempts the different input combinations at each of them. Scanners check for vulnerabilities on web servers (on open ports), in all web applications and in the website content itself. The more robust products launch such attacks intelligently, using varying degrees of heuristics.

Heuristic Web Scanning
It is important to understand that web vulnerability scanning should not be limited to checking known applications (e.g., off-the-shelf shopping carts) and/or module vulnerabilities (e.g., SQL injection in the phpBB login form) against a pre-determined library of known issues. If it did only that, custom applications would remain untested. This is the main weakness of products that are based on matching vulnerability signatures.
Consider anti-virus software as an example. Standard antivirus products scan for thousands of known viruses, including old ones (even viruses written for Windows 95 systems). In this day and age you would rarely encounter that OS, but in the minds of consumers the most important question is "how many viruses does this software detect?". In reality, the latest signature database protects you against everything except the new viruses currently circulating in the wild, and it is these viruses that do the greatest damage. Standard AV products without the right technologies will not detect a virus in the wild if they can only match "known" viruses. Good antivirus technology adds heuristic file checking, or other intelligent ways of identifying patterns of file content and application behaviour that indicate a virus.
Web vulnerability scanning works in a very similar way. It would be of little use to detect only the known vulnerabilities of known applications. A significant degree of heuristics is involved in detecting vulnerabilities, since hackers are extremely creative and launch their attacks against bespoke web applications to create maximum impact.
Of course, such an approach does produce false positives, but even here there is misconception and confusion. False positives arise because an automated scan flags anything that looks like a vulnerability, and some of those findings will not hold up under examination. Automation is an invaluable aid, and the accuracy of a scan depends on (a) how well your site is crawled to establish its structure, its various components and its links, and (b) the ability of the scanner to apply the various hacking methods and techniques intelligently against the web application. No level of technological sophistication brings the rate to zero: an automated scan will always generate some false positives, whichever product you use.
We always recommend that automated scans be supplemented with manual testing; this is probably one of the points that all security experts emphasize. Sadly, companies do not recognize the importance of the manual input. If you want your web applications to be secure, you must spend a considerable amount of time verifying the automated findings. This is not to say that automation is inaccurate: on the contrary, it is very accurate and has cut down much of the work. The automated scan flags the possible problems, false positives included, and prompts further manual investigation.
In web application security, it is better to have false positives than nothing at all.