7 Myths about protecting Web applications.


Today Web applications are delivering critical information to a growing number of employees and partners. Most organizations have already invested heavily in network security devices, and thus often believe they are also protected at the application layer; in fact they are NOT.

Myth 1: IPS defeats Application Attacks

Intrusion Prevention Systems, initially developed to monitor and alert on suspicious activity and system behavior, are becoming widely deployed. IPSs are useful to detect known attacks, but are inadequate to protect against new types of attack targeting web applications, and are often blind to traffic secured by SSL.

Myth 2: Firewalls protect the Application Layer

Most companies have deployed firewall technology to protect and control traffic in and out of the network. Firewalls are designed to control access by allowing or blocking IP addresses and port numbers. Just as firewalls still fail to protect against worms and viruses, they are not suited to protecting web applications against application attacks either. Network firewalls only protect or 'validate' the HTTP protocol and do not secure the most critical part: the application.

Myth 3: Application vulnerabilities are similar to Network and System vulnerabilities

A common problem in web applications is the lack of input validation in web forms. For example, a web form field requesting an email address should only accept characters that are allowed to appear in email addresses, and should carefully reject all other characters! An attacker might potentially delete or modify a database 'safely' hidden behind state-of-the-art network firewalls, IPS and web servers by filling in SQL query syntax in the unsecured email field and exploiting a SQL injection vulnerability! Web application attacks do not target protocols; they target badly written applications using HTTP(S).
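The email-field problem described above, as an added example (not code from the article or from Bee-ware): a lookup that splices the form value into the SQL text, beside a hardened version that first applies an allow-list check to the email field and then passes the value as a bound parameter. The `users` table, its two rows and the injected input are constructed for the demonstration; the allow-list pattern is a deliberately conservative assumption, not a full RFC 5322 grammar.

```python
import re
import sqlite3

# Constructed sample data: a hypothetical users table with two rows.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (email) VALUES (?)",
        [("alice@example.com",), ("bob@example.org",)],
    )
    conn.commit()
    return conn

# Allow-list for the email field: only characters that legitimately appear in
# a mailbox address, with bounded lengths. Anything else is rejected outright,
# which is the "carefully reject all other characters" rule from the text.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,63}$")

def is_valid_email(value: str) -> bool:
    return bool(EMAIL_RE.match(value))

def find_user_unsafe(conn: sqlite3.Connection, email: str) -> list:
    # Vulnerable: the raw field value becomes part of the SQL statement, so a
    # value containing quote characters and SQL syntax changes the query itself.
    # A firewall or IPS sees only a well-formed HTTP POST carrying this string.
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    # Defense in depth: validate the field against the allow-list first,
    # then bind the value as a parameter so the database never interprets
    # it as SQL regardless of its contents.
    if not is_valid_email(email):
        raise ValueError("rejected: field does not contain a valid email address")
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()

if __name__ == "__main__":
    db = build_db()
    injected = "' OR '1'='1"            # constructed malicious field value
    print("unsafe lookup returned", len(find_user_unsafe(db, injected)), "rows")
    try:
        find_user_safe(db, injected)
    except ValueError as exc:
        print("safe lookup:", exc)
    print("safe lookup for alice:", find_user_safe(db, "alice@example.com"))
```

The unsafe lookup returns every row for the injected value because the resulting statement's WHERE clause is always true; the safe lookup refuses the value before it reaches the database, and even a value that passed the allow-list would be treated as a literal string by the parameterized query. Parameterization is the actual fix; the allow-list is an additional layer that also keeps junk out of the data.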

Myth 4: Network devices can understand the application context

To correctly protect web applications and web services, a full understanding of the application structure and logic must be acquired. Track must be kept of the application state and its associated sessions. Different technologies, such as cookie insertion, automated process detection, application profiling and web single sign-on technology, are required to obtain adequate application protection.

Myth 5: SSL secures the application.

SSL technology was initially developed to secure and authenticate traffic in transit. SSL protects against man-in-the-middle attacks (eavesdropping) and data alteration attacks (modifying data in transit), but does not secure the application logic. Most vulnerabilities found in today's web servers are exploitable via unsecured HTTP connections as well as via 'secured' HTTPS connections.

Myth 6: Vulnerability scanners protect the web environment

Vulnerability scanners look for weaknesses based on signature matching. When a match is found, a security issue is reported. Vulnerability scanners work almost perfectly for all popular systems and widely deployed applications, but prove unable to do so at the web application layer, because companies do not use the same web environment software; most of them even opt to create their own web applications.

Myth 7: Vulnerability assessment and Patch Management will do the job

While it is often required to have yearly security assessments performed on a web site, the common web application life cycle requires more frequent security reviews. As each new revision of a web application is developed and pushed, the potential for new security issues increases. Pen tests or vulnerability assessments will always be out of date. Furthermore, it is illusory to imagine that Patch Management will assist in rapidly responding to the identified vulnerabilities.

The real life

Web applications are currently proving to be one of the most powerful communication and business tools. But they also come with weaknesses and potential risks that network security devices are simply not designed to protect against. Key security concepts such as security monitoring, attack prevention, user access control and application hardening remain true. But because the web application domain is so wide and different, these concepts need to be implemented with new "application-oriented" technologies.

Eric Battistoni, Bee-ware
COPYRIGHT 2006 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation: Infosecurity Europe 2006: 25th-27th April 2006, Olympia, London.
Author: Battistoni, Eric
Publication: Database and Network Journal
Date: Apr 1, 2006
Words: 651