This article can also be found in the Premium Editorial Download "Information Security magazine: Special manager's guide: Monitoring identities."
Download it now to read this article plus other related content.
To effectively combat Web application attacks, you need a holistic approach; tackling one vulnerability will often strengthen your defenses against another. At the core of your application security strategy should be a policy that enforces secure coding practices, ensuring that vulnerability detection and assessments are performed during any application development or deployment.
Start by identifying the places where data enters or exits the application, and ensure that validation occurs for every part of the HTTP request before letting it anywhere near your scripts, data access routines and SQL queries. Next, you need to review the trust levels assigned to application entry and exit points and define the privileges that external users and processes are granted to access the system. A useful exercise is to create a data flow diagram that tracks how data flows through the application. If there is system or application failure, make sure your application doesn't return specific details about the error as this can provide useful information to an attacker.
The Web application itself needs to run under the least amount of privileges necessary for it to function correctly. Certainly, never use the default account, such as SQL Server's "sa" account. Ensure that any connection to a database or other resource is made using a least-privileged account, and you must lock down your database and Web servers. Remove non-required features such
This process should involve running a vulnerability scanner on a regular basis. Many scanners are now automated, and many can scan for XSS vulnerabilities and Google hacks. SANS has a list of tools and services that find and fix the top 20 vulnerabilities at www.sans.org/top20/ 2005/tools.pdf.
This was first published in August 2006