This article can also be found in the Premium Editorial Download "Information Security magazine: Special manager's guide: Monitoring identities."
If you use third-party packages, you should always check for known vulnerabilities with the vendor before installation, and then keep up to date on patches and advisories. Even if your Web applications are relatively secure when first deployed, changes to the system's infrastructure or configuration and new threats mean that your applications won't remain secure for long. Therefore, it is essential that your security policies are regularly reviewed for relevance and effectiveness.
You should also review the effectiveness of your firewall: packet-filtering firewalls can no longer provide the level of protection a Web application requires. Although routers and stateful packet-filtering network firewalls can be deployed to ensure that only approved transmission ports and protocols are open or allowed, attacks at the application layer require an examination of the application-layer commands and data themselves. Only at the application layer is it possible to determine accurately what a request will actually do in its specific context.
It is important to develop an incident response plan; having a detailed and well-rehearsed plan will help you handle attacks in an orderly, effective manner and minimize their impact on your network.
Because so many applications and services are delivered over the Internet, application security must be built into your organization's security policy. Fortunately, the Web community is also looking at
The Web security threat classification and security statistics projects by the Web Application Security Consortium will certainly help application developers and security professionals to focus their efforts, which will, in turn, improve application development processes and speed up response times to vulnerabilities. Meanwhile, vulnerability classification will enable better automated assessments of threats posed by Web application flaws.
Until these efforts pay off, though, Web applications will likely remain a favorite target of attackers. Companies must remain alert and vigilant or risk becoming the next victim.
This was first published in August 2006