Problem solve Get help with specific problems with your technologies, process and projects.

How to resolve a Web application security vulnerability

Web application security vulnerabilities can exist from browser to SSL/TLS. Expert Brad Causey explains how application security testing and Web application firewalls can address this.

As Web-based application deployments have grown exponentially during the past decade, so have security concerns...

with all points involved in the delivery of those applications. In this tip, we will discuss the roles of application security testing and Web Application Firewalls (WAFs). Find out why each is important, and how they can combine and complement each other, to mitigate a Web application security vulnerability and strengthen your overall application security posture.

From the Web browser to the SSL/TLS protocols to the Web application itself, the industry has been fighting to secure the mechanisms through which the application layer can be exploited. Enterprises won't be able to prevent every zero-day or creative exploit, nor should they try. Instead, focus should be on what can be done by application owners and developers to secure their applications from attackers and protect their users from undue risk.

Web application security testing

There are a couple of places to start, but two stand out. The first, application security testing, is certainly the most effective way to detect, fix and resolve a Web application security vulnerability.  

As part of a secure software development lifecycle (SDLC), Web application testing can detect security issues early in the cycle or later in acceptance testing, depending on the method used. Static code analysis produces a lot of false positives, but provides the most comprehensive view -- earlier than other types of testing. Dynamic testing results in more concrete findings, but can be time consuming, and its findings are not always comprehensive. Ideally, a combination of both static code analysis and dynamic testing, discussed further below, balance their advantages and will significantly augment the security posture of your applications.

The trouble, though, is that in-depth application testing isn't always possible, due to time constraints, license agreements or code availability, among various other reasons. Because of this, WAFs offer another viable option for preventing Web application security vulnerabilities.

Web app firewalls

WAFs can be integrated or stood up in front of your application to quickly reduce your application's exposure to attack, although this option isn't without compromise.

WAFs work by standing between the user and the application, and that will cause performance issues and also require time and expertise to deploy. Bear in mind that a WAF is also not a silver bullet. Most WAFs will do a stellar job in catching obvious attacks, such as SQL injection or cross-site scripting. Issues such as business-logic bypasses or functional issues will have to be addressed through code or custom rules in your WAF -- don't forget this important step, as these issues can be just as harmful to application security as a traditional security "bug" may be.

The great thing, though, about WAFs is that they are relatively quick to install and can work to shore up your application's security, even if you don't have the ability, time or permission to perform static or dynamic analysis.

The security one-two punch

A third, even better, option is a combination of software security best practices during the design and development of the applications, as well as application security controls after the Web app is implemented. Why not have both?

Integrate security into application design, coding and testing phases; many organizations have created blueprints for establishing a comprehensive, effective SDLC. Inevitably, a Web application security vulnerability will be discovered after they are in production environments, some of which will be easier to patch than others. That's where the WAF comes into play, buying your organization some time to sort out any security issues that are discovered after the development phase by preventing exploitation until they can be permanently resolved.

These two methods of minimizing application risk actually go quite well together. In many cases, companies will roll out the security patch or fix in the next release, while defining specific rules within the WAF to address those issues. This is especially useful for security issues that require major effort to resolve.

Next Steps

Read about the state of Web application security

Learn how to carry out effective penetration testing for Web application security

What application security tools did our readers pick as the best?

This was last published in May 2016

PRO+

Content

Find more PRO+ content and other member only offers, here.

Essential Guide

How to craft an application security strategy that's airtight

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How does your organization detect and resolve web application security vulnerabilities?
Cancel
I like the overview given in the article. Would expect examples of tools for each type of security testing (i.e. what's for static code scan, for dynamic, for front-end security testing?).
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close