Manage Learn to apply best practices and optimize your operations.

How to prevent application attacks and reduce network vulnerabilities

In this Ask the Expert Q&A, our application security guru discusses how hackers exploit network vulnerabilities to attack your applications and what you can do to mitigate this risk.

What Internet vulnerabilities do we face in an environment where there are applications on our Intranet (behind a firewall and IPS)? Most of these applications use Oracle database on the back end.

Before I answer this question, I should clarify a few IT security terms. In IT security, a vulnerability is, according to the National Institute of Standards and Technology (NIST), "a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy." What your Intranet applications face are threats -- unwanted, deliberate or accidental, events that may result in damage -- often caused by exploiting one or more vulnerabilities. That said, if your Intranet is connected to the Internet, you have a right to be concerned about the risks involved with the combination of a threat exploiting a vulnerability to attack your applications.

Unless your network security can maintain confidentiality, integrity and availability, if you have applications that are Internet accessible, your databases are at high risk. Hackers are using application-layer attacks to gain access to networks and databases, often with a privileged system-level account. To mitigate this risk, protect your databases by layering your defenses and use firewalls and routers to segment resources with different security requirements. It is also important to install any security patches or updates that have been released by your application vendors. For example, the Critical Patch Update released by Oracle in January 2005, addressed 23 vulnerabilities ranging from SQL injection to denial-of-service issues.

On the other hand, if your Intranet-based applications are not Internet-accessible, as long as your firewall is configured to prevent Internet access to your Intranet, your risk of attack is greatly reduced. However, don't overlook the fact that people working within your organization have extra knowledge about the databases' structures and your security policy. Their knowledge makes databases and other applications susceptible to an insider attack. For this reason, I recommend reviewing your database security policies. For example, ask yourself the following: "Do I properly enforce segregation of staff duties?" "Do I grant users the lowest level of permissions required to complete their tasks (the least privilege principle)?" If the database contains sensitive information, I would consider encrypting stored data. It adds an important layer of protection -- any user that tries to access the data not only needs the right password, but the encryption key as well. Another advantage of encryption is people who do not have database privileges cannot read your sensitive information. On a final note, I would ensure that you have an auditing strategy to highlight security issues.

More on this topic

  • Visit our resource center for news, tips and expert advice on ways to reduce risks posed by application attacks such as cross-site scripting, buffer overflows, botnets and more.
  • Attend Web Security School and learn how to harden a Web server and apply countermeasures to prevent hackers from breaking into a network.
This was last published in December 2005

Dig Deeper on Web application and API security best practices