Nearly all businesses now cultivate a presence online. They do so not only to provide information, but also to interact with their customers via Web apps, blogs and forums. From an online retailer's interactive baby registry, to an electronic trading site's investment calculator, or a software vendor's interactive support forums, on a daily basis enterprises are spawning new Web applications that offer enhanced access to information.
This rapid rise of business-centric interactivity on the Web has, in turn, brought forth new information security threats that were not previously present in an organization’s static webpages. These threats have been targeted specifically at Web applications, including supplementary Web servers, databases and other supporting infrastructure of an organization.
In this tip, we will examine the most urgent threats to Web-facing applications today and how security teams can make them secure.
Urgent threats to Web-facing applications
There have been a number of recent reports from such vendors as Cenzic Inc., Hewlett-Packard Co., Imperva Inc., Veracode Inc., Whitehat Security Inc. and, most recently, Verizon, which assessed the numerous Web application threats facing enterprises today. The two most common threats to Web applications across all of the reports were cross-site scripting (XSS) and SQL injection. Both of these threats have been around for years, but Web applications remain vulnerable to them.
Given the prevalence of these incidents and the abundance of tools available for XSS and SQL injection attacks, organizations must significantly improve Web application security before the risk of such attacks can be reduced. New, less prevalent Web application threats have started to emerge, but most attacks still exploit these most basic weaknesses.
Making Web applications more secure
There are a couple of basic ways for security teams to make Web applications more secure: improving Web application development, and implementing new tools to help manage the information security risks to Web applications. These methods complement each other and therefore should not be used individually without other security controls in place.
Improving Web application development practices should be part of any software or security development lifecycle. There are many resources on software development lifecycles (SDLCs), including Microsoft's and the general resources from the DHS National Cyber Security Division on building security into enterprise software development. Most relevant to improving Web application security are the focused guides from the Open Web Application Security Project (OWASP), including the Development Guide 2010, which discusses secure Web application development. As part of an SDLC, teams may want to include checks for the most prevalent threats to Web applications and regularly update the threat list. All of these tactics can be used to train developers on secure ways to improve applications so that security bugs are minimized, found faster and fixed faster.
Separately, the other important way to mitigate threats to Web-facing applications is by implementing new tools to help manage Web application security. These tools may not be new per se, but for many organizations, products like Web application firewalls and Web application security scanners have never been a consideration because they've either been able to avoid the compliance requirements that call for them, or because Web-based threats were never a significant concern.
Yet these and other related emerging Web defense technologies can be used to successfully block Web application-layer attacks and to scan for Web application vulnerabilities. Web application security scanners can be included in your SDLC testing phase or run as a standalone project to proactively evaluate the security of your Web applications. Web application firewalls inspect Web traffic for attacks on a Web application, often blocking the most common attacks. That said, Web application firewalls and Web application security scanners will not block or detect all attacks or vulnerabilities, so both tools will need to be constantly updated to detect new threats.
These tools should extend the controls you already have in place, but you should understand how the urgent threats bypass many of the traditional security controls. For example, if you allow HTTP over port 80 through your firewall to a Web server, your firewall does not typically evaluate whether the network traffic is legitimate HTTP traffic or whether it includes potentially malicious SQL code used for a SQL injection attack. A Web application firewall can inspect the HTTP traffic and identify, and often block, most SQL injection attacks. Remember, no single security tool or control can protect all of an enterprise's Web applications, although the combination of Web application firewalls and Web security scanning provides solid protection against the most common XSS and SQL injection attacks.
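As an added example (not from the original tip), here is a minimal Python sketch of the distinction made above: a port-level filter admits every request arriving on port 80, whereas an application-layer inspector parses the request, URL-decodes the query parameters and only then matches XSS and SQL injection signatures. The sample request lines are constructed, and the signature patterns are illustrative rather than a production WAF rule set.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample HTTP request lines, as seen on port 80 behind a network firewall.
SAMPLE_REQUESTS = [
    "GET /catalog?item=42 HTTP/1.1",
    "GET /search?q=baby+registry HTTP/1.1",
    "GET /login?user=admin'+OR+'1'%3D'1 HTTP/1.1",
    "GET /forum?post=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
]

# Illustrative signatures only; real WAF rule sets are far larger and need constant updating.
SQLI_PATTERNS = [re.compile(r"'\s*or\s*'", re.I), re.compile(r"union\s+select", re.I)]
XSS_PATTERNS = [re.compile(r"<\s*script", re.I), re.compile(r"on\w+\s*=", re.I),
                re.compile(r"javascript:", re.I)]


def network_firewall_allows(port: int) -> bool:
    """A traditional packet filter decides on port alone; it never reads the HTTP payload."""
    return port in (80, 443)


def inspect_request(request_line: str) -> List[str]:
    """Application-layer check: parse the request line, decode each query parameter,
    then match signatures against the normalized value. Returns a list of findings."""
    _method, target, _version = request_line.split(" ", 2)
    findings = []
    # parse_qsl already applies one round of URL decoding ('+' -> space, %XX -> byte).
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote_plus(value)  # second pass so double-encoded input is still normalized
        if any(p.search(value) for p in SQLI_PATTERNS):
            findings.append(f"sqli:{name}")
        if any(p.search(value) for p in XSS_PATTERNS):
            findings.append(f"xss:{name}")
    return findings


def waf_decision(request_line: str, port: int = 80) -> Tuple[str, List[str]]:
    """Combine both layers: the port filter admits the connection, the inspector
    decides on content. 'block' is returned only when a signature matches."""
    if not network_firewall_allows(port):
        return "drop", []
    findings = inspect_request(request_line)
    return ("block" if findings else "allow"), findings


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        # The port filter says "allow" for all four; only the inspector separates them.
        print(network_firewall_allows(80), waf_decision(line))
```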
New Web applications that allow organizations to interact with and improve relationships with customers have brought new information security risks beyond those of the old static webpages. Traditional security controls have been largely ineffective on their own against the urgent Web application threats, but extending those controls to include Web application security in SDLCs and implementing new Web application security tools will help reduce the risk of these threats. Those that aren't using these technologies and don't have plans to do so should carefully weigh the benefits that such applications afford against the potential dangers of expanding their Web presence online. Securing today's Web-facing systems against these new threats has become an essential priority for any enterprise information security program.
About the author:
Nick Lewis, CISSP, is an information security architect at Saint Louis University. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and in Telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and previously at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.