Web application or site security need, resolution plans

Web application vulnerabilities are now the most prevalent at more than 55 per cent of all server vulnerability disclosures. This figure doesn’t include vulnerabilities in small scale custom-developed web applications, so it may be just the tip of the iceberg. This write up is all about understanding how to quickly find and fix vulnerabilities in web applications. The goal is to prevent attackers from gaining control over the application and obtaining easy access to the server, database, and other back-end IT resources.

Let's start with what actually matters in Web Security, as the world embraces cloud computing, more and more people are transacting business, conducting research, storing information, collaborating with co-workers, publishing personal thoughts, and fostering relationships via web applications.

These web applications use a simple architecture:

• Internet or an intranet for connectivity between user and application
• Creation of the application with a browser-rendered markup language such as hypertext markup language (HTML)
• Hosting of the application in a browser-controlled environment
• A browser for user execution of the application on an endpoint device

Each time you launch a browser and connect to a website, you’re using one or more web applications. These enable thin client computing, which dramatically reduces resource requirements for the endpoint device. With web applications, the bulk of processing occurs on servers located at remote websites. As a result, users can run sophisticated web applications from virtually any PC, a low-powered netbook, a tablet computing device, or smart-phone. Web applications are generally easy to use, cost little or nothing for the user to operate, are efficient, and pervasive. As you’ll see, web applications hold the same attraction to modern cyber criminals because web application vulnerabilities are now the most prevalent of all server vulnerability disclosures. Network security professionals are already familiar with many other types of IT vulnerabilities. The process of finding and fixing these is called ‘vulnerability management’. Let's quickly discuss the understanding how to quickly find vulnerabilities in organization’s web applications and fix them so as to prevent attackers from gaining control over the application and other IT resources.

Gaps or Entry Points for criminals: Vulnerabilities in web applications may take dozens of forms. Many attacks use fault injection, which exploits vulnerabilities in a web application’s syntax and semantics. In simple terms, an attacker manipulates data in a web page Uniform Resource

Indicator (URL) link to force an exploitable malfunction in the application. The two most common varieties are query / SQL injection and cross-site scripting. Later we’ll dive into details of how these and other vulnerabilities work (and how to get rid of them!). For now, here’s the basic idea. Consider a typical URL:

http://My_example/Zxx.cgi?a=1

Executing a SQL injection exploit simply requires modifying the URL. All that’s needed might be one odd character to trigger a successful exploit, such as adding an apostrophe to the end of the URL:

http://My_example/Zxx.cgi?a=1'

The ‘successful’ outcome can give an attacker control over the application and easy access to the server, database, and other back-end IT resources. Needless to say, this access can trigger disastrous results.

Data is the object of desire for attackers – particularly data that converts their efforts into cash. The most lucrative source of this data is a business database containing information that can be sold or used directly by an attacker for profit. Business databases are like pots of gold brimming

with bankable opportunities – all in one location.

Confidential customer data may be the highest value data because it’s easy to sell and leverage. It includes personally identifiable data such as names, addresses, birth dates, payment card Primary Account Numbers, email addresses, and so on. Some of the worst data breaches have included the theft of millions of records containing this information. The massive scale of instant damage is unprecedented.

Web application attacks may also target individuals, one by one. Some attacks are executed by infiltrating a trusted website, which then injects malware into computers used by unsuspecting visitors. The malware might redirect links to rogue sites that steal personal information directly from the user’s PC. It could trick users into revealing confidential passwords or payment card data. It may even hijack the user’s PC and transform it into a spam server or other nefarious mechanism aimed to further the attacker’s goals. Either way, successful attacks on web applications can result in highly negative fallout. The rest of all related losses are paid by the payment card companies. If the data allows a criminal to access other accounts or steal a consumer’s identity however, financial fallout could be severe for that individual. Resolving just one incident of a stolen identity may take years of effort. Personal fallout would be catastrophic if multiple breaches at different merchants occurred during a short period of time.

Way of improvements: Web application vulnerabilities are often outside the traditional expertise of network managers, even if their main job is network security. The built-in obscurity of web application vulnerabilities helps them evade traditional network defenses unless an organization takes deliberate countermeasures. Unfortunately, there’s no silver bullet for detection! As with network security, the best strategy is a multi-layer approach.

Detection and remediation may require source code analysis. Detecting some web application vulnerabilities may require on-site penetration testing.

The good news is that most prevalent web application vulnerabilities can be easily detected with an automated scanner. As you’ll see later in this book, scanning web applications acts to supplement and compliment manual testing by performing likely attacks on target applications.

Scanning web applications has even become a strategic requirement in some regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) version 2.0 now requires all merchants accepting payment cards to pass quarterly scans for vulnerabilities in web applications.

• Automated scanning can provide many benefits, including:
• Discovering and cataloging all web applications in your enterprise.
• Lowering the total cost of operations by automating repeatable testing processes.
• Identifying vulnerabilities of syntax and semantics in custom web applications.
• Performing authenticated scanning.
• Profiling the target application.
• Ensuring accuracy by effectively reducing false positives and false negatives.

We need to understand how scanning and other tasks fit into a vulnerability prevention program (we call it VPP in our organization) which addresses everything it takes to develop, deploy, and maintain secure web applications, and that’s exactly what we discuss.

Cross-discipline cooperation is mandatory for web application security. It’s vital when time is of the essence for urgent vulnerability remediation. So decide now who’ll take the lead as doing so will help to smooth out operational issues later. I normally suggest that overall responsibility for web application security should rest with the security team (a nominated approach not a designer / architect team). He / she / these people are responsible for vulnerability management in networks and systems. Adding application security to their watch makes sense because this team already has ‘find and fix the vulnerabilities in its DNA and workflow. Integrating the use of automated scanning tools for web applications augments the technical skills of security staffers doing vulnerability management. There are various tools which can guide the security team as it guide the development teams. Remediation details can remain the domain of web application programmers.

An organization that relies upon custom web applications to implement business processes can have up to thousands of web applications. These may include full-blown applications, or consist of modules from login pages, forms, card payment / transactional scripts, shopping carts, and other forms of dynamic content. Those that appear in your network could be developed in house, although some may be legacy sites with no designated ownership or support.

Analyzing all of these for vulnerabilities and prioritizing their importance for remediation can be a huge task without organizing efforts and using automation to improve efficiency and accuracy.

The software development lifecycle (SDLC) aims to do this analysis and prioritization. SDLC is rooted in the mature discipline of Software Assurance, which the industry defines as follows: ‘Confidence that software, hardware and services are free from intentional and unintentional vulnerabilities and that the software functions as intended.’ (Source: Software Assurance Forum for Excellence in Code.)

The Secure Development phase is all about building security into web applications right from their inception. This is what commercial software companies do because customers expect what they license to be secure. This isn’t an automatic process, however, so as your organization strives to be smart with its efforts to secure applications on its websites, it needs to provision for several elements. Like Secure development , web applications are deployed when deemed functional within specifications, and when they’re secure. Upon deployment, ensuring their security requires two new elements: Vulnerability Scanning & Penetration Testing. The comes to securing all transactional details like Secure operations for this we need to incorporate tools like Web Application Firewall & Activity Monitoring. For the topic of vulnerability management, there’s no lower or higher rating of importance ascribed to web application scanning versus other kinds of scanning such as for network or system vulnerabilities.

Creating web application security requires your organization to scan for all these types of vulnerabilities because they’re interrelated. Security in each category can suffer from weaknesses in other categories. This is why comprehensive vulnerability management is essential.

I will stop here now I have realized that there are much more to be discussed / written on this topic this is just a start. I will try to me proactive in writing next chapter on this. I will love to listen to you on your take / any suggestions for me please shoot them at ravindrapande@gmail.com.