Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Web Application Security Lockdown

    By
    Timothy Dyck
    -
    May 26, 2003
    Share
    Facebook
    Twitter
    Linkedin

      IT managers often find themselves in the position of the boy who stuck his finger in the dike—but theyre plugging system holes to prevent security floods. These holes will only increase in number as Web applications and Web services proliferate, but IT managers can provide more than stopgap security with a number of new tools and some best-practice measures.

      Web applications—either internally developed or packaged—are often the weak link that crackers exploit to break into a site. Web-based vulnerabilities were exploited by both Nimda and Code Red, and Web application vulnerabilities were the downfall of eWEEK Labs first, second and fourth OpenHack security tests.

      Although firewalls do a good job of protecting internal network resources from hostile network traffic in general, applications exposed over HTTP are wide open to all kinds of hostile attacks.

      Complex, custom applications such as customer self-service sites are particularly in need of protection because they often create the dangerous combination of public accessibility and potential access to protected customer information.

      The problem will grow in scope with the exposure of business logic (and related connected database resources) through Web service deployments because Web services are most often published using HTTP as a transport protocol. Web services also bypass existing front-end Web application input parameter checking, making it vital that input validation code be duplicated in the Web service itself.

      With the wide variety and large number of externally facing Web applications deployed in the enterprise, its almost impossible to bulletproof every application and Web server.

      Patching known problems is a must, of course, but doing so in a server farm environment takes time and testing. Finding security bugs in custom-developed Web application code is a painstaking and all-too-error-prone process, given HTTPs complete lack of input validation checking.

      Public Web App Protection Checklist

      • Hardenpublicly reachable Web server systems by stripping unnecessary software and user accounts and by tightening security settings.
      • IsolateWeb servers in a DMZ enclosure using firewalls to protect internal systems should a break-in occur.
      • DeployWeb application firewalls for low-level filtering of HTTP traffic on Port 80 and Port 443; this will help block application-specific attacks.
      • Use defensive programming techniques, penetration tests and source code audits to eliminate as many application bugs as possible.
      • Use a separate, back-channel communications link to do remote administration, instead of coming in from the public side.

      Security audits, authorized penetration testing, and the use of structured application testing tools and higher-level development frameworks all make a difference.

      As we saw in last Octobers OpenHack test, however, even stringently audited Web application code can contain bugs. In that test, two cross-site scripting attacks succeeded because, out of the hundreds of parameters that were filtered for illegal input in our test Web application, two were not. An intrepid cracker found the untested parameters and exploited them.

      A central pillar of strong security is an acknowledgment that packaged applications and custom code will contain security vulnerabilities, no matter how valiant the efforts to eliminate them. Thus, additional layers of protection must be deployed.

      To this end, a new set of HTTP-specific firewalls is emerging to address the security mismatch between traditional port-level firewalls and the security demands of Web applications and Web services.

      This is still an immature market overall. eWEEK Labs tests of the leading products in this category show that no one product does it all (see reviews). Weve seen considerable advancement in the state of the art just during the past six months, however, and we expect to see more of the same through the rest of this year.

      As a group, these products white-list-defense philosophy and real-time HTTP request and parameter filtering make them extremely powerful tools for securing Web applications. We recommend their use for security-sensitive Web applications.

      Its important to keep in mind, however, that while new classes of tools, such as Web application firewalls and trusted operating system add-ons, are emerging as important new defensive techniques, they only mitigate—and dont remove—the need for secure programming practices and server hardening. But with additional protection in place, attackers will have a significant new barrier to get around, and administrators will gain a potent tool for monitoring and protecting valuable data.

      Timothy Dyck
      Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelors degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a masters of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×