
Web Applications: An Attractive Target

Filed under: all articles
By: NMK Created on: February 27th, 2007

With modernisation and change comes the need to re-assess the safety of your business assets. Blake Sutherland describes the risks attached to a move towards online applications.

How do you cost-effectively defend web applications from attack? Your organization relies on mission-critical business applications that contain sensitive information about customers, business processes and corporate data. Moving away from proprietary client/server applications to web applications gives you a simple, inexpensive, extensible delivery platform. But these applications are more than a valuable tool to power your business operations; they are also a valuable and vulnerable target for attackers.

Web applications are increasingly the preferred targets of cyber-criminals looking to profit from identity theft, fraud, corporate espionage, and other illegal activities. The impact of an attack can be significant, and include costly and embarrassing service disruptions, down-time, lost productivity, stolen data, regulatory fines, angry users and irate customers. Beyond preserving the corporate brand, federal and state legislation and industry regulations are now requiring web applications to be better protected.

As you take action to protect web applications in a timely and effective manner, you must balance the need for security with availability, performance and cost-effectiveness. Protecting web applications requires both zero-day protection and rapid response with minimal impact to operations, and must be part of a defense-in-depth plan.

Web applications are increasingly vulnerable

The number of corporate web applications has grown exponentially, and most organizations continue to add new applications to their operations. With this rapid growth come common security challenges driven by complexity and inconsistency. New awareness of web application vulnerabilities, thanks to organizations such as the Open Web Application Security Project (OWASP), has helped organizations identify application security as a priority. But according to a June 2006 survey, while 70 percent of software developers indicated that their employers emphasize the importance of application security, only 29 percent stated that security was always part of the development process.

The overlooked vulnerabilities

Unfortunately, it is not just application flaws that are leaving systems vulnerable. In addition to application issues, every web application relies on a large stack of commercial and custom software components. The operating system, web server, database and all the other critical components of this application stack, have vulnerabilities that are regularly being discovered and communicated to friend and foe alike. It is these vulnerabilities that most organizations overlook when they're considering web application security.

The challenge this poses for IT administrators and security professionals is that, regardless of whether the flaw lies in the application code or in the underlying software, they need to keep mission-critical applications secure.

Figure 1: Typical vulnerability targets in web applications

As noted in Figure 1, threats against applications can come from a variety of sources:

As new vulnerabilities are found, patches become a critical part of managing application security. The process of patch management is complex and difficult to do successfully. Even the most proactive IT team must often reassign critical resources to deploy urgent patches, disrupting normal operations. The time required to patch responsibly lengthens the window of time an attacker has to exploit a specific vulnerability. With thousands of vulnerabilities and patches being announced each year the problem continues to grow. Even organizations with the most efficient patching processes in place can't rely on this alone to protect them from attacks targeting web application vulnerabilities.

Attackers look for the path of least resistance

Today's sophisticated attackers target corporate data for financial and political gain. They know it is easier to exploit vulnerabilities in the web application stack than to defeat well-built network and perimeter security. With a myriad of vulnerabilities and many different techniques, including SQL injection, cross-site scripting, Google hacking, buffer overflows and remote code execution, there is no shortage of options for savvy attackers. In fact, over 4,000 vulnerabilities were identified in the first nine months of 2006, and web application flaws accounted for the three most common classes.
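As an added example (not from the article, and not Third Brigade's code), the two techniques named first above, SQL injection and cross-site scripting, each shown as a vulnerable Python snippet beside its hardened form. The in-memory user table, the credentials and the payloads are constructed for the demonstration; passwords are stored in plaintext only to keep the example short.

```python
import html
import sqlite3

# Constructed sample data for this example (not from the article).
USERS = [("alice", "correct horse", "admin"),
         ("bob", "hunter2", "user")]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """SQL injection: user input is spliced into the query text, so a crafted
    username can rewrite the WHERE clause and bypass the password check."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Hardened form: a parameterized query. The driver sends the values
    separately from the statement text, so input cannot alter its structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def greeting_vulnerable(name):
    """Cross-site scripting: untrusted input is written straight into HTML."""
    return "<p>Hello, %s</p>" % name


def greeting_safe(name):
    """Hardened form: escape the value for the HTML element context it lands in."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    sqli = "' OR 1=1 --"   # the trailing comment removes the password check
    print("vulnerable login:", login_vulnerable(db, sqli, "wrong"))  # returns a row
    print("safe login:      ", login_safe(db, sqli, "wrong"))        # returns None
    xss = "<script>alert(1)</script>"
    print(greeting_vulnerable(xss))
    print(greeting_safe(xss))
```

Both fixes are the same idea: keep data and code apart by handing the value to a component that knows the target grammar (the database driver, the HTML escaper) rather than gluing strings together. Escaping is context-specific; a value placed in a JavaScript block or a URL attribute needs a different encoder than html.escape.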

Selecting a system to protect web applications

Once any potential web application vulnerabilities have been identified, the ultimate solution is to fix the vulnerabilities in the web application source code itself. However, relying on that fix alone can leave you exposed to intrusion in the meantime, because application fixes often require:

Defense-in-depth is a common security strategy that promotes the use of multiple protection techniques to mitigate the risk of one component being compromised or rendered ineffective. Although web applications rely on patch management for protection from software flaws, penetration testing and publicized breaches regularly show that these applications have vulnerabilities that can be readily exploited for extended periods of time.

When vulnerabilities exist and patching is not an immediate option, there are three main types of technologies that can be used as compensating controls to protect web applications:

Your next steps

Web applications are increasingly vulnerable, and protecting them requires a system that can both ensure compliance today and meet the evolving needs of the organization tomorrow. To meet the challenge, organizations should remain diligent by regularly performing network- and application-level vulnerability scanning and penetration testing. In addition, organizations should select and deploy compensating controls that defend in depth and provide rapid protection to close the vulnerability window, with minimal impact on operations.
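As an added illustration (not from the article, and not a description of any product's own rule language) of what a compensating control of the kind described above does while a code fix or vendor patch is pending: a request-level "virtual patch" that sits in front of the application and refuses requests able to reach a known flaw. The paths, parameters, rule identifiers and rule format are hypothetical, constructed to stand in for findings a scan or penetration test has reported.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical virtual-patch rules for this example. The rule format is the
# example's own; the paths and parameters are constructed stand-ins for flaws
# reported by a scan or pentest that the development team has not yet fixed.
VIRTUAL_PATCHES = [
    {   # negative rule: block SQL metacharacters in a parameter known to be
        # concatenated into a query, until the code fix ships
        "id": "VP-001",
        "path": "/search.php",
        "param": "q",
        "deny": re.compile(r"(?i)('|--|;|/\*|\bunion\b|\bor\b\s+\d+\s*=\s*\d+)"),
        "reason": "SQL injection in q; code fix pending",
    },
    {   # positive rule: the parameter has a known shape, so allow only that
        "id": "VP-002",
        "path": "/profile",
        "param": "id",
        "allow": re.compile(r"[0-9]{1,9}"),
        "reason": "profile id must be a short positive integer",
    },
]


def evaluate(url, patches=VIRTUAL_PATCHES):
    """Decide whether a request URL may reach the application.
    Returns (allowed, rule_id); rule_id names the rule that blocked it."""
    parts = urlsplit(url)
    # parse_qs percent-decodes once, matching what the application would see;
    # rules must inspect the decoded value or encoded payloads slip past them.
    params = parse_qs(parts.query, keep_blank_values=True)
    for rule in patches:
        if parts.path != rule["path"]:
            continue  # each rule is scoped narrowly to the vulnerable entry point
        for value in params.get(rule["param"], []):
            if "deny" in rule and rule["deny"].search(value):
                return False, rule["id"]
            if "allow" in rule and not rule["allow"].fullmatch(value):
                return False, rule["id"]
    return True, None


def filter_log(url, patches=VIRTUAL_PATCHES):
    """Apply the rules and return a one-line audit record for the decision."""
    allowed, rule_id = evaluate(url, patches)
    return "%s %s%s" % ("ALLOW" if allowed else "BLOCK", url,
                        " rule=%s" % rule_id if rule_id else "")


if __name__ == "__main__":
    # Constructed request URLs: benign traffic, an injection attempt against
    # the patched parameter, and the same payload against an unpatched path.
    for u in ["/search.php?q=shoes",
              "/search.php?q=%27%20OR%201%3D1%20--",
              "/profile?id=42",
              "/profile?id=42%20OR%201%3D1",
              "/other?q=%27%20OR%201%3D1"]:
        print(filter_log(u))
```

The last constructed request shows the limit of the approach: the rule protects only the entry point it was written for, so the same payload against a path nobody has scanned goes straight through. Deny-list rules such as VP-001 are also bypassable by alternative syntax or double encoding; where the parameter's shape is known, an allow-list rule such as VP-002 is the stronger choice. Either way the virtual patch closes the vulnerability window; it does not remove the need for the code fix.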

About the Author

Blake Sutherland, VP, Product Management, is responsible for managing the product life-cycle of Third Brigade's intrusion defense software. Third Brigade is exhibiting at Infosecurity Europe 2007, Europe's number one dedicated Information security event. Now in its 12th year, the show continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 11,600 visitors from every segment of the industry. Held on the 24th - 26th April 2007 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security. www.infosec.co.uk
