Protecting Web applications: a paradox for security professionals

Application security can be difficult to implement. Using the right tools and writing secure programs are good places to start.

IT security used to be an issue of keeping the doors to the computer room locked. Then securing networks and systems became an issue.

The next shift in security will be preventing the intrusion of Web-based applications, according to Charles Kolodgy, research manager, Internet security software at IDC. Kolodgy recently wrote a report on the subject, "Web Intrusion Protection: Defending Web Servers and Applications."

To back that contention up, IDC is estimating the market for Web intrusion prevention products to expand from $65 million last year to $690 million by 2006. These products specifically protect Web-based applications.

Web applications pose a paradoxical challenge for security. These applications are hosted on servers but are available to remote users via the Hypertext Transfer Protocol (HTTP). By definition, these applications have to be accessible. Proper security requires allowing just the right amount of openness: the application must answer every legitimate request while refusing the ones crafted to abuse it.

Attackers, meanwhile, have a host of arrows in their quiver to attack applications. Exploiting buffer overflow vulnerabilities in applications can allow them to gain control of the system. Another way is cookie poisoning, in which an attacker tampers with the session cookie the server issued (for example, changing a user identifier or role stored in it) so that the server returns data or privileges that belong to someone else.
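The cookie-poisoning attack above comes down to a server trusting state that the client controls. The following is an added example, not code from the original article or from any product it mentions, showing the vulnerable pattern beside a hardened one: the first handler reads the role straight out of the cookie, the second only accepts it when an HMAC computed with a server-side key verifies. The secret key, cookie names and helper functions are illustrative assumptions.

```python
import hashlib
import hmac

# Assumed server-side secret for the example; a real deployment loads it
# from a secret store, never hard-codes it.
SECRET_KEY = b"example-key-for-illustration-only"


def parse_cookie(header: str) -> dict:
    """Split a raw Cookie: request header ('a=1; b=2') into a dict."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


# --- Vulnerable pattern: the client dictates its own role -----------------

def role_from_cookie_unsigned(cookie_header: str) -> str:
    """Reads the role directly from the cookie. An attacker who edits
    'role=user' into 'role=admin' in their browser is now an admin."""
    return parse_cookie(cookie_header).get("role", "anonymous")


# --- Hardened pattern: the value is bound to a MAC only the server can make

def _mac(value: str) -> str:
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(user: str, role: str) -> str:
    """Cookie the server would issue after login: '<user>:<role>.<hmac>'."""
    value = f"{user}:{role}"
    return f"session={value}.{_mac(value)}"


def role_from_cookie_signed(cookie_header: str) -> str:
    """Accepts the role only if the MAC over the whole value verifies.
    Any edit to user or role invalidates the MAC, so tampering is rejected
    and the request is treated as anonymous."""
    token = parse_cookie(cookie_header).get("session", "")
    value, sep, presented_mac = token.rpartition(".")
    if not sep or not value:
        return "anonymous"
    # compare_digest avoids leaking the MAC through timing differences
    if not hmac.compare_digest(_mac(value), presented_mac):
        return "anonymous"
    _user, _sep, role = value.partition(":")
    return role or "anonymous"


def tamper(cookie_header: str, old: str, new: str) -> str:
    """What the attacker does: edit the cookie text in the browser."""
    return cookie_header.replace(old, new)


if __name__ == "__main__":
    # Constructed sample cookies for the demonstration.
    legacy = "user=alice; role=user"
    print("unsigned, untouched:", role_from_cookie_unsigned(legacy))
    print("unsigned, poisoned: ", role_from_cookie_unsigned(tamper(legacy, "role=user", "role=admin")))

    signed = issue_session_cookie("alice", "user")
    print("signed, untouched:  ", role_from_cookie_signed(signed))
    print("signed, poisoned:   ", role_from_cookie_signed(tamper(signed, "alice:user", "alice:admin")))
```

The point of the hardened version is not the hashing itself but where the trust lives: the role is still carried in the cookie, yet it can only be changed by something that holds the server's key. A server-side session store keyed by a random identifier achieves the same end without putting any state in the cookie at all.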

Attacks on Web applications lead to defacement of Web sites or using Web apps as a way to gain back-end access to systems, Kolodgy said. For example, an attacker could use a Web application as a way to break into the system. He could then change price information in the back-end database so he could buy a lot of goods inexpensively.

Web defacements are more a nuisance than a danger. "There is not a lot of cost associated with them per se but there is potential damage to the brand and having to take the Web site down," he said.

"The real issue is how to be out there but securely," Kolodgy said.

IDC has identified several categories of Web intrusion prevention applications including:

Many aspects of Web intrusion prevention are pretty self-explanatory. Application shields (sometimes called application firewalls) are a newer technology. Essentially, they sit in front of a Web-based application and inspect each HTTP request against what the application is expected to receive, rejecting requests that fall outside that profile before they reach the application.

Currently, no vendor offers a product that includes every facet of Web intrusion prevention, Kolodgy said. However some are bundling a couple aspects of it such as application shields with vulnerability assessment.
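To make the application-shield idea concrete, here is an added example (not code from the article or from any vendor product it refers to) of the positive-security model such a shield enforces: a per-application profile of allowed paths, expected parameters and the shape each value may take, applied to raw HTTP request lines. The profile, size limits and sample requests are constructed for illustration and are assumptions, not anything the article specifies.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed profile for a hypothetical shop application: which paths exist,
# which query parameters each accepts, and what each value may look like.
# Real application shields built such profiles from configuration or by
# learning normal traffic; here it is hand-written.
PROFILE = {
    "/catalog": {"id": re.compile(r"[0-9]{1,8}")},
    "/search":  {"q": re.compile(r"[\w .-]{0,64}")},
    "/login":   {"user": re.compile(r"[a-z0-9_]{1,32}"),
                 "pw":   re.compile(r".{1,128}")},
}
ALLOWED_METHODS = {"GET", "POST"}
MAX_REQUEST_LINE = 2048   # oversized requests are a classic overflow probe


def inspect(request_line: str) -> tuple:
    """Decide on one HTTP request line.

    Returns ("allow", "") or ("block", reason). Everything not explicitly
    described by the profile is blocked, which is what distinguishes a
    positive model from a signature list of known-bad strings."""
    if len(request_line) > MAX_REQUEST_LINE:
        return ("block", "request line too long")
    fields = request_line.split(" ")
    if len(fields) != 3 or not fields[2].startswith("HTTP/"):
        return ("block", "malformed request line")
    method, target, _version = fields
    if method not in ALLOWED_METHODS:
        return ("block", f"method {method} not allowed")
    parts = urlsplit(target)
    rules = PROFILE.get(parts.path)
    if rules is None:
        return ("block", f"path {parts.path} not in profile")
    # parse_qsl percent-decodes values, so the check sees what the app sees
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = rules.get(name)
        if pattern is None:
            return ("block", f"unexpected parameter {name}")
        if not pattern.fullmatch(value):
            return ("block", f"parameter {name} violates profile")
    return ("allow", "")


def inspect_many(request_lines: list) -> list:
    """Run the shield over a batch and return (request, decision, reason)."""
    return [(line, *inspect(line)) for line in request_lines]


if __name__ == "__main__":
    # Constructed sample traffic: legitimate requests mixed with probes.
    SAMPLE_REQUESTS = [
        "GET /catalog?id=42 HTTP/1.1",
        "GET /search?q=blue%20shoes HTTP/1.1",
        "GET /catalog?id=42%20OR%201=1 HTTP/1.1",      # injection attempt
        "GET /catalog?id=42&debug=1 HTTP/1.1",          # hidden parameter probe
        "GET /admin HTTP/1.1",                          # path not exposed
        "GET /search?q=" + "A" * 4000 + " HTTP/1.1",     # overflow-style payload
        "TRACE /catalog HTTP/1.1",
    ]
    for line, decision, reason in inspect_many(SAMPLE_REQUESTS):
        print(f"{decision:5} {reason:35} {line[:60]}")
```

The weakness of this model is the same as its strength: every legitimate change to the application (a new page, a new parameter) has to be reflected in the profile, or the shield starts blocking customers. That maintenance cost is why the article's vendors paired shields with vulnerability assessment rather than selling either on its own.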

The whole issue of Web intrusion prevention raises a question: Why aren't Web developers more security conscious in the first place? The truth is developers are more focused on creating the functionality that customers want rather than the security of the products, Kolodgy said.

Kolodgy sees some parallels between Web intrusion prevention and antivirus protection. It used to be that companies slapped antivirus at one point in the network and thought they were safe. Now, companies have antivirus at the desktop, gateway and server levels. "They realized security is much more specific," he said.

This tip originally appeared on SearchSecurity.com
This was first published in December 2005
