Security best practices for today's Web applications

The maturity of today's Web applications is both a blessing and a curse. On the positive side, we're now able to do things with dynamic Web applications that seemed impossible in the static world of just a few years ago. On the negative side, we're now seeing Web application complexities introduce security vulnerabilities beyond our imagination. It's becoming increasingly difficult for information security professionals, developers, and quality assurance analysts to get their arms around these issues.

What can you do to minimize security risks with rich Internet applications and in the cloud? It takes a reasonable and well-thought-out approach to do right. Figure 1 shows, in a nutshell, what you have to do:


Like any other ongoing business process, these are things you have to do on a periodic and consistent basis. Let's look at each of these areas more closely.

  1. Obtain buy-in
    If you don't have the ear of the people who count, you'll be fighting a losing battle trying to secure your applications. Most importantly, you have to get management on board. If the people approving the budgets and writing the checks don't understand why application security is a business concern, you have a problem. Without monetary, human resource, cultural, and political support from the powers that be, you might as well just rely on passwords and SSL to get you through (hint: that's not a good long-term solution). You may even need to get user buy-in, especially when it comes to security controls that require business process changes or introduce potential usability issues. Also, depending on which side you're on (information security, development, or QA), you'll need to get your colleagues on board. Making sure everyone is on the same page and working toward the same goals should be your primary aim.

     

  2. Choose your tools
    Just as you wouldn't use inferior programming languages or IDEs to develop your applications, you can't afford to go without good security testing tools. Having the right Web security tools, such as vulnerability scanners, proxies, and source code analyzers, will make or break your Web application security efforts. There are tons of options available, but the following are ones that I've found to work well:

Web vulnerability scanners
Acunetix Web Vulnerability Scanner
N-Stalker
NTOSpider
WebInspect

Web proxies
Burp Proxy
Paros Proxy
WebScarab

Source code analyzers
Checkmarx
SecurityReview

Don't rule out open source tools, especially the Web proxies I list above, but know that, by and large, you're going to get what you pay for.

  3. Run automated scans
    Web vulnerability scanners are absolutely essential for finding both the low-hanging fruit and the complex input validation flaws, such as XSS and SQL injection, that would otherwise be impossible to uncover. Just know that you have to run the scanners often, and multiple scanners are usually required to find everything that matters.

     

  4. Perform a manual analysis
    Automated scanners can only find so much. A sharp human eye and hands-on ethical hacking techniques are essential for finding all the "other" flaws that vulnerability scanners aren't smart enough to detect. Look for things like login mechanism weaknesses, application logic problems, and privilege escalation via session manipulation.

     

  5. Check source code
    Once you've completed your vulnerability scanning and manual analysis, a nice way to wrap things up is to look at the actual source code. Some analyzers look at raw source code, while others perform binary analysis that mimics real-world execution. Both are very good at finding things that you'd be hard-pressed to find otherwise.

     

  6. Fix what you've found
    Once you find where the weaknesses are, take the necessary steps to plug the holes. Sadly, this step gets skipped or done improperly, and the application vulnerabilities live on. The only way you're going to produce better code, and thus more secure Web applications, is to learn from your mistakes and continually improve.

     

  7. Report to your stakeholders
    Keeping management, auditors, regulators, customers, and business partners in the loop on what you're doing, finding, and improving is a great way to get continued support for application security. It's also a great way to help create a competitive advantage for your business. People are going to ask "How secure is the application?" anyway, so it doesn't hurt to be proactive and be able to provide the current security status when the time comes.

Complexity introduces weaknesses and oversights which, in turn, create security risks, all things we can't afford to take on in business today. Finding and fixing Web application flaws is becoming more difficult, but it's not an insurmountable problem. If you approach it in a mature and methodical way, you can find the issues that matter and move on. The method I discuss above has been proven successful time and again. Be it for best practice or compliance, it's simply a matter of choice.

 


About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years' experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored or co-authored seven books on information security, including the ethical hacking books Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). He's also the creator of the Security On Wheels IT security audio books.


This was first published in March 2010