The maturity of today's Web applications is both a blessing and a curse. On the positive side, we're now able to do things with dynamic Web applications that seemed impossible in the static world of just a few years ago. On the negative side, we're now seeing Web application complexities introduce security vulnerabilities beyond our imagination. It's becoming increasingly difficult for information security professionals, developers, and quality assurance analysts to get their arms around these issues.
What can you do to minimize security risks with rich Internet applications and in the cloud? It takes a reasonable and well-thought-out approach to do right. Figure 1 shows, in a nutshell, what you have to do:
Like any other ongoing business process, these are things you have to do on a periodic and consistent basis. Let's look at each of these areas more closely.
If you don't have the ear of the people who count, then you'll be fighting a losing battle trying to secure your applications. Most importantly, you have to get management on board. If the people approving the budgets and writing the checks don't understand why application security is a business concern, then you have a problem. Without monetary, human resource, cultural, and political support from the powers that be, you might as well just rely on passwords and SSL to get you through (hint: that's not a good long-term solution). You may even need to get user buy-in, especially when it comes to security controls requiring business process changes and potential usability trade-offs. Also, depending on which side you're on (information security, development, or QA), you'll need to get your colleagues on board. Making sure everyone is on the same page and working toward the same goals should be your main goal.
Choose your tools
Just as you wouldn't use inferior programming languages or IDEs to develop your applications, you can't afford to go without good security testing tools. Having the right Web security tools, such as vulnerability scanners, proxies, and source code analyzers, will make or break your Web application security efforts. There are tons of options available, but the following are ones that I've found to work well:
Don't rule out open source tools, especially the Web proxies I list above, but know that, by and large, you're going to get what you pay for.
Run automated scans
Web vulnerability scanners are absolutely essential for finding both the low-hanging fruit and the complex input validation flaws, such as XSS and SQL injection, that would otherwise be impossible to uncover. Just know that you have to run the scanners often, and multiple scanners are usually required to find everything that matters.
Perform a manual analysis
Automated scanners can only find so much. A sharp human eye and manipulative ethical hacking techniques are essential for finding all the "other" flaws that vulnerability scanners aren't smart enough to detect. Look for things like login mechanism weaknesses, application logic problems, and privilege escalation via session manipulation.
Check source code
Once you've completed your vulnerability scanning and manual analysis, a nice way to wrap things up is to look at the actual source code. Some analyzers look at raw source code, while others perform binary analysis that mimics real-world execution. Both are very good at finding things that you'd be hard-pressed to find otherwise.
Fix what you've found
Once you find where the weaknesses are, take the necessary steps to plug the holes. Sadly, this step is often skipped or not done properly, and the application vulnerabilities live on. The only way you're going to produce better code, and thus more secure Web applications, is to learn from your mistakes and continually improve.
Report to your stakeholders
Keeping management, auditors, regulators, customers, and business partners in the loop on what you're doing, finding, and improving upon is a great way to get continued support for application security. It's also a great way to help create a competitive advantage for your business. People are going to ask "How secure is the application?" anyway, so it doesn't hurt to be proactive and be able to provide the current security status when the time comes.
Complexity introduces weakness and oversight which, in turn, create security risks, all things we can't afford to take on in business today. Finding and fixing Web application flaws is becoming more difficult, but it's not an insurmountable problem. If you approach it in a mature and methodical way, you can find the issues that matter and move on. The method I discuss above has been proven successful time and again. Be it for best practice or compliance, it's simply a matter of choice.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic, LLC. He has over 20 years of experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored or co-authored seven books on information security, including the ethical hacking books Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). He's also the creator of the Security On Wheels IT security audio books.