As businesses grow increasingly dependent upon Web applications, these complex entities are becoming more difficult to secure. Most companies equip their Web sites with firewalls, Secure Sockets Layer (SSL), and network and host security, but the majority of attacks are on applications themselves.
Web application security managementWhite paperJanuary 2008
Understanding Web application
security challenges.Understanding Web application security challenges.Page
As businesses grow increasingly dependent upon Web applications, these com-Contents plex entities grow more difficult to secure. Most companies equip their Web sites with firewalls, Secure Sockets Layer (SSL), and network and host security, but 2 What makes Web applications the majority of attacks are on applications themselves - and these technologies vulnerable? cannot prevent them.3 Typical Web application attacks4 Table 1: Common types of Web This paper explains what you can do to help protect your organization, and it application attacks discusses an approach for improving your organization's Web application security.6 Basic guidelines for providing security for Web applications What makes Web applications vulnerable?7 Understanding the Web 1In the Open System Interconnection (OSI) reference model, every message application lifecycle travels through seven network protocol layers. The application layer at the top 9 Security testing throughout the includes HTTP and other protocols that transport messages with content, application lifecycle including HTML, XML, Simple Object Access Protocol (SOAP) and Web services.10 Table 2: Relative cost of error fixes, based on time of This paper focuses on application attacks carried by HTTP-an approach that discovery traditional firewalls do not effectively combat. Many hackers know how to make 10 Considering the right testing HTTP requests look benign at the network level, but the data within them is approaches potentially harmful. HTTP-carried attacks can allow unrestricted access to 10 Table 3: Web application databases, execute arbitrary system commands and even alter Web site content.security testing approaches12 Four strategic best practices for protecting Web applications15 Table 4: Inception-defining security requirements16 Table 5: Elaboration and construction-modeling and coding for security measuresUnderstanding Web application security challenges.Page
Without governance measures to manage security testing throughout the applica-Highlights tion delivery lifecycle, software teams can expose applications to HTTP-carried attacks as a result of:
. Analysts and architects viewing security as a network or IT issue, so that only a few organization security experts are aware of application-level threats.. Teams expressing application security requirements as vague expectations or negative statements (e.g., You will not allow unprotected entry points) that make test construction difficult.. Testing application security late in the lifecycle-and only for hacking attempts.
Typical Web application attacksTo protect Web applications against A Web application's specific vulnerabilities should dictate the technology you attacks, enterprises should employ use to defend it. Figure 1 shows many points within a system that might require generic preventive approaches as protection. Often, it is best to employ generic countermeasure concepts first well as targeted technologies. to help ensure that you choose the technology best suited to your needs rather than one that claims to counter the latest hacking technique.
Providing secure Fine inputAuthenticating configuration validation Protectingusers Handling sensitive dataexceptionsDenial ofservice Web ApplicationConcurrency server serverllaw Application Applicationer DatabaseiF
Protectingsensitivedata Auditing andloggingPreventing Preventing Coarse input Authorizingparameter session validation usersmanipulation hijacking
Figure 1: Web application security concernsUnderstanding Web application security challenges.Page
Table 1 shows common threats and preventive measures. However, specific Highlights threats to your application may be different.
Table 1: Common types of Web application attacksDescription Common causes Preventive measuresEnterprises can employ multi- Impersonationple preventive measures against Typing a different user's . Using communications- Use stringent authentication Web application breaches caused credentials or changing based authentication to allow and protection for credential by impersonation, tampering a cookie or parameter access to any user's data information using:to impersonate a user or and repudiation. . Using unencrypted . Operat... [download for more]