Enterprises are responding to new threat on communication protocols by hardening Web applications, and they are increasingly turning to Web application security assessment tools to improve the security of their applications. This report examines why high accuracy is critical to the effectiveness of the tools, and it discusses how Cenzic Hailstorm addresses this problem.
I D C V E N D O R S P O T L I G H T
Ap p l i ca ti o n Se c ur i t y: N o Ro o m f or F al s e P osi ti ves July 2006 Adapted from Worldwide Security and Vulnerability Management Software 2005–2009 Forecast and Analysis: Taking Control of the Security Environment by Charles J. Kolodgy and Rose Ryan, IDC #34604
Sponsored by Cenzic The Internet continues to be an agent for business operation. More and more people and organizations are using the Internet for critical business transactions; however, this success becomes its own worst enemy. As the value of transactions occurring over the Internet increases, so too do security threats. Attackers have targeted communication protocols and operating systems as their avenues for exploitation. However, many of those avenues are protected with network defenses, so motivated attackers have turned their attention to Web-based business applications. These custom applications, which generally require customer interaction and which contain or access critical data, are now being attacked and exploited. Enterprises are responding to this new threat by hardening Web applications, and they are increasingly turning to Web application security assessment tools to improve the security of their applications. One of the key requirements for the security code review tools is high accuracy. This document examines why accuracy is critical to the effectiveness of the tools, and it discusses how Cenzic Hailstorm addresses this problem.
Introduction: How Secure Are We?
Fear of data exposure or loss from a successful Web site hack leads to sleepless nights. Many times, Web sites are put into production for business needs before they have been fully vetted. IT professionals face this decision all the time because information technology is an integral component of the business environment. A corporate Web site transforms the landscape in which businesses can provide wide-open, 24 x 7 admission to their business applications.
The nature of Web technology contributes to the fear security professionals experience. Today's Web sites are no longer static, informational electronic brochures; instead, they are multifeatured and dynamic showcases. Web applications have become ubiquitous and can generate dynamic Web pages based on input and databases. Most Web servers provide interfaces that are used to spawn and communicate with Web applications. Interface code, such as the common gateway interface (CGI), links an HTTP request (normally sent from a browser) with the executing application. It specifies which application should be invoked, the parameters/data passed to the application, and the mechanism used to provide the Web server with the dynamically generated page.
The expansion of user-enhanced Web sites has allowed the Internet to become an engine for improved business, but it's also the root of a security problem. Accepting input from users, which has created the dynamic Web, is fraught with danger. Because CGI allows for the execution of programs that process arbitrary data sent by a user, the danger exists that malicious commands will be directed through the CGI scripts. It is critical that only input in a format the application expects and can process be accepted.
IDC 489 Web Application Attack Mechanisms
Enterprises have spent billions of dollars to protect their information infrastructures. Confronted with steadily maturing network layer defenses, attackers are increasingly turning their attention to the application layer and the corresponding business applications that are running. The dynamic nature of Web applications offers users unique experiences, but the technology that makes a Web site so interesting also has a dark side. People with malicious intent can turn this same technology against the enterprise to cause considerable damage to a company's bottom line and reputation.
Nearly one in five businesses, both large and small, report that attackers have exploited flaws in Web applications. It's relatively easy, as many attacks are simple to launch. Anyone with a browser can unleash them. Other types of attacks require intimate knowledge of the host server and underlying applications. All are potentially damaging to an organization's Web presence. The following are some of the basic attack types employed against Web sites and Web applications: ! Session management. A session is hijacked for ma... [download for more]
