Web Application Security: The Overlooked Vulnerabilities

White paper Web Application Security: The Overlooked Vulnerabilities Abstract Are you adequately protecting the web applications that your business depends on? Software flaws are rapidly becoming the vulnerabilities of choice to attackers determined to exploit mission critical systems. However, it isn't just vulnerabilities in the web applications that organizations need to be concerned about. Vulnerabilities across the entire enterprise application stack-including web and application servers, databases and operating systems-that form the foundation for web applications, also need to be addressed. Publicity around breaches and regulatory pressures are pushing web application security further in the spotlight. Traditional approaches to web application security, including web application firewalls, and web security modules, can be costly and complex, and do not ultimately protect the entire application stack. Host-based intrusion defense with deep packet inspection is a new approach that addresses the need of organizations to shield vulnerabilities across the entire application stack.
Table of Contents
1. Web Applications: An attractive target .........................................................................................1 2. Web applications are increasingly vulnerable ..............................................................................2 3. Regulations and legislation rule the new security agenda ...........................................................4 4. Selecting a system to protect web applications............................................................................5 5. Your next steps.............................................................................................................................8
1. Web Applications: An attractive target How do you cost effectively defend web applications from attack? Your organization relies on mission critical business applications that contain sensitive information about customers, business processes and corporate data. Moving away from proprietary client/server applications to web applications gives you a simpler, cost-effective, highly extensible delivery platform. These applications are more than a valuable tool to power your business operations; they are also a valuable and vulnerable target for attackers. Web applications are increasingly the preferred targets of cyber-criminals looking to profit from identity theft, fraud, corporate espionage, and other illegal activities. The impact of an attack can be significant, and include costly and embarrassing service disruptions, down-time, lost productivity, stolen data, regulatory fines, angry users and irate customers. Beyond preserving the corporate brand, federal and state legislation and industry regulations are now requiring web applications to be better protected. As you take action to protect web applications in a timely and effective manner, you must balance the need for security with availability, performance and cost-effectiveness. Protecting web applications requires both zero-day protection and rapid response with minimal impact to operations, and must be part of a defense-in-depth plan. Look to host-based intrusion defense systems to provide comprehensive security to proactively protect hosts, applications and sensitive data without impacting performance or changing system architectures.
© 2006, Third Brigade, Inc 1 www.thirdbrigade.com, 2. Web applications are increasingly vulnerable Rapid growth leads to emerging problems The number of corporate web applications has grown exponentially and most organizations are continuing to add new applications to their operations. With this rapid growth come common security challenges driven by complexity and inconsistency. New awareness into web application vulnerabilities, thanks to organizations such as the Open Web Application Security Project (OWASP), has helped organizations identify application security as a priority. But according to a 1June, 2006 survey , while 70 percent of software developers indicated that their employers emphasize the importance of application security, only 29 percent stated that security was always part of the development process. The overlooked vulnerabilities Unfortunately, it is not just application flaws that are leaving systems vulnerable. In addition to application issues, every web application relies on a larg... [download for more]