As businesses grow increasingly dependent upon Web applications, these complex entities grow more difficult to secure. Most companies equip their Web sites with firewalls, Secure Sockets Layer (SSL), and network and host security, but the majority of attacks are on the applications themselves, and these technologies cannot prevent them. This paper explains what you can do to help protect your organization, and it discusses an approach for improving your organization's Web application security.

What makes Web applications vulnerable?

In the Open System Interconnection (OSI) reference model [1], every message travels through seven network protocol layers. The application layer at the top includes HTTP and other protocols that transport messages with content, including HTML, XML, Simple Object Access Protocol (SOAP) and Web services. This paper focuses on application attacks carried by HTTP, an approach that traditional firewalls do not effectively combat. Many hackers know how to make HTTP requests look benign at the network level while the data within them is potentially harmful. HTTP-carried attacks can allow unrestricted access to databases, execute arbitrary system commands and even alter Web site content.

Basic guidelines for providing security for Web applications

By using security-specific processes to create applications, software development teams can guard against security violations like those shown in table 1. Specifically, you can apply several basic guidelines to existing applications and to new or reengineered applications throughout your process to help achieve greater security and lower remediation costs:

Discover and create baselines: Conduct a complete inventory of applications and systems, including technical information (e.g., Internet Protocol [IP] address, Domain Name System [DNS] name, OS used) plus business information (e.g., Who authorized the deployment? Who should be notified if the application fails?). Next, scan your Web infrastructure for common vulnerabilities and exploits. Check listservs and bug tracking sites for any known attacks on your OS, Web server and other third-party products. Prior to loading your application on a server, ensure that the server has been patched, hardened and scanned. Then, scan your application for vulnerabilities to known attacks, looking at HTTP requests and other opportunities for data manipulation. Finally, test application authentication and user-rights management features and terminate unknown services.

Assess and assign risks: Rate applications and systems for risk, focusing on data stores, access control, user provisioning and rights management. Prioritize application vulnerabilities discovered during assessments. Review organizational, industry and governmental policy compliance. And identify both acceptable and unacceptable operations.

Shield your application and control damage: Stay on top of known security threats and apply available patches to your applications and/or infrastructure. If you cannot fix a security issue, use an application firewall, restrict access, disable the application or relocate it to minimize exposure.

Continuously monitor and review: Schedule assessments as part of your documented change management process. When you close one out, immediately initiate a new discovery stage.

Understanding the Web application lifecycle

Shown in figure 2, the IBM Rational® Unified Process®, or IBM RUP®, solution delivers a widely used iterative process framework for developing Web applications based on industry best practices. The core phases of the framework (which may require two or more iterations to complete) are:

Inception: Establish a business case, scope and operational vision. Then, create an initial use-case model, project plan, risk assessment and project description, including core requirements, security requirements (such as clarification of security compliance and policies), constraints, features and prototype candidate architectures.

Elaboration: Refine your vision, address architecturally significant scenarios to establish a baseline architecture, and detail the use-case model. Then, create and test one or more prototypes to mitigate technical risks.

Construction: Develop detailed designs for specific components and their interactions with other applications, continuously tracking against requirements. Generate code and test components for performance, reliability and security, while tracking and resolving issues, and integrate tested components into a first release.

Transition: Deploy the application, train users and conduct beta testing to verify security and performance and validate the application against requirements. Continuously monitor performance, reliability and security as the application undergoes changes.
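The point made at the start of the paper, that an HTTP request can look benign at the network level while its content is harmful, is illustrated by this added example (not from the paper or from IBM). It contrasts a network-level check, which sees only method and host, with an application-level allowlist on each parameter; the endpoint schema, host name and sample requests are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests for a hypothetical catalog endpoint (not captured traffic).
# All four are well-formed HTTP/1.1 GETs to the expected host; only the first is clean.
SAMPLE_REQUESTS = [
    "GET /catalog/item?id=42&sort=price HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "GET /catalog/item?id=42%27&sort=price HTTP/1.1\r\nHost: shop.example\r\n\r\n",   # quote in numeric id
    "GET /catalog/item?id=42&sort=price%3Bls HTTP/1.1\r\nHost: shop.example\r\n\r\n", # ';' in enum field
    "GET /catalog/item?id=7&sort=name&debug=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",# undeclared param
]

# Hypothetical per-endpoint allowlist: parameter name -> pattern its value must fully match.
SCHEMA = {
    "/catalog/item": {
        "id": re.compile(r"[0-9]{1,9}"),
        "sort": re.compile(r"price|name"),
    }
}

def parse_request(raw):
    """Split a raw HTTP request into method, path, decoded query parameters and headers."""
    request_line, _, rest = raw.partition("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes values
    return {"method": method, "path": parts.path, "params": params, "headers": headers}

def network_level_check(req):
    """What a port/protocol filter can judge: allowed method and expected virtual host."""
    return req["method"] in ("GET", "POST") and req["headers"].get("host") == "shop.example"

def application_level_check(req):
    """Reject any parameter not declared for the path or whose decoded value fails its pattern."""
    rules = SCHEMA.get(req["path"])
    if rules is None:
        return False, "unknown path"
    for name, value in req["params"]:
        pattern = rules.get(name)
        if pattern is None:
            return False, f"unexpected parameter {name!r}"
        if not pattern.fullmatch(value):
            return False, f"parameter {name!r} failed allowlist"
    return True, "ok"

def evaluate_all(requests=SAMPLE_REQUESTS):
    """Return (passes network check, passes application check) for each request."""
    return [(network_level_check(r), application_level_check(r)[0])
            for r in map(parse_request, requests)]
```

Running `evaluate_all()` shows every request passing the network-level check and only the first passing the application-level one, which is why the paper places application scanning and input validation alongside the firewall rather than behind it.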