Web Application Threats Are Evolving. Are Your Security Efforts Keeping Pace? Today, Web application security threats are not only becoming more abundant than ever, but also more difficult to detect, and more complex to solve. Many organizations are responding to these unique vulnerabilities with traditional network security approaches. However, sophisticated Web applications threats require a more sophisticated security strategy. What’s worked in the past won’t necessarily work today; and what’s more, Web application security requires a comprehensive solution, not simply a series of a la carte provisions. For detailed steps toward improving your Web application security strategy, download the VeriSign® Enterprise Security Services white paper, Best Practices That Improve Web Application Security.
White Paper
Best Practices That Improve
Web Application SecurityWhite Paper
Contents + Advanced Application Threats, New Vulnerabilities 3Application-Layer Vulnerabilities 3Underlying Sources of Vulnerability 4+ Going Beyond PCI Compliance 5+ Best Practices That Improve Web Application Security 5Understand the Threat Profile 6Implement a Holistic Control Model 6Develop a Programmatic Approach 6Build Security into the Software Development Lifecycle (SDLC) 7Implement a Web Application Firewall or Other Mitigating/Compensating Control 7+ VeriSign® Enterprise Security Services- A Sustainable, Programmatic Approach to Web Application Security 8+ For More Information 10White Paper
"Forrester estimates that Web applications have proliferated as organizations move sensitive data, intellectual between half and three-quarters property, business processes, and transactions to their Web sites to allow rich interaction of all vulnerabilities reported with business partners, customers, and employees. By enabling these dynamic exchanges, to the National Vulnerability web applications reduce operational costs, create new channels for revenue, strengthen Database in 2007 belonged to web applications." branding, and meet customer demand for "anytime, anywhere" services. At the same time, web applications may expose organizations to significant risk if they are not properly (Wang, Chenxi. Inquiry Spotlight: protected.Application Security, Q4 2008, Forrester, October 2008.) Although some organizations have implemented security measures to address application security requirements in the Payment Card Industry (PCI) Data Security Standard, many organizations are recognizing the need to develop additional expertise and capabilities that focus specifically on protecting web applications, servers, and databases. VeriSign® Enterprise Security Services advocates a programmatic approach that systematically addresses all facets of web application security, including convergence with non-web applications. This approach revolves around a number of critical practices, which are discussed here. Implementing these practices helps organizations improve risk management, compliance, and software development, and create a sustainable, scalable program that improves efficiencies and minimizes the burden on in-house resources.
+ Advanced Application Threats, New Vulnerabilities Threats to web applications come in multiple forms and are evolving rapidly. They are becoming more difficult to detect (e.g., botnets that execute commands remotely and camouflage their origin) and more targeted (e.g., focusing on point-of-sale [POS] applications) than earlier forms of attack. In addition, attacks are focused on the application layer of the OSI reference model, so traditional relied-upon controls are not equipped to thwart them. And while signature-based controls can help detect or prevent some network-layer attacks, they do not enable organizations to identify misconfigured, poorly designed, or vulnerably coded applications.
Application-Layer VulnerabilitiesApplication-layer attacks target vulnerabilities in web application design, configuration, or code. Application-layer attack vectors include transaction form fields and functions and, for Web 2.0 applications, the dynamic content delivered to clients by the web application. If unsecured, these resources can be attacked by any entity with access to the web application. Vulnerabilities are usually code-related and include cross-site scripting, injection flaws, buffer overflows, and un-validated input. (For a discussion of the most prevalent forms of code-related vulnerabilities and threats, see CWE/SANS TOP 25 Most Dangerous Programming Errors, http://www.sans.org/top25errors and the Open Web Application Security Program [OWASP] Top 10, http://www.owasp.org/index.php/Top_10_2007). These vulnerabilities allow an attacker to execute web application attacks such as phishing, identify theft, data theft and destruction, malicious code execution, botnets, and rootkits. These attacks have financial, legal, compliance, and branding repercussions that can undermine the most carefully built organizations.
3White Paper
"Based on a survey of 10,000- Underlying Sources of Vulnerabilityplus workers worldwide Evolving technology, changes in the business landscape, and lax process... [download for more]
