Web application security from reactive to proactive



Smart It

Web-Application Security: From Reactive to Proactive

John R. Maguire and H. Gilbert Miller, Noblis

Many organizations bring security to the forefront of Web-applications design only after an incident occurs. The result is generally an expensive, knee-jerk reaction to security problems that might have been avoided with intelligently planned controls.

A Typical Scenario

The typical Web-application development scenario goes something like this: Decision makers see a business opportunity to provide a service via the Web, so they assemble a design team. The team produces a design that reflects the business requirements and passes it to Web developers and programmers, who race to deliver the system on time and within the budget with limited resources. The nearly complete system might then undergo final user-acceptance testing and quality assurance to ensure it meets the stated business requirements. Once the application passes those tests, it's declared complete and is pressed into production as quickly as possible so the organization can realize its gain.

Conspicuously absent in this process is any specific consideration for the application's security. Yet organizations can't afford to let such scenarios persist, particularly in light of the trend of increased attacks made clear in the "Symantec Global Internet Security Threat Report: Trends for 2009" (Symantec white paper, Apr. 2010).

In helping clients assess application-layer vulnerabilities, Noblis has found that organizations often don't protect their applications because they don't fully understand how popular security controls, such as firewalls and vulnerability scanning, relate to the application layer. An analysis based on this incomplete knowledge can't provide an accurate risk assessment.

Solutions and guidelines are readily available, but managers must know what questions to ask to use such aids effectively. Initial steps can be as simple as implementing a policy for third-party vulnerability assessments at the application layer. A trained expert can also help set up a process for implementing solutions during application design, thus building in security measures.

The Ignore-then-Fix-It Cycle

Most organizations approach Web-application security in a counterproductive cycle: During design, they largely ignore it or address it ineffectively. When security incidents occur, not only is security suddenly a top concern, but management must find someone to contain the damage and fix its root cause. Because no one has proactively sought application-security training or put a process in place to find such problems, the best the organization can do is hope that the scale of the incident is small. More often than not, the task of preventing and mitigating attacks falls heavily on the administrator or the application's developers, who are already trying to meet constantly evolving business priorities. When incidents occur, security eventually becomes their second full-time job, and without additional resources, they're forced to juggle their competing roles. The security of newly designed applications thus receives little attention until the next incident is encountered, and the ignore-then-fix-it cycle begins anew.

This failing isn't caused by a lack of resources or solutions, which are readily available; rather, it's the product of the management mindset. Even managers with websites that are considered to be at greater risk of attack—such as financial, government, and e-commerce sites—simply aren't putting enough controls into their design, development, and operational processes to avoid serious security incidents that originate at the application layer.

Uninformed Risk Analysis

Resistance to proactively implementing application-layer security often stems from the perceived expense of the process and the idea that many decision makers view risk as a natural part of doing business. The traditional choices are to avoid, reduce, transfer, or accept the identified risk. But if risk identification is unreliable, then the decision makers aren't sufficiently informed to make such choices. For example, one highly significant cost that tends to be overlooked is the potential reputation loss from a security incident.

Another commonly unforeseen factor is that the victims of an attack can extend well beyond the organizational boundary. For example, attackers can steal customer data and use it for fraudulent purposes (as in identity theft). In other scenarios, they can subvert the application to carry out phishing or other attacks on unrelated third parties (as in malware distribution). Informed risk analysis therefore must involve a mechanism not only to detect vulnerabilities but also to accurately determine who or what the actual targets of attacks might be and to more accurately forecast potential losses if such attacks occur.

This short-sightedness is rooted in a larger problem that some have called a failure of imagination. Managers accept their incomplete security assessment because they believe that the risk associated with compromise will be minimal. Unfortunately, they can't see that they've failed to imagine the full extent of potential problems. Consequently, they're reluctant to invest in measures beyond scanning, which provides only minimal vulnerability detection.

Regardless of the decision makers' beliefs or level of awareness, the organizations they represent clearly have a responsibility for the information systems under their control. This idea is paramount in compliance legislation such as the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act, and the Federal Information Security Management Act of 2002. More generally, it falls within the IT community's expected norms of behavior, which apply to every organization—whatever the nature of its Web applications or underlying business.

The details of how to address application risk will ultimately depend on the organization's business requirements and the amount of risk it's comfortable with. However, any website could be vulnerable to attack. An organization shouldn't assume that its website is exempt because it doesn't process financial transactions or store personally identifiable information. Attackers have countless reasons for compromising an asset. They might use the asset as a foot in the door for a deeper attack or simply as a mechanism for distributing malware.

Reversing the Trend

At the heart of ineffective Web-application security is a fundamental misunderstanding of available controls and which layers of the Open Systems Interconnection (OSI) protocol stack they protect.

Understand the Application Layer

The first step in reversing the trend of compromised websites is to understand why controls that operate below the application layer can't protect the application.

The OSI layers operate independently, so if an attacker exploits a weakness in software running at layer 7, controls intended to secure the system's lower layers won't prevent the attack. Thus, a packet-filtering firewall at layer 3 won't prevent an attack targeting a publicly available Web application, nor will a vulnerability scanner configured to find weaknesses at lower layers effectively identify problems at higher layers.

Become Proactive

The second step is to become proactive instead of reactive, which means performing a vulnerability assessment at the application layer to identify problems.

The recommended approach is to bring in a neutral third party specifically trained in securing Web applications. However, even a simple assessment or an automated scan against a reliable checklist of the most common vulnerabilities is better than nothing. This will help identify problem areas so staff can describe each problem's potential impact and recommend a mitigation strategy.

Realistic expectations are also important. At most, an assessment can provide insights into the problem areas and the effort required to address them; nothing will completely attack-proof a site. However, a policy for periodically assessing an application's security can find and remove vulnerabilities before they become security incidents.

Use the Standards

The third step is to implement readily available standards, guidelines, and best practices. With the amount of guidance available in standards documents, organizations have little excuse not to conduct at least a cursory check for application vulnerabilities. Several software vendors sell automated application-layer vulnerability scanners (for a list of vulnerabilities, see the Open Web Application Security Project's Top Ten Issue List at index.php/Category:OWASP_Top_Ten_Project).

Managers are naturally attracted to such solutions because automation is a straightforward and easily understood concept. Automated tools can be an integral part of an overall security-assessment process, but they can't replace the experience of a trained eye; an expert can assess and qualify risks that tools can't. Managers tempted to adopt a scanner-only approach should think again—security is a process, not a product.

Implementation Choices

Organizations have two choices when implementing Web-application security: bolt security onto a completed application or design it in from the beginning.

Bolting On

Any security mechanism added to a completed Web application is a compensating control. Other than simple neglect, there could be other reasons why bolting on security is an organization's only choice. For example, if an organization purchases a closed-source commercial-off-the-shelf product whose company subsequently folds, then it might have no other way to mitigate a new-found vulnerability in the product. In this case, the organization could bolt on an intrusion-prevention system to inspect packets at the application layer.

Although no such measure can replace proactive and periodic security assessments, if implemented properly, the control can improve the application's overall security posture. We advise bolting additional layers of security onto an application that incorporated security from the very first blueprints. The trick is to put the correct control in place in the right way. Security vendors often inflate their products' abilities, making it easy for managers to underestimate the full cost of the control once it's in place. For example, many managers underestimate the staff hours associated with running the tools, reviewing the results, and taking appropriate actions.

Designing In

The design-in approach aims to identify potential problem areas as early as possible—when they're far less expensive to fix—and then assist in designing them out rather than trying to patch them later.

In this more proactive approach, a security expert joins the project team at the start and actively participates during all project life-cycle stages. Early on, the expert critiques the design. Then, toward the middle of the project, the expert might perform code reviews. Finally, toward the project's end, he or she might help the team prepare for certification activities.

Cost Trade-offs

Fundamentally, security is a business decision. Fixing security vulnerabilities costs money—how much generally depends on when the issues are identified.

On the surface, incorporating security from the beginning appears to be the more expensive option, but in practice it often ends up being less costly. For most organizations engaged in Web-application development, the ideal approach is to introduce security as a separate and distinct project role and assign team members as early as possible. Security experts should participate directly throughout—from the drawing board through production.

Web-application development is a complex area with many simultaneous activities, each of which presents an opportunity to introduce exploitable vulnerabilities. The de facto security measure is to focus on nearly everything but the application itself. Here's a sobering thought for all managers responsible for Web applications: Without proactive consideration for the application's security, attackers can bypass nearly all lower-layer security controls simply by using the application in a way its developers didn't envision. The result is often the total compromise of the information system's confidentiality, integrity, or availability. Organizations must ensure the security of their Web applications, not only to protect their investment and reputation but also to remain accountable to the applications' users. By not addressing vulnerabilities proactively and early on, organizations can leave themselves open to devastating consequences. And with guidance and expertise readily available, such a gamble would seem to be a risk not worth taking.

John R. Maguire is a manager at Noblis and a credentialed Computer Information System Security Professional. He received a BS in decision sciences and management information systems from George Mason University.

H. Gilbert Miller is a member of IT Professional's advisory board and corporate vice president and chief technology officer at Noblis. He received a PhD in engineering and public policy from Carnegie Mellon University.

IT Pro July/August 2010. 1520-9202/10/$26.00 © 2010 IEEE. Published by the IEEE Computer Society.
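The layer-independence argument made in the "Understand the Application Layer" step above (a layer-3 packet filter cannot stop a layer-7 attack, and cannot even see it) can be shown in code. What follows is an added example, not code from the IT Pro article or from Noblis. It assumes a hypothetical account-lookup service: the names `Packet`, `layer3_filter`, `lookup_weak`, `lookup_hardened` and `handle`, and the sample account rows, are all constructed for this illustration. The packet filter allows TCP to port 443 and inspects nothing else, so a benign request and a request whose parameter is not an account number pass it identically; only the application-layer control (validate the parameter's shape, then bind it into the query instead of splicing it into SQL text) tells them apart.

```python
# Added example (not from the IT Pro article or from Noblis): a layer-3 packet
# filter in front of a hypothetical layer-7 account-lookup handler, shown in a
# weak form and a hardened form.  All names and sample rows are constructed.
import sqlite3
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Packet:
    proto: str       # fields a layer-3/4 packet filter can inspect
    dst_port: int
    payload: str     # HTTP query string: opaque to the packet filter


def layer3_filter(pkt: Packet) -> bool:
    """Firewall rule: allow TCP to the Web port, drop everything else.
    It never parses the payload, so every request to port 443 passes."""
    return pkt.proto == "tcp" and pkt.dst_port == 443


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the hypothetical account service."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 250), ("1002", "bob", 900), ("1003", "carol", 40)],
    )
    return conn


def lookup_weak(conn: sqlite3.Connection, account: str) -> list:
    """Layer-7 weakness: the request parameter is spliced into the SQL text,
    so the parameter can change the meaning of the query (an OWASP Top Ten
    category).  Nothing below layer 7 can notice this."""
    sql = f"SELECT id, owner FROM accounts WHERE id = '{account}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, account: str) -> list:
    """Layer-7 control: validate the parameter's shape, then bind it."""
    if not account.isdigit():
        return []    # an account number is all digits; anything else is rejected
    sql = "SELECT id, owner FROM accounts WHERE id = ?"
    return conn.execute(sql, (account,)).fetchall()


def handle(pkt: Packet, conn: sqlite3.Connection, lookup) -> dict:
    """Run one request through the firewall, then through the chosen handler."""
    if not layer3_filter(pkt):
        return {"firewall": "dropped", "rows": []}
    account = parse_qs(pkt.payload).get("account", [""])[0]
    return {"firewall": "passed", "rows": lookup(conn, account)}


# Constructed requests: one benign, one whose parameter is not an account number.
BENIGN = Packet("tcp", 443, "account=1001")
HOSTILE = Packet("tcp", 443, "account=' OR '1'='1")


def demo() -> dict:
    """Same two requests through both handlers; the firewall verdict is identical
    in every case, and only the hardened handler rejects the hostile parameter."""
    conn = make_db()
    return {
        "weak_benign": handle(BENIGN, conn, lookup_weak),
        "weak_hostile": handle(HOSTILE, conn, lookup_weak),
        "hardened_benign": handle(BENIGN, conn, lookup_hardened),
        "hardened_hostile": handle(HOSTILE, conn, lookup_hardened),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} firewall={result['firewall']:7s} rows={result['rows']}")
```

Running it shows the point the article makes: the firewall reports "passed" for all four cases, the weak handler returns every account row for the hostile request, and the hardened handler returns nothing for it while still answering the benign one. A lower-layer vulnerability scanner would likewise report the port as open and the service as reachable, and say nothing about which of the two handlers is deployed.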