We take a look at individual security capabilities required for complete Web application security.
Network firewalls provide network layer access control and form a barrier against the spread of worms from employee desktops to internal Web servers. However, they must allow all HTTP and HTTPS traffic to Web servers. Over time, the hacking community has learned to use this fact to their advantage by embedding attacks into Web traffic. Code Red and Nimda are examples of Web worms that easily traverse network firewalls via HTTP protocol-compliant communications. Similarly, SQL injection and cross-site scripting represent two targeted Web application attacks (among many) that are ignored by network firewalls since they comply with network and HTTP protocols.
Intrusion prevention systems (IPS)
IPS look at the contents of a packets payload and compare it to a list of known software vulnerabilities. IPS technology may also enforce protocol restrictions to protect against known protocol-related vulnerabilities in commercial software. Unfortunately, such systems are ineffective against attacks that target unknown vulnerabilities in customised code.
Solving application security issues requires a deep understanding of all the elements of the application and database, including URL parameters, cookies, form field inputs, and SQL queries, among others. IPS products do not track this application information and hence cannot detect session-based attacks such as cookie poisoning, cookie injection, and session hijacking.
Monitoring only solutions
Monitoring only (sniffer) products do not ensure complete protection from Web application attacks. These products may not block every attack that has been detected. Usually, these products use a TCP reset for blocking attacks. In some cases, the latency involved in sending the reset after the attack is detected allows certain attacks to reach the victim.
Web application vulnerability scanners
Web Application Vulnerability (AV) Scanners are tools used to automatically scan Web applications for potential vulnerabilities. Unfortunately, many vulnerabilities are only discovered during production run-time. Also, they do not alleviate or help reduce the time to production. Typically, there are multiple cycles of scanning, code fixes and testing with unscheduled rush fixes that are costly and potentially disruptive.
Application code review
Code review involves inspection of the code by an expert in security to identify and presumably correct programming flaws that result in security issues. While code review is a good idea and is consistent with coding best practices, it can entail significant ongoing personnel costs, loss of application deployment flexibility and resource allocation issues. Applications, not forgetting attack methods, change frequently, so the target of code review is a moving target, and new vulnerabilities can be introduced at any time. So there may be multiple code reviews and code fix-testing cycles for every application product release. A recent White Hat study showed that the majority, nearly two thirds, of vulnerabilities remain unfixed and it takes nearly three months for even urgent issues to be remediated. Furthermore, if an organisation is using third-party or legacy applications, the source code often will not be easily available or easily understood which makes the likelihood of quickly fixing the discovered vulnerabilities very low.
Sign up for Computerworld eNewsletters.