Thursday, May 8, 2008

A Risk Management-Based Approach to Web Application Security

At the end of the day, it all comes down to the Software Development Life Cycle (SDLC).  All vulnerabilities, big or small, can be traced back to a few lines of code written by a Developer who was hoping to achieve a bit of functionality.  According to Gartner, “By 2009, 80 percent of companies will have suffered an application security incident”.  The significance of this statement is astounding, due to the fact that most organizations rely heavily on their web presence for daily e-survival. 

While the majority of organizations have yet to merge their development and security processes, the move towards producing secure Web Applications is absolutely critical.  Unfortunately, most Development, Quality Assurance and Information Security teams operate in isolated communities and are rarely driven by the sentiment that security is fundamental for all parties involved.  Ultimately, the goal for any organization is to operate with a strong, well-defined security process within the SDLC; however, development of such a program can be quite overwhelming - even for the most mature organizations.

Risk Management provides a structured process for identifying, assessing and quantifying risk for an environment.  By applying a Risk Management-based approach, your organization will be able to kick-start its program and achieve success through a more palatable set of goals.

Through this approach, several significant variables are quantified in an effort to understand the threat against your Web Application infrastructure.  These variables include:

  1. Asset Value (AV)
  2. Vulnerability Severity (VS)
  3. Likelihood of Threat (TH)
  4. Applied Countermeasures (CM)
  5. Weighted Value for severity of vulnerabilities (WV)

The end result of this program is an overall Risk Score (RS), which will aid in measuring compliance with your security policy and posture.

Friday, May 2, 2008

Web Security 101

Over the past few weeks, I've read several posts from folks around the industry on how to secure web applications and I've read many interesting viewpoints. In my opinion, there are seven basic ideas that I believe any security professional should carry with them for web applications.

  1. Test Everything!

    The first concept for every security professional is to test everything. There is no amount of testing that is ever enough -- test, and simply keep testing. Just because you ran one scan with some tool and reviewed the results does not mean testing should end. What was once a very secure application could absolutely be compromised tomorrow.

  2. Secure the foundation

    Web Applications are nothing more than applications running on an Operating System, so it is still absolutely critical to secure the environment that they live in.

  3. Encrypt your data

    Data encryption may be utilized in a number of areas within your architecture, whether that is SSL certificates, data encryption on the database, or encryption of the file system. I'm not sure I have the ability to recommend the "type" of encryption, but use of encryption is highly recommended.

  4. Input Validation

    With Application Security vulnerabilities, the majority of the vulnerabilities lie with poor input validation. Using input validation in all areas of the application is absolutely critical. If you have the ability to discover tools that will perform Input Analysis on your application prior to going live, I would highly recommend employing them. For those not familiar with Input Analysis techniques, these are solutions that will search for any component of your application where input is taken in (controls, form fields, etc.) and assist with the validation of those points.
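As an added illustration of "input validation in all areas of the application" (example code, not from the original post), the block below validates every submitted field against an allow-list schema: each input point gets a regular expression that describes what is acceptable plus length bounds, anything not described is rejected, and a field the schema does not know about fails rather than passing through silently. The schema and form contents are constructed for the example.

```python
"""Allow-list input validation for form fields. Schema is a constructed example."""
import re

# One entry per input point: (allow-list pattern, min length, max length).
# \A and \Z anchor the whole string; $ alone would still match before a trailing newline.
SCHEMA = {
    "username": (re.compile(r"\A[A-Za-z0-9_]{3,32}\Z"), 3, 32),
    "order_id": (re.compile(r"\A[0-9]{1,12}\Z"), 1, 12),
    "comment":  (re.compile(r"\A[A-Za-z0-9 .,!?'\-]*\Z"), 0, 500),
}


class InvalidInput(ValueError):
    """Raised for any value that does not match the allow-list for its field."""


def validate(field: str, raw) -> str:
    """Return the cleaned value for `field`, or raise InvalidInput."""
    if field not in SCHEMA:
        # Unknown input points are rejected, not ignored: every point must be declared.
        raise InvalidInput(f"unknown field {field!r}")
    if not isinstance(raw, str):
        raise InvalidInput(f"{field}: expected a string")
    pattern, lo, hi = SCHEMA[field]
    value = raw.strip()
    if not lo <= len(value) <= hi:
        raise InvalidInput(f"{field}: length {len(value)} outside {lo}..{hi}")
    if not pattern.match(value):
        raise InvalidInput(f"{field}: contains characters outside the allow-list")
    return value


def validate_request(form: dict) -> dict:
    """Validate every field of a submitted form; the whole request fails on the first bad field."""
    return {name: validate(name, value) for name, value in form.items()}


def is_valid(field: str, raw) -> bool:
    """Boolean convenience wrapper around validate()."""
    try:
        validate(field, raw)
        return True
    except InvalidInput:
        return False


if __name__ == "__main__":
    # Constructed sample submissions: one clean, one carrying characters outside the allow-list.
    print(validate_request({"username": "alice_01", "order_id": "42"}))
    print(is_valid("username", "alice' OR 1=1"))   # False
```

Allow-listing (describe what is acceptable) is the point; a deny-list of "bad" characters has to be updated every time a new trick appears, whereas the patterns above reject anything they were not written to accept.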

  5. Strong Authentication

    Authentication is key to applications, and the use of strongly authenticated users or sessions is necessary. If strong authentication is not always an option, at the very least, please encourage your users (or security policy) to use strong passwords.

  6. Control Access to the Application

    As discussed in our AJAX post, validation of data is a very difficult aspect of security around your web application. Validating every single request to your web application is sometimes difficult; however, it's my recommendation to do your best with this.

  7. Session Management

    Session Management is yet another very serious aspect of securing your web application. Points of weakness for many web applications are found when developers make some great attempt to start creating their own session management schemes.  Three words that I have for you: (1) cryptographically strong, (2) random, (3) strong protection.
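To make the three words concrete, here is an added example (not code from the original post) of a minimal server-side session store: identifiers come from the operating system's cryptographic random source via `secrets`, only a hash of each identifier is kept server-side so a leaked store does not leak usable tokens, sessions expire on idle time and are rotated after authentication, and the cookie carrying the identifier is sent with the `Secure`, `HttpOnly` and `SameSite` attributes. The idle timeout and token size are assumptions chosen for the example; the injectable clock exists only so the expiry logic can be exercised without waiting.

```python
"""Server-side session store built on a CSPRNG. Timeout and token size are assumed values."""
import hashlib
import secrets
import time

TOKEN_BYTES = 32          # 256 bits of entropy per session identifier
IDLE_TIMEOUT = 15 * 60    # assumed idle expiry in seconds


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing; defaults to wall-clock time
        self._sessions = {}          # sha256(token) -> {"user": ..., "expires": ...}

    @staticmethod
    def _key(token: str) -> str:
        # Store only a digest of the token so the store itself cannot be replayed if copied.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user: str) -> str:
        """Issue a fresh, unpredictable identifier for `user` and return it to set as a cookie."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[self._key(token)] = {
            "user": user,
            "expires": self._clock() + IDLE_TIMEOUT,
        }
        return token

    def lookup(self, token: str):
        """Return the user for a live session, or None; touching a session extends its idle timer."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if self._clock() > entry["expires"]:
            del self._sessions[key]      # expired sessions are purged, not resurrected
            return None
        entry["expires"] = self._clock() + IDLE_TIMEOUT
        return entry["user"]

    def rotate(self, old_token: str):
        """Replace the identifier (e.g. right after login) so a pre-login value stays worthless."""
        user = self.lookup(old_token)
        if user is None:
            return None
        self.destroy(old_token)
        return self.create(user)

    def destroy(self, token: str) -> None:
        """Logout: remove the session regardless of its remaining lifetime."""
        self._sessions.pop(self._key(token), None)


def set_cookie_header(token: str) -> str:
    """Cookie attributes that keep the identifier off plaintext links and out of script reach."""
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    t = store.create("alice")
    print(set_cookie_header(t))
    print(store.lookup(t))            # alice
```

What the three words rule out is equally instructive: a counter, a timestamp or a hash of the username is neither random nor cryptographically strong, and an identifier sent without `Secure` and `HttpOnly` has no "strong protection" regardless of how it was generated.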

Again, these are only a few thoughts that I'm throwing around here; there are a thousand other things that could be considered, so please don't consider this the almighty list [no flames, please].