With the explosion of Internet-based commerce, companies are more vulnerable than ever to exploitation. While many different aspects of a corporate network are vulnerable to attack, Web application servers and the transitions they manage are prime targets of criminal hackers. Companies have many weapons in their security arsenal, but traditional testing of security controls, such as firewalls, is no longer sufficient to protect organizations doing business on the Internet. As a value-added reseller (VAR) or security consultant offering application security assessments, you can help your customers stay ahead of this evolving threat.
Application security assessments provide customers with invaluable insight to their state of Web security. By testing a site with the techniques and tools typically used by malicious users, you can provide customers with a list of prioritized vulnerabilities and technical recommendations to remediate them.
While best practice dictates putting databases behind a firewall to minimize the possibility of public access, Web applications require access by the Internet-using public. Traditional technical security controls, such as packet filtering firewalls, always allow traffic; this is a necessary condition for the site to work. Depending on the general architecture and purpose of the site, a user may or may not need to sign into an account prior to accessing the dynamic portion of the site. User logins are helpful by limiting access to parts of the site based on user credentials, but are not fool proof if the application server is flawed.
Over the last few years, techniques to attack Web applications have matured into a sophisticated niche within the hacker community. Knowledge of how HTTP DATA, POSTs and GETs work within form fields, Web proxies and SQL are all part of the knowledge base required to hack applications. Hackers who focus on applications use a permitted channel (tcp/80 and tcp/443) to access the site and bypass the traditional security controls. By manipulating what information goes to the application a hacker can force the application to do almost anything. More troubling is that in manipulating the application, the hacker can use the trusted relationship between the application server and the database to gain inappropriate access to sensitive information found on the site.
To complicate matters further, the security issues associated with Web application servers are beyond the skill set of many traditional network security engineering functions. The security flaws are usually attributed to poor code design within the application's compiled software and cannot be corrected directly. This is where an application security assessment conducted by a qualified VAR or consultant proves useful.
Come back for part two of this series where we'll explore the process of conducting a Web application security assessment.
About the author
Adam Rice is a Manager at VeriSign's Global Security Consulting. VeriSign's Global Security Consulting Services help Fortune 500 companies understand corporate security requirements, navigate the maze of diverse regulations, identify security vulnerabilities, defend against and respond to attacks, reduce risk, and meet the security compliance requirements of your business and industry.
Adam has authored several white papers and technical articles on security professional services and emerging threats to the Internet community. He has an extensive background working in security professional services product development and business delivery.
This was first published in October 2006