Almost every business now has a Web presence that not only publishes information but also interacts with customers through Web applications, blogs, and forums. From an online retailer's interactive baby registry to an electronic trading site's investment calculator or a software vendor's interactive support forum, businesses roll out new Web applications every day to exchange information with their customers.
The rapid growth of business-centric Web interaction has also brought new information security threats that the static Web pages of the past did not face. These threats target Web applications and the infrastructure that supports them: Web servers, databases, and other back-end systems.
This article discusses the most serious threats to Web applications and how security teams should protect against them.
The immediate threats to Web applications
Vendors such as Cenzic, Hewlett-Packard, Imperva, Veracode, WhiteHat Security, and Verizon have all assessed the Web application threats facing today's businesses, and the two most common are cross-site scripting (XSS) and SQL injection. SQL injection occurs when untrusted input is spliced into a database query so that the attacker can change what the query does; XSS occurs when untrusted input is written into a page without output encoding so that the attacker's script runs in other users' browsers. Both attacks have been known for years, yet Web applications remain vulnerable to them.
Given how widespread both attacks are and how many ready-made attack tools exist, organizations must strengthen Web application security to reduce the risk. Although new Web application threats keep emerging, most attacks still exploit these basic, well-known vulnerabilities.
How to make Web applications more secure
Security teams can improve Web application security with two basic approaches: improving how Web applications are developed, and deploying tools that help manage the information security risks specific to Web applications. These approaches should be used together with the organization's other security controls, not in place of them.
Building security into Web application development should be part of any software development lifecycle (SDLC) or security development lifecycle. Plenty of SDLC resources exist, such as those provided by Microsoft and the U.S. Department of Homeland Security. The Open Web Application Security Project (OWASP) also provides development guidance, including its Development Guide 2010, which discusses how to develop Web applications securely. As part of the SDLC, teams should periodically review the most common threats facing Web applications and update their threat list accordingly. All of these practices help train developers to build applications with fewer vulnerabilities, and to find and fix the vulnerabilities that remain faster.
Another important way to mitigate Web application threats is to deploy tools that help manage Web application security. These tools are not necessarily new, but many businesses have never considered products such as Web application firewalls (WAFs) and Web application security scanners, either because no compliance requirement forced them to, or because Web threats were never a major concern.
However, these and related emerging Web defense technologies can block Web application layer attacks and find Web application vulnerabilities. Web application security scanners can be run in the testing phase of the SDLC, or as a stand-alone project to assess the security status of existing Web applications. Web application firewalls inspect the HTTP traffic reaching Web applications and block the most common attacks. But neither WAFs nor scanners prevent or detect every attack or vulnerability, and both need regular updates to keep up with new threats.
These tools extend your existing security controls, but you should also understand how current threats bypass many traditional controls. For example, if your network firewall allows HTTP on port 80 through to your Web server, it usually cannot tell whether that traffic is legitimate HTTP or carries SQL code for an injection attack: to a port-based filter, both look the same. A Web application firewall, by contrast, inspects the HTTP requests themselves and detects and (in most cases) blocks the majority of SQL injection attacks. Keep in mind that no single tool or control protects all of an enterprise's Web applications; a combination of a WAF and Web application security scanning provides solid protection against the most common XSS and SQL injection attacks.
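As an added example that is not part of the original article, the following Python code contrasts what a port-based firewall can decide with a WAF-style inspection of the decoded request parameters. The request lines, the signatures, and the parameter names are constructed for illustration and are far simpler than a real WAF's rule set. The last request carries the same SQL injection payload as the second, URL-encoded twice; it passes the signatures untouched, which is the kind of gap the article warns about (it only matters if the back-end application decodes the value a second time, which is an assumption of the example).

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request lines (not captured traffic). The last one is the
# same SQL injection payload as the second, but URL-encoded twice.
REQUESTS = [
    "GET /search?q=baby+registry HTTP/1.1",
    "GET /login?user=admin%27+OR+%271%27%3D%271 HTTP/1.1",
    "GET /comment?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
    "GET /login?user=admin%2527+OR+%25271%2527%253D%25271 HTTP/1.1",
]

# Illustrative signatures only; real WAF rule sets are far larger.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I),     # ' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),  # UNION SELECT
    re.compile(r"(--|#|;)\s*$"),                          # trailing comment / terminator
]
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon(load|error|click|mouseover|focus)\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]


def port_filter(request_line, dst_port=80):
    """What a network firewall can decide: it sees the port, not the request."""
    return "allow" if dst_port in (80, 443) else "deny"


def decoded_params(request_line):
    """Parse 'METHOD target HTTP/x.y' and return the query parameters, decoded once."""
    _method, target, _version = request_line.split(" ", 2)
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def waf_inspect(request_line):
    """Match each decoded parameter value against the signatures.

    Returns ("block", category, parameter) or ("allow", None, None).
    """
    for name, value in decoded_params(request_line):
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                return ("block", "sqli", name)
        for pat in XSS_PATTERNS:
            if pat.search(value):
                return ("block", "xss", name)
    return ("allow", None, None)


def compare(requests=REQUESTS):
    """Side-by-side decisions of the port filter and the WAF for each request."""
    return [(r, port_filter(r), waf_inspect(r)[0]) for r in requests]


if __name__ == "__main__":
    for line, fw, waf in compare():
        print(f"firewall={fw:5} waf={waf:5}  {line}")
```

The port filter allows all four requests because they are all HTTP on port 80. The WAF blocks the single-encoded injection and the script tag, but the double-encoded variant decodes to `admin%27 OR %271%27%3D%271`, which contains no quote character and matches nothing; a WAF that only decodes once, in front of an application that decodes again, misses it. This is why the article says such tools need constant updating and cannot replace fixing the application itself.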
Conclusion
Although new Web applications let businesses interact with customers and improve those relationships, they also introduce new information security risks. Traditional security controls alone often cannot withstand Web application threats, but the risks can be reduced by extending traditional controls, building Web application security into the software development lifecycle, and deploying Web application security tools. Companies that do not use these techniques, or do not plan to, should think carefully: their Web applications increase their exposure to Web security threats. Protecting Web systems from these threats has become a priority for today's enterprise information security programs.
TechTarget China