How can enterprises mitigate web application threats?
Almost all enterprises now run websites on the Internet. They not only publish information through those websites, they also interact with customers through Web applications, blogs, and forums. From the interactive baby registry of an online retailer, to the investment calculator of an electronic trading site, to the support forum of a software vendor, enterprises stand up new Web applications every day to gather information.
The rapid growth of business-centered Web interaction also brings new information security threats that did not exist with the static Web pages enterprises used before. These threats mainly target Web applications, including the Web servers, databases, and other supporting infrastructure behind them.
In this article, we will discuss the most serious threats to Web applications and how the security team should protect them.
Urgent threats to Web Applications
According to evaluations by vendors such as Cenzic, HP, Imperva, Veracode, WhiteHat Security, and Verizon, the two most common Web application threats enterprises face today are XSS and SQL injection attacks. Both have existed for many years, yet Web applications remain vulnerable to them.
Given the wide impact of these two attack types and the broad range of tools available for carrying them out, enterprises must strengthen Web application security to reduce the risk. Although new Web application threats keep emerging, most attacks still exploit these basic vulnerabilities.
How to make Web applications more secure
The security team can adopt some basic measures to strengthen Web application security: improving Web application development practices and deploying new tools that help manage the information security risks Web applications face. These measures should be used together rather than separately, and alongside other security controls.
Improving Web application development should be part of any software or security development lifecycle. Many resources exist for the software development lifecycle (SDLC), such as those provided by Microsoft and by the Department of Homeland Security's cyber security division. The Open Web Application Security Project (OWASP) also provides a Development Guide, including the Development Guide 2010, which discusses methods for developing secure Web applications. As part of the software development lifecycle, teams should regularly review the most common threats to Web applications and keep their threat list up to date. All these techniques can be used to train developers, so that applications improve, security vulnerabilities are minimized, and vulnerabilities are detected and fixed faster.
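The two basic vulnerabilities named above come down to developer habits that secure-development training is meant to change. The following added example (not code from the original article or from OWASP) shows each flaw beside its fix: a SQL lookup built by string concatenation beside a parameterized query, and an HTML greeting that inserts raw input beside one that encodes output. The table, user rows, and inputs are constructed for the example and use Python's built-in sqlite3 and html modules.

```python
"""Vulnerable and hardened forms of the two most common Web application flaws."""
import html
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    # Constructed sample data, kept in memory so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Defect: user input is pasted into the SQL text, so a quote character in
    # `name` changes the structure of the query instead of being data.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: a parameterized query hands `name` to the driver as a bound
    # value, so it can never alter the statement.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    # Defect: untrusted text lands in the HTML response without encoding,
    # so markup in `name` is interpreted by the browser (reflected XSS).
    return f"<p>Welcome, {name}</p>"


def render_greeting_safe(name: str) -> str:
    # Hardened: output encoding turns <, >, &, and quotes into entities,
    # so the browser displays the text rather than executing it.
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = build_demo_db()
    crafted = "' OR '1'='1"  # constructed input containing a quote
    print("vulnerable:", find_user_vulnerable(db, crafted))  # every row leaks
    print("safe:      ", find_user_safe(db, crafted))        # no such user
    print(render_greeting_safe("<b>guest</b>"))
```

The same rule applies regardless of database or template engine: data reaches SQL only through bound parameters, and data reaches HTML only through an encoder appropriate to the context (element body, attribute, URL, or script).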
In addition, another important way to mitigate Web application threats is to deploy new tools that help manage Web application security. These tools are not necessarily new, but many enterprises have never considered Web application firewall and Web application security scanner products, either because no compliance requirement forced them to deploy such products or because Web threats were never their focus.
However, these and other emerging Web defense technologies can successfully block Web application layer attacks and scan Web applications for vulnerabilities. A Web application security scanner can be included in the testing phase of your software development lifecycle, or run as a separate project to actively evaluate the security posture of your Web applications. A Web application firewall inspects the network traffic directed at Web applications and prevents the most common attacks. Neither a Web application firewall nor a Web application security scanner can block or detect every attack or vulnerability, though, and both need constant updates to recognize new threats.
These tools extend your existing security controls, but you should also understand how current threats bypass many traditional controls. For example, if your firewall allows HTTP on port 80 through to the Web server, the firewall usually cannot tell whether that traffic is legitimate HTTP or whether it carries malicious SQL for a SQL injection attack. A Web application firewall, by contrast, understands HTTP and can detect and (in most cases) block most SQL injection attacks. Remember that no single security tool or control protects all enterprise Web applications, but the combination of a Web application firewall and Web security scanning provides solid protection against the most common XSS and SQL injection attacks.
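To make the port-80 point concrete, here is an added example (not from the original article, and not the logic of any particular firewall product) that contrasts a stateless port filter with a minimal WAF-style inspector. The port filter decides on the destination port alone; the inspector parses each HTTP request, decodes its query and form parameters, and matches them against a few generic SQL-injection signatures. The requests, host name, and signature list are all constructed for the example; real products carry far larger rule sets, which is why the article notes they still miss some attacks.

```python
"""Port filter versus WAF-style inspection of HTTP requests (added example)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample requests, as they would arrive on port 80.
SAMPLE_REQUESTS = [
    "GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=s3cret",
    "POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=admin%27--&pass=x",
]

# A few generic, case-insensitive SQL-injection signatures (illustrative only).
SQLI_SIGNATURES = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),  # quote then tautology
    re.compile(r"union\s+(all\s+)?select", re.I),             # UNION-based probe
    re.compile(r"'\s*--"),                                     # quote then SQL comment
    re.compile(r";\s*(drop|delete|update|insert)\b", re.I),    # stacked statement
]


def port_filter_decision(dst_port: int) -> str:
    # A packet filter never reads the HTTP payload: port 80 or 443 is simply allowed.
    return "allow" if dst_port in (80, 443) else "deny"


def parse_http_request(raw: str) -> dict:
    # Split head from body, take the request line, and collect parameters
    # from both the query string and a form-encoded body.
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"method": method, "path": parts.path, "params": params}


def waf_decision(raw: str) -> dict:
    # Inspect every parameter value; decode once more so a double-encoded
    # value is seen the way the application will see it.
    req = parse_http_request(raw)
    hits = []
    for name, values in req["params"].items():
        for value in values:
            decoded = unquote_plus(value)
            for sig in SQLI_SIGNATURES:
                if sig.search(decoded):
                    hits.append((name, sig.pattern))
                    break
    return {"path": req["path"], "action": "block" if hits else "allow", "hits": hits}


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        verdict = waf_decision(raw)
        print(f"port filter: {port_filter_decision(80):5}  "
              f"waf: {verdict['action']:5}  {verdict['path']}  {verdict['hits']}")
```

Two of the four constructed requests pass the port filter but are blocked by the inspector. The signature approach also shows the limitation the article raises: a request that avoids every listed pattern is allowed, so signatures must be updated continually, and the application-side fixes (parameterized queries, output encoding) remain the primary defense.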
Conclusion
Although new Web applications let enterprises interact with customers and improve those relationships, they also bring new information security risks. Traditional security controls on their own are often unable to defend against these Web application threats. However, by extending traditional controls, integrating Web application security into the software development lifecycle, and deploying new Web application security tools, enterprises can reduce the risk from these threats. Enterprises that do not use these techniques, or do not plan to, should reconsider: their Web applications may be widening their exposure to Web security threats. For today's enterprise information security programs, protecting Web systems from new threats has become an important priority.
TechTarget China