Is your website secure? WEB Application Security Summary (1)
Application security is becoming more and more important: most of the security incidents seen on the Internet are essentially application security problems, and WEB application security in particular (a glance at WooYun and similar disclosure platforms confirms this). My work in recent years has been almost entirely related to application security, so I would like to take this opportunity to summarize some of my thinking.
Common ideas on WEB Application Security
This article does not cover DDoS or business-specific issues. DDoS is mainly handled at the network layer, so I do not treat it as part of WEB Application Security; business-related security, in particular problems caused by the characteristics or rules of a specific business, is also outside this discussion.
The following is a rough classification and is not rigorous.
Use tools to enhance WEB Application Security
Tools usually have very little impact on the application development process: some configuration at deployment time is enough for them to play a protective role. The tools are mainly firewalls, WAFs and various scanning products. These products are generally signature-based and have little insight into the WEB application they protect, so they often run into the challenges listed below.
Because the protected WEB application is a black box to these traditional tools, effective protection is costly. I personally think traditional products are better suited to large-scale, simple, uniform controls, providing a uniform layer of protection as infrastructure, and to emergency measures: shortening the response time for vulnerabilities such as Heartbleed or Struts2 remote code execution and buying enough of a time window for a thorough fix.
False positive rate and false negative rate: as everyone knows, from anti-virus software through IDS and IPS to scanners and WAFs, anything built on a signature library sits on the same trade-off curve; it is hard to achieve both a low false positive rate and a low false negative rate at once.
0-day: 0-days in WEB applications are too easy to find, the number of WEB applications is enormous, and applications designed with security fully in mind are rare. Rule-based tools therefore struggle not only to find 0-days but even to respond to them quickly, because rules can only describe what is already known and cannot find the "unknown".
Generality versus customization: there are far more applications than common components such as operating systems and databases, so an application-layer check or protection tool cannot cover every application (WordPress and an enterprise ERP, for example, are completely different applications).
Vulnerabilities that are hard to eradicate: as long as the code is not modified or patched, the application keeps its vulnerabilities. Once there is a blind spot through which attackers reach the protected WEB application directly, all the protective measures placed in front of it are meaningless. Today's business systems are all distributed and very prone to such blind spots; a cloud WAF in particular is easy to bypass, since a request sent straight to the origin server never passes through it.
Enhance WEB application security through development process control
SDLC here stands for the Secure Software Development Life Cycle, also called SDL or SSDLC. Its defining trait is "embedding" secure "genes" into the software development life cycle, which substantially improves the security of the software product. The best-known success story in the industry is Microsoft, which has greatly improved the security of Windows through the continuous implementation of SDL over the past ten years.
SDLC needs to be embedded in all the activities of software development and relies heavily on people and tools (vulnerability scanning, code auditing, ...), and here too we have run into challenges.
In a sense, SDLC only suits certain companies: those with stable development organizations and processes, where the business does not change so fast and is relatively stable, and where the business depends heavily on IT or software development. Extended reading: How to Use SDL in your organization.
Time: business features evolve very quickly, and feature delivery is usually the core metric by which the whole development team is measured (especially in Internet companies). New security requirements delay product development, so the team tends to defer them, and continuous business pressure makes it hard for fixes to legacy problems to get a high priority. It is essentially a "technical debt" problem.
Expertise: security is not a core capability of the development team. Even SDLC training only covers common, well-known attacks; facing new or complex attacks requires a comprehensive and deep understanding of the security field. It is already hard for developers to keep up with progress in their own field, let alone add security knowledge and keep up with progress in that field as well.
Resources: applications developed and used by large organizations are often very large, and building a complete SDLC into the development process is beyond what most organizations can afford, organizationally or technically.
False positives: SDLC uses many tools, and these tools usually produce false positives, which easily becomes a reason for developers to resist SDLC.
Process: in essence, SDLC makes developers pay attention to security; the more security awareness developers have, the more secure the products the company builds. The downside is that in most cases it is hard for anyone to assess whether the security is sufficient (or excessive). SDLC easily degenerates into a formality, especially under high time pressure and with insufficient expertise.
Enhance WEB application security by enhancing Application Awareness and continuous monitoring
The core idea is to introduce security-related SDKs or plugins during development. These plugins or SDKs give the application security functions by default and let security staff continuously monitor and respond to the application (reaching into the application's runtime).
A key technology behind this idea is what Gartner now calls RASP, short for Runtime Application Self-Protection: by embedding into the application code, the application becomes able to perceive threats and protect itself against them, and a RASP can generally be integrated with other security products. Gartner placed this definition in the On the Rise phase of the Hype Cycle for Application Security, 2014 (a new technology that is attracting attention but has not been widely verified and accepted). As early as 2012 Gartner had published Runtime Application Self-Protection: A Must-Have, Emerging Security Technology, predicting that by 2017, 25% of applications would have this capability. Many vendors have launched products, and the open-source community has implementations too:
HP: HP Application Defender
Prevoty: Prevoty Runtime Application Security
Waratek: Application Security for Java
OWASP: AppSensor is an open-source solution.
Shadow Daemon: shadowd is an open-source solution.
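To make the contrast between the two approaches concrete, the signature-based tool of the "Use tools" section and the runtime hook of this RASP section, here is an added example that is not from the original post, from Gartner, or from any of the vendors listed above. The one-rule WAF signature, the `SqlRasp` class, the in-memory SQLite table and the four request values are all constructed for illustration; substring matching of request values stands in for the taint tracking a real RASP uses to know exactly which bytes came from the request.

```python
import re
import sqlite3

# --- What a WAF sees: the raw request parameter, matched against a signature ---
# One hypothetical rule from a feature library: "union", whitespace, "select".
WAF_SIGNATURES = [re.compile(r"union\s+select", re.IGNORECASE)]


def waf_blocks(param_value):
    """True if any signature matches the raw request value."""
    return any(sig.search(param_value) for sig in WAF_SIGNATURES)


# --- What a RASP hook sees: the final SQL statement, inside the application ---
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<op>[<>=!]=|<>|[-+*/%(),;=<>.])
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)
KEYWORDS = {"select", "from", "where", "and", "or", "not", "union", "like", "in", "is", "null"}


def token_kinds(sql):
    """Token-kind sequence of a statement (whitespace dropped, keywords told apart from identifiers)."""
    kinds = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "ident" and m.group().lower() in KEYWORDS:
            kind = "keyword"
        kinds.append(kind)
    return kinds


def input_changes_structure(sql, value, placeholder="0"):
    """True if the request value appears verbatim in the SQL and swapping it for a neutral
    literal changes the token structure: the input acted as SQL code rather than as data."""
    if not value or value not in sql:
        return False
    return token_kinds(sql) != token_kinds(sql.replace(value, placeholder))


class SqlRasp:
    """Hypothetical RASP hook: wraps a sqlite3 connection and checks every statement
    against the current request's values before it reaches the database."""

    def __init__(self, conn):
        self.conn = conn
        self.request_values = ()

    def bind_request(self, values):
        self.request_values = tuple(str(v) for v in values)

    def execute(self, sql, params=()):
        for v in self.request_values:
            if input_changes_structure(sql, v):
                raise PermissionError("RASP: request value %r changed the SQL structure" % v)
        return self.conn.execute(sql, params)


def run_case(rasp, value):
    """The same vulnerable handler (string concatenation) judged two ways.
    Returns (waf_verdict, rasp_verdict) for one request value."""
    waf = "blocked" if waf_blocks(value) else "allowed"
    rasp.bind_request([value])
    try:
        rasp.execute("SELECT name FROM users WHERE name = '%s'" % value).fetchall()
        app = "allowed"
    except PermissionError:
        app = "blocked"
    return waf, app


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s1"), (2, "bob", "s2")])
    rasp = SqlRasp(conn)
    cases = {  # constructed request values, not real traffic
        "benign": "alice",
        "benign_looks_hostile": "the union select committee",                  # WAF false positive
        "textbook_injection": "' UNION SELECT secret FROM users--",            # both catch it
        "injection_evading_signature": "' UNION/**/SELECT secret FROM users--",  # WAF false negative
    }
    return {name: run_case(rasp, v) for name, v in cases.items()}


if __name__ == "__main__":
    for name, (waf, app) in demo().items():
        print("%-30s WAF: %-8s RASP: %s" % (name, waf, app))
```

The four rows of `demo()` are the whole argument of this article in miniature: the signature blocks a harmless search string and misses the same attack with a comment inserted between the two keywords, because it only ever sees the request; the hook inside the application sees the statement about to run and judges whether the input changed its structure, so the benign string passes and both injections are stopped. The hook also has its own failure modes, which a reader can probe by feeding `run_case` a short value such as `=` that legitimately occurs elsewhere in the statement.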