He is a well-known security writer with over 10 years of IT experience and 16 years of experience in the financial industry. He is the founder and managing director of Cobweb Applications, a company that provides IT training and data security and analysis support.
Q: We have just finished building a web application. I want to know which security devices are recommended to protect its normal operation.
A: Without a full understanding of the data and systems you want to protect, I cannot give detailed recommendations on the perimeter network and application data security devices you need. What I can offer are some basic steps for preparing a short purchase list of the security features any web application requires.
First, it is very important to classify the data used by the web application. Where will it be stored? How is it accessed and processed? Next, identify and assess the risks to the data and to the systems and applications that process it. This process is called threat modeling and should be carried out during application design. By analyzing the web application from an attacker's perspective, you gain a better understanding of the following questions:
1. How could it be attacked?
2. Why would it be attacked?
3. How can we minimize each identified risk?
This process also helps improve the documentation that identifies and justifies the security requirements of the web application.
The security requirements of the web application must be consistent with the overall security policy of the organization. This organization-wide policy defines how data must be protected to satisfy legal obligations, and it determines how best to protect web applications against each identified threat and reduce the risk to sensitive information. I am very certain that some vulnerabilities can be removed by rewriting the code, logic, and functions of some applications. Such efforts should be supplemented by additional security devices; however, your policies and strategies must be clear about what data you need these devices to protect and what threats you want them to protect against.
After completing the web application, review the devices used to mitigate the threats and check which types of threats each one protects against. Some devices protect against a variety of threats, such as viruses, spyware, and malware. Others focus on a specific threat, such as instant messaging security. Pay close attention to the depth and the methods of the technologies that different vendors apply in one or more security fields. A common problem is that many types of attacks on application data ride inside what look like legitimate client requests and responses. SQL injection is the classic example, which is why traditional perimeter technologies, such as packet filtering firewalls, do not offer sufficient protection.
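To illustrate the point above, here is an added example (not code from the original column) contrasting a layer-4 packet-filter decision, which sees only addresses and ports, with an application-layer fix. The HTTP request, the SQLite table and the filter rule are constructed for this example; the injected value travels inside a perfectly well-formed request, so only the application (here, a parameterized query) can neutralize it.

```python
import sqlite3

# Constructed packet-filter rule: allow any client to reach TCP port 80.
# A layer-4 filter never inspects the HTTP body or query string.
ALLOWED_DST_PORTS = {80}

def packet_filter_allows(dst_port: int) -> bool:
    """Mimics a stateless packet filter: decision based on port only."""
    return dst_port in ALLOWED_DST_PORTS

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample user table, in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' version: string concatenation lets the value alter the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The hardened version: the value is bound as data and cannot change the SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def simulate_request(name_param: str, dst_port: int = 80) -> dict:
    """Run one constructed request through the filter and both query styles."""
    conn = build_demo_db()
    result = {"filter_allowed": packet_filter_allows(dst_port)}
    if result["filter_allowed"]:
        result["vulnerable_rows"] = lookup_vulnerable(conn, name_param)
        result["parameterized_rows"] = lookup_parameterized(conn, name_param)
    conn.close()
    return result

if __name__ == "__main__":
    # A legitimate lookup and a classic injection value, both on port 80.
    print(simulate_request("alice"))
    print(simulate_request("x' OR '1'='1"))
```

The filter allows both requests; the concatenated query returns every user for the second one, while the parameterized query returns nothing, which is the application-layer control the text says perimeter devices cannot substitute for.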
Performance and scalability are two further important considerations. Some security devices are limited by the number of transactions they can scan per hour; others have network restrictions or protect only a narrow set of application protocols. I think the following key questions should be answered when selecting a security device:
1. What goals should it achieve, based on the company-level security policy and its needs?
2. How does it fit into the existing network? Can the current technical staff use it correctly and effectively?
3. What impact does it have on existing devices and users, and what costs will it incur, such as equipment replacement, configuration, and staff training?
4. What additional services does it provide?
Obviously, every device used to protect and process data must be installed correctly. Installation follows a four-step security lifecycle: secure, monitor, test, and improve. This is a continuous process: once one pass is complete, the four steps repeat at a fixed protection interval. Before connecting any device to the production network, make sure it has been hardened, patched, and further configured for security.
During configuration, refer to your own security policies so that the device is configured to perform its intended tasks and to comply with company policy. Since selecting and installing network protection devices takes time, it is very important to run a penetration test to confirm that these devices actually deliver the protection that was planned. By simulating an attack, you can evaluate whether your website still has exploitable vulnerabilities.
Remember to record every change made as a result of the penetration test for future reference, and make sure the configuration is not modified by mistake; in addition, physical and logical access control must be enforced for all network security devices. Relying only on perimeter security devices cannot guarantee application security. You must establish protection at every level: physical, network, and application. By applying the threat modeling process described above, you can secure the web application layer itself; besides making the applications more robust, this also reduces their dependence on perimeter security devices.