To improve the security of WEB applications, you need to use a combination of approaches

Source: Internet
Author: User

Because WEB applications are extremely important to the internal and external operations of many enterprises today, their availability and security are both what customers expect and what they require. Therefore, enterprises should spare no expense on WEB applications. At the same time, the importance of WEB applications also puts a lot of pressure on security experts, because nothing is worse than an attack on, or the destruction of, an enterprise's key websites or applications. Unfortunately, in the race to build applications, many companies put pressure on developers that leaves little room to focus on application security.

This article will discuss how to balance the performance, availability, and security of WEB applications.

Security Policy

Maintaining a forward-looking and proactive approach to WEB application security should be a top priority for IT. If WEB applications are compromised, enterprises often suffer huge losses. For large enterprises, what is lost is not only money but also reputation. Frequent attacks on important WEB applications leave customers and company executives dissatisfied. Whether or not the attacks could have been avoided, IT will often be blamed, although this may not be fair.

When CIOs and CFOs talk about "security", they are often shocked by the high cost. However, enterprises may not need to spend a lot of money to harden WEB applications. To win the battle for WEB security, enterprises need to combine the best methods and tools to solve security problems.

You don't have to hire a senior CISSP to harden your WEB application, or spend too much money. However, it takes time, effort, and negotiation skills to successfully harden enterprise WEB applications (your security concerns and questions may come as a blow to the project manager). When hardening enterprise WEB applications, you need to make comprehensive use of processes, tools, optimization, and best practices. Generally, these policies concern the network, the nature of the applications, the processes, and so on.

The best approach to WEB application security should start at the network layer. Security should be the top priority throughout the entire process, from WEB application development to deployment.

Network: Hiding servers in the DMZ (isolation zone)

If you are a security expert, you may think this method is a little elementary. However, not everyone is a security expert, and even the best security experts are not always alert. Deploying a WEB server in a DMZ does not technically make the WEB application or website itself safer. However, once the WEB server is successfully attacked or compromised, this method protects the rest of the infrastructure from attack.

If an enterprise website or WEB application sits on its own server, the perimeter defenses are scanned many times every day. You cannot prevent attackers from detecting externally open services, but you can make it difficult for an attacker who compromises a WEB server to cause greater harm. The purpose of putting externally facing WEB servers in a DMZ is to confine an attacker to a small area; after a server is conquered, this limits the damage. For example, if all incoming connections are forwarded into the internal network, an attacker who successfully exploits an unpatched vulnerability or uses SQL injection to escalate privileges gains unrestricted access to the internal network.

Network: Review firewall rules

One of the simplest ways to reduce attacks on WEB applications is to drop all connections to ports on the WEB server group that are not needed. If you are exposing a WEB application, there is no reason to allow RDP to the WEB server, or to allow ICMP. Other TCP/UDP services on the WEB server may be needed for testing or diagnostics, but apart from TCP port 80 or port 443, there is no reason to allow any inbound connection to the WEB server. Security administrators should regularly check firewall rules for anomalies; this is especially important when several people in the enterprise manage the firewall.
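As an added example (not part of the original article), the following script reviews an inbound rule set against the policy just described: only TCP 80 and 443 may be allowed in, ICMP and RDP are findings, and an ALLOW rule with no comment is reported because it cannot be traced to a change. The Rule structure and SAMPLE_RULES are constructed for this example and do not follow any particular firewall's export format.

```python
"""Audit inbound firewall rules for a web server group (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOWED_INBOUND = {("tcp", 80), ("tcp", 443)}  # the only permitted public services


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "drop"
    direction: str       # "in" (toward the web servers) or "out"
    proto: str           # "tcp", "udp" or "icmp"
    port: Optional[int]  # None for protocols without ports (icmp)
    source: str          # remote side, CIDR notation
    comment: str = ""    # who added the rule and why


def audit_inbound_rules(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) pairs for inbound ALLOW rules that break the policy."""
    findings = []
    for r in rules:
        if r.direction != "in" or r.action != "allow":
            continue  # drops and egress rules are outside this check
        if r.proto == "icmp":
            findings.append((r, "ICMP allowed inbound"))
        elif (r.proto, r.port) not in ALLOWED_INBOUND:
            findings.append((r, f"{r.proto}/{r.port} allowed inbound; only tcp/80 and tcp/443 are permitted"))
        elif not r.comment:
            findings.append((r, "undocumented ALLOW rule; cannot be traced to a change"))
    return findings


# Constructed sample rule set: a public web tier with two leftovers from debugging.
SAMPLE_RULES = [
    Rule("allow", "in", "tcp", 443, "0.0.0.0/0", "public HTTPS"),
    Rule("allow", "in", "tcp", 80, "0.0.0.0/0", ""),                    # no change record
    Rule("allow", "in", "tcp", 3389, "0.0.0.0/0", "temp RDP for ops"),  # RDP exposed
    Rule("allow", "in", "icmp", None, "0.0.0.0/0", "ping monitoring"),  # ICMP exposed
    Rule("drop", "in", "tcp", 22, "0.0.0.0/0", "SSH blocked at perimeter"),
    Rule("allow", "out", "tcp", 1433, "10.0.0.0/8", "SQL to internal DB"),
]

if __name__ == "__main__":
    for rule, reason in audit_inbound_rules(SAMPLE_RULES):
        print(f"{reason}: {rule}")
```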

Tools: front-end protection

If you want to protect internal WEB applications, you generally do not need a WEB application firewall. However, large enterprises often have WEB applications facing the outside world, and if these applications have problems, the enterprise will lose a lot of money. Such enterprises therefore need a WEB application firewall very much.

Undoubtedly, an application developed on the principle of prudence should not require WAF-level protection. However, sometimes WEB developers do not validate user input, and the biggest enemy is the developer himself. In addition, from a coding perspective, WEB developers cannot protect WEB applications from persistent DoS attacks. Although we may blame developers for being careless when an application suffers a SQL injection attack, is a system administrator who did not correctly harden the WEB server and did not patch it in time not also responsible? When a problem occurs, it does not make much sense to ask whose error caused the vulnerability. The key point is that a WEB application firewall is of great significance for protecting WEB applications from a wide range of attacks and exploits. The most fundamental problem is to prevent vulnerabilities from being exploited. Enterprises need to determine whether the risk of not deploying a WEB application firewall exceeds the benefits.

Application: harden WEB Servers

Vulnerable WEB applications expose enterprises to unnecessary risks. Deploying a WEB server on Linux rather than Windows may be more secure, but an incorrectly configured Apache deployment is as vulnerable as an incorrectly configured IIS. The same reasoning applies to the underlying operating system.

In fact, if you harden only the WEB server itself but not the underlying operating system, you will not cover all the vulnerabilities through which WEB applications are attacked. Just as enterprises should filter out all unnecessary protocols at the firewall, removing system services that the WEB application does not need is also important.

For example, a default deployment of Windows Server 2008 runs 50 services, while a default deployment of Windows Server Core runs only 36. Although IIS adds a small number of services, simply optimizing how the WEB server is deployed can greatly reduce the attack surface of WEB applications. Of course, on Linux, disabling unnecessary running processes to harden the underlying operating system achieves the same goal. Removing unnecessary services from the server is the easiest way to improve WEB application security.

Tools: use vulnerability scanners frequently

No matter how strict the enterprise's change control process is, the natural flow of business (whether controlled or not) will generate new vulnerabilities. These vulnerabilities may result from firewall changes, updates to the WEB application or the underlying operating system, newly discovered zero-day vulnerabilities, or misconfiguration.

The cause of a new vulnerability is not the important part; what matters most is discovering and fixing the security problem. Unfortunately, you cannot rely on a security expert, or even a security team, to discover every vulnerability in the WEB application environment. Once a WEB application is in production, the responsibility for discovering new vulnerabilities should be handed to an automated tool that proactively finds security problems and raises alerts when they occur.

There is no substitute for a sound vulnerability scanner, and since it is cheap and easy to deploy, there is no reason not to use one.

Application: understand the default configuration and security environment of the application

From the network and operating system point of view, many problems put WEB servers at risk. However, one of the worst things administrators do is deploy a product such as IIS and then consider the job "finished". Securing IIS is an arduous task. However, to make a WEB application a hard target, you do not have to become an IIS authority. You only need to understand which of the WEB application server's default settings increase risk, and how to fix them quickly.

Attackers are very familiar with IIS, so they know that the default IIS site is stored in the C:\inetpub\wwwroot directory. In IIS, WEB applications run in application pools, which isolate applications for better security. However, attackers know that the default application pool runs under the Network Service account, whose rights exceed those a user would grant to the application pool. Therefore, disabling the default configuration and creating a new application pool under a new, locked-down account is the simplest and most effective security advice. Attackers also know that, by default, the application pool runs under the iUSR_Host_Name account. If an attacker can discover the WEB server's host name, they know the account name, and can then lock out the iUSR account and compromise the WEB server by sending forged authentication requests.

Administrators should do many things to secure an IIS server, but leaving the WEB server's default settings in place is a security problem that is very easy to avoid.

Process: attend design meetings

Technology cannot solve every security problem by itself; other work is still needed.

Some developers may feel that security is not a top priority when developing applications. This does not mean that developers do not care about security, but tight schedules and limited resources may prevent them from giving it the attention it deserves. In addition, some developers may lack the knowledge required for secure programming.

For example, security experts know that when developers use dynamic queries in WEB applications without sanitizing user input, the application is at risk of SQL injection. A security expert who asks at a WEB application design meeting will find that almost all developers prefer dynamic queries for reasons of execution speed. However, by using stored procedures or parameterized queries, developers can prevent attackers from distorting query results. If you cannot make suggestions, you cannot influence key design decisions, and you will have no significant impact on the security of the final product.
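To make the design-meeting argument concrete, here is an added example (not from the original article) that puts a dynamic query beside its parameterized replacement on an in-memory SQLite table constructed for the purpose. The dynamic version returns every row when a single quote is smuggled into the username; the parameterized version binds the same value as data and returns nothing.

```python
"""Dynamic query versus parameterized query (constructed example, SQLite)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_dynamic(conn: sqlite3.Connection, username: str):
    # VULNERABLE: the user-controlled value becomes part of the SQL text,
    # so a quote in the input changes the meaning of the statement.
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str):
    # SAFE: the driver binds the value as data; it is never parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A value that closes the string literal and turns the WHERE clause into
    # a condition that is true for every row.
    hostile = "x' OR '1'='1"
    print(lookup_dynamic(conn, "alice"))        # one row
    print(lookup_dynamic(conn, hostile))        # both rows: the query was distorted
    print(lookup_parameterized(conn, hostile))  # no rows: treated as a literal username
```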

Another problem that security experts should address during the design stage is the data validation to be built into the WEB application. Improper data validation opens the door to SQL injection and cross-site scripting attacks. A WEB application should not allow users to enter a URL pointing to a malicious script in a field. Likewise, a WEB application should not allow users to enter SQL commands in a field that is supposed to hold a phone number.

Most developers know that, when it comes to data validation, the primary rule is never to trust user input. However, data validation is not the only issue security experts should address at the WEB application design meeting; "data sanitization" must also be addressed. For example, in most cases users should not be able to enter data wrapped in HTML tags in a field. In a WEB form that captures basic user information, is there any reasonable reason to store HTML tags when writing a string value to the database?

Here a judgment call is needed: if some fields of the WEB application in question require HTML tags to build a better-looking list, then for business reasons HTML must be processed in some instances. However, such a WEB application should also enforce a security policy that prohibits potentially destructive HTML. Handled this way at the design stage, such a WEB application provides a good example of how a security expert or security-aware developer can have a major impact on the final WEB application product.
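The validation and sanitization points of the last three paragraphs, as one added example that is not part of the original article: a phone field and a URL field accept only what they are supposed to hold, and the one field that legitimately needs HTML keeps a small allow-list of formatting tags while script blocks, attributes and unknown tags are dropped. Standard library only; the tag set and sample inputs are assumptions made for this example.

```python
"""Allow-list validation and HTML "disinfection" for form fields (constructed example)."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

PHONE_RE = re.compile(r"\+?[0-9][0-9 ()-]{6,19}")
ALLOWED_TAGS = {"b", "i", "p", "br", "ul", "ol", "li"}  # kept; attributes stripped
DROP_WITH_CONTENT = {"script", "style"}                # tag and its text removed


def validate_phone(value: str) -> bool:
    """Digits, spaces, brackets and dashes only: no quotes, no SQL, no tags."""
    return PHONE_RE.fullmatch(value.strip()) is not None


def validate_url(value: str) -> bool:
    """Absolute http(s) URLs only; rejects javascript:, data: and bare text."""
    parts = urlsplit(value.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


class _AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are never copied

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is re-escaped


def sanitize_html(fragment: str) -> str:
    """Return the fragment with only allow-listed tags and escaped text."""
    parser = _AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```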

Process: the security team and the quality assurance team should work closely together

In some cases it is unlikely, or unacceptable, to have security experts embedded in the development team during the development of a new WEB application. However, a well-managed development project must ensure that a quality assurance specialist is in the room with the developers.

Ideally, the security and quality assurance teams should work closely together when a new WEB application is tested. The reason is simple: the quality assurance team usually has little or no background in application security concepts. Therefore, when it works with a development team that does not follow security best practices, the most likely product is an exposed application.

The best and only opportunity to change this is to bring the security team, or at least one security expert, together with the quality assurance team when a public beta of the new WEB application is released. If you work in a small or medium-sized enterprise, the development team may be the quality assurance team, or the enterprise may outsource application development.

In any case, security experts must be able to explain how specific SQL injection, XSS, or LFI/RFI attacks work. This brings great value to the development process.

The ultimate goal is to deploy a stable and secure WEB application. Therefore, from a security perspective, the thinking and actions of security experts can be as important as those of the quality assurance team. This may mean proactively offering quality assurance services, or paying attention to release dates and to when updates to existing products are scheduled for deployment (because new versions require testing). Although a security expert is sometimes not very popular in the development team, the team may later be thankful for help in developing a more stable and secure WEB application. In addition, if you can educate WEB developers on how WEB application vulnerabilities are exploited, it naturally helps to ensure that future software includes features that make WEB applications more robust and secure.

In general, WEB application security is not that difficult. Although the success of many security projects rests in the hands of security experts, implementing robust WEB application security requires the concerted efforts of all parties.

WEB application security should be a process-driven, not a technology-driven, problem, and must always remain so. We cannot protect WEB applications with a firewall or anti-virus software alone. Just like any other software that goes through a development lifecycle, we should use a predictable and structured method to secure the WEB application process. Securing WEB applications sometimes takes a lot of time and effort, but compared with the huge cost of not making that effort, it is completely worth it.
