Webmaster dilemma: having to choose between "easy and quick developments" and security?

« 75% of malicious attacks on the web take place on the application layer (Gartner) »

« ... The evolution of web applications has been characterized by a relatively immature level of security awareness ... (Deloitte and Touche) »

Websites create value. Whether you are an e-merchant, an administration or a car manufacturer, your core values (accounting, supply chain, customer data, business information, ...) are processed, stored and communicated via your internet applications and, more generally, through your IT system. Web applications of course include web sites, as well as internal business-logic applications, intranets, extranets, portals ... It is a fact: more and more companies and administrations tend to 'webize' their IT infrastructure. But there is a flip side: being open brings dangers and threats that are often underestimated ...

Web protocols are not secure

« More than 80% of all malware that emerged in the past year focuses on application-level vulnerabilities (various sources, 2006). »

« In June 2006, 92 SQL injection and 34 cross-site scripting (XSS) new vulnerabilities were recorded in our database (Secunia) »

These real threats result in private data theft, illegal use of your website (for instance to host forbidden content or spam relays), website defacement, e-commerce website abuse, unavailability, ...

Major threats include:
· Cross-site scripting (XSS) - arbitrary code injection into scripts
· SQL injection - reading or modifying databases
· Command injection - unauthorized command execution
· Parameter/form tampering - sending false arguments to the application
· Cookie/header tampering - HTTP fields used to send false values to the web server
· Buffer overflow - overflowing buffer memory
· Directory traversal/forceful browsing - accessing resources outside the application
· 'Attack obfuscation' - attack masquerading, for instance via URL encoding

Well-known security principles are confidentiality, availability, integrity and auditability. The HTTP and HTTPS protocols give poor results on these aspects: web protocols hardly authenticate, and only partly guarantee confidentiality and integrity ... And malicious traffic sent over SSL remains just as illegitimate once your website processes it!

Keep in mind that a URL sent by a browser is a command line to your web server: for instance a URL that generates an SQL command or activates a CGI script.

Finally, web protocols do not impose input validation; this is the major cause of their 'insecurity'!

Coding secure web applications is hard work

« For far too many development professionals, Web application security only consists of producing applications that are functional and stable, not building hacker protection into the code or checking for SQL injection vulnerabilities (Spi Dynamics) »

Web protocols are not secure by default. But web application developers could strongly improve security standards with good coding principles. As M. Andrews and J. Whittaker mention in their Guide to Web Application Security: "If developers only validated their inputs to what they are expecting to be given, rather than attempting to filter for malicious inputs (if at all), then 80-90% of web application vulnerabilities would go away. SQL Injection -- gone, XSS -- gone, parameter tampering -- gone."

Unfortunately, from a software vendor's perspective, launching a new product on time is more important than launching secure(d) software!

The limits of traditional tools

« According to the CSI/FBI 2006 study: 97% of interviewed companies and administrations were using an antivirus, 98% have a network firewall, 69% have intrusion detection systems. However ... 65% of these organisations have undergone a viral or spyware attack, 32% have experienced unauthorized access to their internal data and even 15% have suffered from network intrusions ... »

Network security is not web application security!

The perimeter network firewall cannot block all flows and attacks. Indeed, it usually lets HTTP flows (ports 80 and 443) into the company's network, as they are usually needed for communication with the outside world. As this specific port is open, more and more applications are using this open door, for instance VoIP as well as peer-to-peer. This HTTP port becomes a real toll-free motorway into the internal network. More and more applications (including suspicious ones) are encapsulated in HTTP traffic. This is the "everything over HTTP" phenomenon!

Comprehensive IT security requires a layered approach

« Two very old adages in security are "least privileges" and "defense in depth." The idea is to only give software enough privileges to get the job done, and not to rely on only one security mechanism. (M. Andrews and J. Whittaker, Guide to Web Application Security) »

Although security tools have their limits, they are usually necessary to make the IT security infrastructure stronger.

Security experts refer to IT security infrastructure as "rings of protection". Two very well known and common tools are antivirus and network firewalls. As regards web security, we have seen that web traffic penetrates IT systems with no real opposition. That is why web application firewalls become indispensable. A web application and a web site need their 'bodyguard', as web technologies become increasingly critical and exposed in modern IT infrastructures! In late 2004, a Red Herring journalist mentioned: "Web-app security will be just like anti-virus was 10 years ago. In five years, it will be a must-have."

Conclusion: web application firewalls act when conventional tools show their limits

Web application firewalls are an important building block in every HTTP network. First of all, they protect the most exposed part of your IT assets: the website. Web applications need their [intelligent and self-learning] bodyguard. By bodyguard, we mean a solution which 'understands' the application, taking into account its behavior, which is close to it (i.e. directly on the web server) and can ACT immediately and accordingly (counter-measure). At the same time, it has to be discreet and stick to the business logic. It is the "last rampart", the ultimate protection!
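The Andrews and Whittaker point quoted in the coding section above, validating inputs to what the application expects rather than filtering for malicious ones, is illustrated here in Python. This is added example code written for this page; it is not from the whitepaper, its authors or any vendor product. It assumes a hypothetical product-search endpoint taking `q`, `sort` and `limit` query parameters, and uses a constructed in-memory SQLite table; the parameter names, the allow-list specification and the sample rows are all assumptions. It also carries the validated values through to a parameterized query and HTML output encoding, since validation alone does not decide where the data ends up.

```python
import html
import re
import sqlite3
from urllib.parse import parse_qs


class InvalidInput(ValueError):
    """Raised when a request does not match the expected input shape."""


# Positive (allow-list) specification of the ONLY inputs the hypothetical
# GET /products?q=...&sort=...&limit=... endpoint accepts. Each entry says what
# a well-formed value looks like; nothing here tries to recognise "bad" input.
PARAM_SPEC = {
    "q":     {"pattern": re.compile(r"[A-Za-z0-9 ]{1,40}"), "convert": str, "optional": True},
    "sort":  {"pattern": re.compile(r"name|price"),          "convert": str, "default": "name"},
    "limit": {"pattern": re.compile(r"[1-9][0-9]?|100"),     "convert": int, "default": 10},
}


def validate_query(raw_query):
    """Decode the query string and keep only parameters that match PARAM_SPEC.

    Validation runs on the decoded values (as the application would see them),
    so URL-encoding an unexpected character does not change the outcome.
    """
    decoded = parse_qs(raw_query, keep_blank_values=True)
    unknown = set(decoded) - set(PARAM_SPEC)
    if unknown:  # parameter tampering: names the application never asked for
        raise InvalidInput("unexpected parameter(s): %s" % sorted(unknown))
    clean = {}
    for name, spec in PARAM_SPEC.items():
        values = decoded.get(name)
        if not values:
            if "default" in spec:
                clean[name] = spec["default"]
            elif not spec.get("optional"):
                raise InvalidInput("missing parameter: " + name)
            continue
        if len(values) != 1:
            raise InvalidInput("parameter given more than once: " + name)
        if not spec["pattern"].fullmatch(values[0]):
            raise InvalidInput("parameter does not match expected format: " + name)
        clean[name] = spec["convert"](values[0])
    return clean


def is_rejected(raw_query):
    """True if validate_query refuses this query string."""
    try:
        validate_query(raw_query)
    except InvalidInput:
        return True
    return False


def make_demo_db():
    """Constructed sample data for the example; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO product VALUES (?, ?, ?)",
        [(1, "Widget", 9.99), (2, "Gadget <b>Deluxe</b>", 24.5), (3, "Gizmo", 3.25)],
    )
    return conn


def find_products(conn, params):
    """Run the search with already-validated params.

    Data values are bound as parameters, so they are never parsed as SQL.
    The ORDER BY column cannot be bound, but 'sort' was allow-listed to two
    fixed identifiers, so interpolating it is safe.
    """
    sql = "SELECT id, name, price FROM product"
    args = []
    if "q" in params:
        # q is restricted to letters, digits and spaces, so it cannot carry
        # LIKE wildcards ('%', '_') either.
        sql += " WHERE name LIKE ?"
        args.append("%" + params["q"] + "%")
    sql += " ORDER BY %s LIMIT ?" % params["sort"]
    args.append(params["limit"])
    return conn.execute(sql, args).fetchall()


def render_row(row):
    """Output encoding: database text goes into HTML as text, never as markup."""
    pid, name, price = row
    return "<li>%s (%d): %.2f</li>" % (html.escape(name), pid, price)


def handle_request(raw_query, conn=None):
    """Minimal request handler returning (status, body)."""
    if conn is None:
        conn = make_demo_db()
    try:
        params = validate_query(raw_query)
    except InvalidInput as exc:
        return 400, html.escape(str(exc))
    rows = find_products(conn, params)
    return 200, "<ul>" + "".join(render_row(r) for r in rows) + "</ul>"


if __name__ == "__main__":
    for query in ("q=Gadget", "sort=price", "q=Gadget%27s", "q=Gadget&debug=1"):
        print(query, "->", handle_request(query))
```

Two design points are worth noticing. The validator rejects `q=Gadget%27s` ("Gadget's") not because it looks malicious but because an apostrophe is simply not in the expected shape; if apostrophes are legitimate for this field, the allow-list is widened deliberately, which is the cost the quoted "80-90%" figure glosses over. And the `sort` value is the only user input ever interpolated into the SQL string, which is acceptable solely because it was reduced to two fixed identifiers first; everything else is bound as a parameter.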