Assessing the Security of Your Web Applications
Web sites are moving away from static HTML to dynamic interactive web applications. It is the dynamic, interactive web application that is making the Internet the universal medium. Web applications bring a new level of risk to web sites. Security of these web applications is paramount to the security of the site.
Awareness of security threats from the Internet is increasing the adoption of secure technologies. Deploying firewalls is a standard first step adopted by many organizations. Firewalls protect against many attacks on the network and system infrastructure. In addition, some firewalls provide filtering capability and contain inbound malicious Java and Active-X applications. However, firewalls do little to protect against inbound malicious requests to legitimate applications. Web-based applications are very popular due to the ubiquity of the Internet. Providing access to customer information, user profiles, financial records and health records are common examples of services that web applications can provide. Most often, these applications access a back-end database to serve dynamically generated content to the users. Applications designed without security in mind may result in loss of data integrity, availability, confidentiality and privacy.
Most web application testing can be classified as static or dynamic. Static testing involves manually inspecting the source code and automatically testing for dangerous constructs. On the other hand, dynamic testing involves executing the web application to detect anomalous behavior on unexpected inputs. The focus of this article is on dynamic testing.
Some information seekers think maliciously. Hackers are sometimes able to anticipate inadequacies and the coding practices adopted by programmers. Often, the “speed to market” attitude pushes application developers to overlook standard and secure coding practices. This is especially true in the e-commerce environment, where standard practices such as Change Management are often overlooked. Security is thus usually an afterthought. Often, this results in a vulnerable first release of an application. The process of fixing the vulnerabilities is a fairly expensive one.
Code templates and examples in different development environments provide developers with an approach to implement the desired functionality. These code snippets may not, however, account for application security. The malicious user is sometimes able to identify the development environment just by viewing the HTML code generated by a web application. Comments and some HTML tags can provide information on the development environment. Upon identifying the development environment, a malicious user is able to exploit vulnerabilities where the example or template may have been used.
Another common area for exploitation is the way the application maintains session state information. The HyperText Transport Protocol (HTTP) by itself is stateless. Cookies are commonly used to maintain state information between subsequent HTTP requests. Cookies are simply sets of strings written to the browser by the web application server. They are used to maintain session state, remember passwords and user names, for personalization and configuration features. A malicious user could hijack applications that do not implement strong session controls.
Application vulnerabilities are important because they give access to confidential information such as credit card numbers, account numbers or names and customer lists, without having to break into the web server. The difference between a malicious user and a regular user is intent.
In a recent incident that stunned the on-line community, a hacker posted up to 25,000 stolen credit-card numbers on a public web site (see Resources). These numbers were stolen from the CD Universe web site. The hacker claims to be in possession of more than 300,000 credit card numbers from this site. Further, the hacker claimed that the credit card numbers were compromised due to a flaw in the software used to process credit card transactions. Are you at risk? It depends. You may be at risk if:
You are a large corporation that attracts many users to your corporate web site.
You have just released a statement boasting about the security of your site.
You are completing and releasing a new product in the marketplace.
You are a financial institution.
You are a government organization.
You are a provider of many knowledge-related or data services.
You are an e-commerce site.
If you do not fit any of the above categories, you may still be vulnerable. In the event of a compromise, only your organization's data classification policy and the value of the data lost will determine the extent of the damage. Just last year, the numbers of web site defacements rose over 900% (see Resources). This can result in embarrassment and unnecessary media exposure. Some publicly traded companies have seen their stock value go down as a result of a breach in the security of their web site.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Petros Koutoupis' RapidDisk
- The Italian Army Switches to LibreOffice
- Linux Mint 18
- Oracle vs. Google: Round 2
- The FBI and the Mozilla Foundation Lock Horns over Known Security Hole
- Varnish Software's Varnish Massive Storage Engine
- Privacy and the New Math
- Firefox 46.0 Released
Until recently, IBM’s Power Platform was looked upon as being the system that hosted IBM’s flavor of UNIX and proprietary operating system called IBM i. These servers often are found in medium-size businesses running ERP, CRM and financials for on-premise customers. By enabling the Power platform to run the Linux OS, IBM now has positioned Power to be the platform of choice for those already running Linux that are facing scalability issues, especially customers looking at analytics, big data or cloud computing.
￼Running Linux on IBM’s Power hardware offers some obvious benefits, including improved processing speed and memory bandwidth, inherent security, and simpler deployment and management. But if you look beyond the impressive architecture, you’ll also find an open ecosystem that has given rise to a strong, innovative community, as well as an inventory of system and network management applications that really help leverage the benefits offered by running Linux on Power.Get the Guide