Many companies are just now beginning to realize the importance of web application security. Some are learning the hard way. Most veteran security professionals are aware of common Unix applications that have been historically vulnerable, such as versions of BIND/DNS, FTP, Sendmail and Apache Web Server. The predominant business applications being deployed in these instances are email and web services. Since these types of applications are employed to purposely facilitate bidirectional communications, most perimeter firewalls are configured to allow data to pass through without much inspection of the payload.
A new wrinkle to this scenario is the use of web services protocols to enable application-to-application exchange of information. Protocols such as Simple Object Access Protocol (SOAP) define a syntax for application-to-application information exchange. SOAP, as currently implemented in most applications, uses HTTP(S) encapsulation to conveniently tunnel through firewalls. Data formats of web services applications are based on Extensible Markup Language (XML). XML is used to define common data formats and the data exchanged between web applications. One security issue with SOAP and XML-based applications is managing the inherent risks of such application networking (www.didata.com/documents/Application_Networks.WP.pdf).
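The payload inspection that a port-based firewall skips for SOAP over HTTP can be sketched as follows. This is an added example, not code from the original article; the `urn:example:orders` namespace, the operation names and the size limit are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
# Hypothetical policy: the (namespace, operation) pairs this service should ever receive.
ALLOWED_OPS = {("urn:example:orders", "GetOrderStatus")}
MAX_BODY = 64 * 1024

def inspect_soap(body: bytes) -> tuple[bool, str]:
    """Decide whether one HTTP POST body carrying SOAP may be forwarded."""
    if len(body) > MAX_BODY:
        return False, "body too large"
    try:
        text = body.decode("utf-8")          # one known encoding, so the checks below see real text
    except UnicodeDecodeError:
        return False, "body is not UTF-8"
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return False, "DTD not permitted"    # no entity definitions reach the parser
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return False, "malformed XML"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP envelope"
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) != 1:
        return False, "expected exactly one operation in Body"
    tag = soap_body[0].tag                   # ElementTree form: "{namespace}localname"
    ns, _, op = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    if (ns, op) not in ALLOWED_OPS:
        return False, f"operation not allowed: {op}"
    return True, f"allowed: {op}"

def envelope(operation: str) -> bytes:
    """Build a constructed sample message (not captured traffic)."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<o:{operation} xmlns:o="urn:example:orders"><o:id>42</o:id>'
            f'</o:{operation}></soap:Body></soap:Envelope>').encode()

if __name__ == "__main__":
    for name in ("GetOrderStatus", "DeleteAllOrders"):
        print(name, inspect_soap(envelope(name)))
```

Both sample requests look identical to a firewall that only sees a POST on port 80 or 443; only a check of the envelope contents tells them apart.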
Application Assessment Tools
Most vulnerability tools only look for vulnerabilities at the network packet level. Vulnerability checks are performed by replicating packet-level exploits. However, such tools, though useful, are not as focused on application-level vulnerabilities such as cross-site scripting, forceful browsing and other related vulnerabilities that are due to application design. Web programmers can increase the value of QA processes by incorporating such a scan before putting web applications into production. Examples of such tools include Sanctum’s AppShield or SPI Dynamics’ WebInspect product. AppShield also claims to scan XML-based applications, an emerging requirement in the application-to-application security environment. Because every web application is different, these scanners have to do website crawls and use dynamic probing algorithms to determine how to attack web applications. Even then, these scanners have to do a lot of repetitive guessing to look for errors and, as a result, are no substitute for a skilled human audit.
A comprehensive application assessment should include a review of the application’s architecture, design and function, its development and maintenance processes, its operational processes, and its technology components, including the platform it runs on, the networking services used, and any database or operating platform services used. The assessment should also include interviews with key managers and staff members responsible for the development, maintenance, deployment, and operations related to the application. Processes and technology should be reviewed to ensure that key application security dependencies are met. Any new security-relevant code in the application and supporting infrastructure services should be reviewed for common errors that can compromise the integrity of production environments when the application is deployed. Such an assessment may include the use of the automated application scanning tools discussed above.
Another method of checking for vulnerabilities is to review application code as part of a code audit. Code audits generally require more expertise and time than simple automated scanning to be of real value. Code audits look for unintended functionality, flaws in code, and known platform vulnerabilities. Such code reviews frequently perform a line-by-line inspection of the programming source code to identify new problems relating to security. In addition, they look for any malicious code that employs helper programs on a user’s hard disk to access unauthorized files and deliver them to the application’s author.
Application code review services are generally offered by specialist boutique security consultancies such as Columbia, Maryland-based Aspect Security or mid-tier systems integrators such as Reston, Virginia-based Dimension Data.
Ask anyone who has experienced an email system failure. What many do not realize is the complexity of infrastructure needed for email to function properly. Network and messaging infrastructure components that support and play a crucial role in email include DNS, authentication servers, LDAP databases, web mail servers, mail gateways, and content filtering/antispam filters. This is in addition to traditional network security components such as firewalls, routers and the like.
With too much security processing at the gateway, performance and scalability become issues. With too little security processing, the potential for malicious content becomes an issue. Most security goals fit somewhere in the middle. Unfortunately, current approaches to securing mail applications rely on multiple point products, such as antivirus and content filtering, each with its own management interface. This approach is complex, does not scale, and is costly.
New mail security solutions that take a holistic and comprehensive approach include CipherTrust’s IronMail email security appliance and Borderware’s MXtreme Mail firewall. Designed to run on top of hardened operating systems, such devices recognize that there are many threat vectors for attacks on email infrastructures and protect against them. The appliance approach that these solutions incorporate provides central administration and focuses deeply on email-specific security, providing acceptable ROI that can be spread across the email infrastructure.
Web facing applications
Web-facing applications, whether external or internal, should especially be assessed for any security mistakes that creep into web server configurations or large custom applications. Organizations with outward-facing web applications developed internally should consider using a web application scanner such as Sanctum’s AppScan product, SPI Dynamics’ WebInspect or other similar tools. These scanning tools can be used to validate the integrity of various application elements such as buffer size validation, various data injection vulnerabilities, cookie validation and other programmatic logic constructs within the web application.
OWASP provides a top 10 list of web vulnerabilities, which includes unvalidated parameters, which can lead to unauthorized backend server manipulation, and cross-site scripting flaws, which can lead to unauthorized manipulation of users’ browsers. Many of the vulnerabilities listed can be fixed through proper application design. However, application security expertise is scarce and is often not a priority. Therefore, one approach is to secure applications with a layered security architecture that uses so-called application firewalls. For example, Sanctum’s AppShield or SPI Dynamics’, provides protection to web applications by inspecting web applications for common programmatic errors, design flaws, and unintended functionality. AppShield is normally deployed in front of the web applications as a sort of proxy device. By using a security layer, a time-based strategy for managing risk is employed. This security layer approach prevents intrusions and at the same time buys some time to patch or correct application vulnerabilities.
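The kind of check an application firewall applies in front of an application with unvalidated parameters can be sketched as a positive (allowlist) policy. This is an added example, not code from the original article or from any product named above; the `/account/view` path, the parameter names and the patterns are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical per-URL policy: every accepted parameter and the pattern
# its decoded value must match in full.
POLICY = {
    "/account/view": {
        "id": re.compile(r"[0-9]{1,10}"),
        "lang": re.compile(r"(en|de|fr)"),
    },
}

def check_request(path: str, query: str) -> list[str]:
    """Return the policy violations; an empty list means forward the request."""
    rules = POLICY.get(path)
    if rules is None:
        # Covers forceful browsing to a URL the application never published.
        return [f"path not in policy: {path}"]
    violations, seen = [], set()
    # parse_qsl percent-decodes, so patterns are applied to the value the
    # application itself would see, not to the encoded form.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in rules:
            violations.append(f"unexpected parameter: {name}")
        elif name in seen:
            violations.append(f"duplicate parameter: {name}")
        elif not rules[name].fullmatch(value):
            violations.append(f"bad value for {name}")
        seen.add(name)
    return violations

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("/account/view", "id=42&lang=en"),
        ("/account/view", "id=42%27%20OR%201%3D1"),
        ("/account/view", "id=42&lang=%3Cscript%3E"),
        ("/account/view", "id=1&debug=true"),
        ("/admin/backup", ""),
    ]
    for path, query in samples:
        print(path, query, "->", check_request(path, query) or "forward")
```

Because the policy lists what is allowed rather than what is known to be bad, it keeps rejecting malformed input while the underlying application flaw is still waiting to be fixed.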
About the Author
Keith Pasley, CISSP, is an information security professional with over 20 years of experience in the information technology industry. He has designed security architectures and implemented security strategies for both government and commercial sectors. Pasley has written articles on various security-related subjects.