• Home
• Topics
• Data and Application Security Management
• Web Application Security
• Securing Web applications with Web application firewalls

Securing Web applications with Web application firewalls

Requires Free Membership to View

Login



SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

Michael S. Mimoso, Editorial Director

• E-mail Address: 

By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

First of all, I'd say that in security it's best not think in terms of options, but to try and combine different alternatives to provide maximum security.

Application firewalls protect the application layer, normally protecting HTTP communications from attacks like SQL or script injection. Be wary of simplistic pattern-based firewalls, as the attacks might be new and not in the database or more likely will be designed not to be easily detected.

The best solution is to constrain a program's input and output only to accept or output expected data. An example of this is to limit the input length, and only allow numbers when accepting numeric data like credit cards or current age. But there are problems with constraining data, as sometimes the data is unexpectedly long (surnames) or will contain illegal characters (passwords).

Before releasing any Web application to the public, it should then be subjected to static and dynamic source code reviews to validate it has been developed correctly. Finally the program language you choose is also important, because filters built into the language will help prevent many common Web-based attacks. It is wise to learn about the protective mechanisms built into your chosen programming language, and make good use of them.

Protection is sometimes provided by frameworks which support multiple languages and sometimes within variations of the same programming language from different vendors. Check online security sites to see the number of vulnerabilities associated with the language.

Unfortunately, even when adequate protection is offered -- such as the various .Net framework validation controls -- few developers seem to use them, probably because they lack awareness or training.

Dig Deeper

This was first published in February 2010

More from Related TechTarget Sites

• Networking UK
• Virtual Data Centre
• Data Management UK
• Security
• Cloud Security
• Security IN

• Networking UK

  • Cisco Live London: 40 and 100 GbE, souped up WLAN

    At Cisco Live London, Cisco launched 40 and 100 GbE switching, a souped-up 4-antenna WLAN access point, and a host of network virtualisation technologies.

  • UK Networkers should gear up for mobility implementations in 2012

    Companies are rethinking legacy tools to take advantage of what users get from having access to data and applications across all kinds of devices, according to TechTarget’s 2012 IT Priorities Survey.

  • Cloud gets vote of confidence from UK buyers in 2012 IT priorities

    The cloud is set to be a key investment area for UK buyers in 2012 with 30.5% of IT buyers pledging to spend on the technology, according to TechTarget’s 2012 IT Priorities Survey.

• Virtual Data Centre

  • SEPA reaps cost savings running Oracle on VMware

    SEPA’s IT team was warned of the complexities of virtualising Oracle database and apps. But strategic design and testing helped it run Oracle on VMware vSphere and reap benefits.

  • London 2012 Olympics: Aim for gold with DR, business continuity plans

    With 80 days to go before the London 2012 Olympic Games begin, IT pros must review and test their contingency, disaster recovery and business continuity strategies.

  • Using automation, self-service provisioning to build a private cloud

    IT pros that recognise cloud computing benefits want to build one behind closed doors. But a private cloud requires automation, self-service provisioning and management planning.

• DataManagement UK

  • Podcast: How to craft an effective MDM strategy

    In this podcast interview, Andy Hayler gives advice on how to create and implement an MDM strategy that is ruthlessly focused on business value.

  • Jill Dyché: CEO big data focus good news and bad news for IT

    Jill Dyché, a data management expert, sees CEO interest and scepticism as both an opportunity and a threat. Avoid the big data 'gotchas', and don't mistake data warehousing for big data.

  • Infostrada teams up with Roambi, mobile sports analytics at Olympics

    Dutch media sports information provider Infostrada has teamed up with mobile BI company Roambi to create an iPhone and iPad app for the Olympics. It will predict medal counts.

• Security

  • PCI Council urges P2P encryption for mobile payments

    A PCI Council guidance document requires merchants to use a validated PIN entry device or secure card reader to accept payments using mobile devices.

  • Steve Lipner on the Microsoft SDL, critical infrastructure protection

    Microsoft’s senior director of security engineering says core SDL principles should be at the foundation of critical infrastructure system protection.

  • Android security model doing best to enable mobile malware spread

    At Information Security Decisions 2012, Dan Guido put the mobile malware focus on the Android security model and Google’s mobile app vetting process.

• Cloud Security

  • Leveraging Microsoft Azure security features for PaaS security

    Organizations can boost PaaS security late in the game by implementing these stopgap measures.

  • Quiz: Understanding cloud-specific security technologies

    Think you understand cloud-specific security technologies as well as expert Joseph Granneman does? Test your knowledge with this quiz.

  • CSA launches cloud security certification initiative for service providers

    Plan calls for working with certification bodies, government agencies, as well as an independent CSA certification.

• Information Security

  • Maltego tutorial - Part 1: Information gathering

    Maltego is a powerful OSINT information gathering tool. Our Maltego tutorial teaches you how to use Maltego for personal reconnaissance of a target.

  • POS terminal security: Best practices for point of sale environments

    Securing point of sale (POS) environments can be tricky. Shobitha Hariharan and Nitin Bhatnagar share comprehensive POS terminal security best practices.

  • Burp Suite Tutorial PDF compendium: WebApp tester’s ready reference

    Our Burp Suite tutorial PDF compendium is a collection of our Burp Suite guides in PDF format made available to you for free offline reference.

• About us
• Contact us
• Site index
• Privacy policy
• Advertisers
• Business partners
• Events
• Media kit
• TechTarget corporate site
• Reprints
• Site map