COLUMN

IT pros can detect, prevent website vulnerabilities, thwart attacks

By Eric Ogren
03 Jun 2009 | SearchSecurity.co.UK


IT is left to its own ingenuity to weave diverse products into a Web security protection scheme. Security practitioners have to categorize externally facing websites and then make security investment decisions among technologies such as vulnerability scanners, penetration testing, Web application firewalls (WAFs), source code scanning and security development lifecycle (SDL) investment. There is no single best practice for protecting websites, which is a worrisome state for businesses and helps explain why security vendors report that most attacks reach browsers through infected webpages.

Companies that invest in finding and patching website vulnerabilities are ahead of the game. White Hat, a Web application scanning service vendor, reports that 63% of websites have a high, critical or urgent security issue. There are few more important interfaces between a business and its customers and supply chain, yet websites are now the leading targets for attacks such as cross-site scripting (XSS). White Hat's research into website vulnerabilities shows that security is a vexing issue that security vendors struggle to contain.

In time, vendors will integrate their offerings into a cohesive set of security tools for IT. For instance, the day will come when source code passes through SDL tests that produce a parameter description (the inputs each page accepts and what they may contain) which a Web application firewall can consume to tune its rules. Meanwhile, security teams need to use a variety of mechanisms to control the security profile of their websites.

Vulnerability scanning. Website vulnerability scanners discover websites and scan them for known vulnerabilities. The list of discovered vulnerabilities feeds software maintenance teams, can help tune Web application firewalls and gives IT an objective measurement of the security health of corporate websites. Website auditing by vulnerability scanning is a core competency every business should have.

Penetration testing. Penetration testing also varies input parameters and request sequences from the browser side, but unlike a scanner, which checks for known vulnerability patterns, a tester looks for weaknesses in the business logic expressed by the application code. Consumer-oriented websites should pass a penetration test before production deployment.

SDL and source code security scanning. Correcting vulnerabilities in the source code is the preferred method when feasible. Approaches that integrate security scanning with source code libraries can help ensure a vulnerability is fixed across all corporate websites. However, beyond the expense of code management systems, businesses are reluctant to invest security maintenance resources in legacy applications, and in many cases the source code is owned by a vendor. White Hat's finding that an XSS vulnerability takes an average of 58 days to fix indicates that source code corrections need to be augmented by other controls while the fix is pending.

Web application firewalls. WAFs are devices residing in the data path between the user and the website to analyze HTTP traffic, block attacks and prevent data leakage. WAFs can be effective at blocking attacks, but they need periodic tuning to stay in sync with the Web application (each new page or parameter, and each bypass that is found, means a rule change), and not all websites merit the expense of a Web application firewall.
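As an added example for the two points above (not code from the column or from any vendor it names), the following Python shows the kind of reflected XSS a source code scanner flags, the fix at the source, and a deliberately small signature filter standing in for a WAF rule set. The handler names, the rule lists and the payloads are all constructed for this illustration. It shows why the source fix is the preferred control and why a signature-based WAF needs tuning: a URL-encoded payload slips past a filter that inspects raw bytes without decoding, an event-handler payload slips past rules that only look for script tags, and the rule added to catch it starts blocking benign input.

```python
# Added example (not from the column): a reflected-XSS defect, its fix at
# the source, and a hypothetical signature filter standing in for WAF rules.
import html
import re
from typing import List, Pattern
from urllib.parse import unquote


def render_search_vulnerable(query: str) -> str:
    """The defect a source code scanner reports: untrusted input is copied
    verbatim into an HTML body context (reflected XSS)."""
    return "<p>Results for: " + query + "</p>"


def render_search_fixed(query: str) -> str:
    """The source fix: encode untrusted input for the context it lands in.
    html.escape covers an HTML body context (ampersand, angle brackets and
    both quote characters); attribute, URL and JavaScript contexts need
    their own encoders."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


# Hypothetical WAF rule set as first deployed: script tags and javascript: URLs.
INITIAL_RULES: List[Pattern[str]] = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
]

# The same rule set after one tuning round, once an event-handler bypass was seen.
TUNED_RULES: List[Pattern[str]] = INITIAL_RULES + [
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
]


def waf_blocks(raw_param: str, rules: List[Pattern[str]],
               decode_first: bool = True) -> bool:
    """True if any rule matches. A WAF that inspects the wire bytes without
    URL-decoding misses percent-encoded payloads, so normalisation is part
    of the tuning as much as the signatures are."""
    text = unquote(raw_param) if decode_first else raw_param
    return any(rule.search(text) for rule in rules)


def missed_by_waf(payloads: List[str], rules: List[Pattern[str]],
                  decode_first: bool = True) -> List[str]:
    """Payloads the rules let through that the vulnerable page still renders
    unencoded, i.e. whose output differs from what the fixed handler emits."""
    missed = []
    for p in payloads:
        decoded = unquote(p)
        if (not waf_blocks(p, rules, decode_first)
                and render_search_vulnerable(decoded) != render_search_fixed(decoded)):
            missed.append(p)
    return missed


# Constructed payloads for the demonstration, not from any real incident.
PAYLOADS = [
    "<script>alert(1)</script>",
    "%3Cscript%3Ealert(1)%3C%2Fscript%3E",   # same thing, URL-encoded
    '<img src=x onerror="alert(1)">',        # no <script>, no javascript:
    "plain search text",                     # benign
]

if __name__ == "__main__":
    print("raw-bytes WAF misses:  ", missed_by_waf(PAYLOADS, INITIAL_RULES, decode_first=False))
    print("decoding WAF misses:   ", missed_by_waf(PAYLOADS, INITIAL_RULES))
    print("tuned WAF misses:      ", missed_by_waf(PAYLOADS, TUNED_RULES))
    print("tuned rule also blocks:", waf_blocks("one=1", TUNED_RULES))  # false positive
    print("source fix covers all: ", [render_search_fixed(unquote(p)) for p in PAYLOADS])
```

The fixed handler neutralises every payload in the list without knowing any of them, which is the argument for fixing at the source. The WAF side needs two tuning steps just for this list (decode before matching, add an event-handler rule), and the added rule also blocks a harmless query such as `one=1`, which is the false-positive cost that makes periodic tuning a standing task rather than a one-off.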

Browsers. The most popular browsers have features designed to reduce the risk of XSS attacks. Be sure end users of Microsoft IE8 are running the XSS Filter; note that it targets reflected XSS, where the payload arrives in the request, and gives no protection against stored XSS. Mozilla Firefox's XSS Me add-on is a tester's tool that submits XSS strings into a site's forms, not an end-user defense, so it belongs in the penetration testing toolkit rather than on users' desktops.

Application whitelists. IT can record the configuration of an approved website, and application whitelisting can then detect and block unauthorized changes to the server environment.

Categorize all Web servers according to business risk. There will not be enough money budgeted to apply all of the above methods to every website. Prioritize websites by importance to the business, susceptibility to website vulnerabilities (e.g. application complexity) and the practicality of each security technology for that site.

Four leaf clovers. (Only slightly tongue-in-cheek.) Assume all websites are vulnerable and will be exploited. Put processes in place to detect the presence of malicious code, to limit the damage of a successful attack, and plan in advance what to do in the event of a breach. A little luck is always a good thing ;).
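The following Python, added here as an example and not from the column, implements the approved-configuration baseline behind the application whitelist point and the "assume it will be exploited" detection of the last point: it records a SHA-256 manifest of a web root and reports files that were added, removed or modified since the baseline, which is how an injected iframe or a dropped script shows up on a server that was previously approved. The web root, its files and the simulated tampering are constructed inline; `build_manifest`, `diff_manifest` and `simulate_compromise` are hypothetical names.

```python
# Added example (not from the column): hash-manifest baseline for a web root.
import hashlib
import os
import tempfile
from typing import Dict, List, Sequence


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, exclude_dirs: Sequence[str] = ()) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256.
    exclude_dirs lists relative directories that legitimately change at
    runtime (upload folders, logs); hashing those only produces noise."""
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        # Prune excluded directories in place so os.walk does not descend.
        dirnames[:] = [d for d in dirnames
                       if (d if rel_dir == "." else rel_dir + "/" + d) not in exclude_dirs]
        for name in filenames:
            rel = name if rel_dir == "." else rel_dir + "/" + name
            manifest[rel] = _sha256_file(os.path.join(dirpath, name))
    return manifest


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift against the approved baseline. Any non-empty list is
    an unauthorized change unless it matches an approved deployment."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def simulate_compromise() -> Dict[str, List[str]]:
    """Constructed scenario: baseline an approved site, then tamper with it
    the way a drive-by infection does (hidden iframe injected into a page,
    new script dropped next to the real ones) and report the drift."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", "<html><body>Welcome</body></html>")
        _write(root, "js/app.js", "console.log('app');")
        _write(root, "uploads/avatar1.png", "png-bytes-placeholder")
        baseline = build_manifest(root, exclude_dirs=["uploads"])

        # Legitimate runtime activity in an excluded directory: no alert.
        _write(root, "uploads/avatar2.png", "png-bytes-placeholder")
        # Tampering: injected hidden iframe and a dropped file outside uploads.
        _write(root, "index.html",
               '<html><body>Welcome<iframe src="http://evil.example/" '
               'width="0" height="0"></iframe></body></html>')
        _write(root, "js/x.js", "/* constructed placeholder for dropped code */")

        return diff_manifest(baseline, build_manifest(root, exclude_dirs=["uploads"]))


if __name__ == "__main__":
    print(simulate_compromise())
```

Two deployment caveats matter more than the hashing itself. The baseline must be kept off the web server or signed, because an attacker who can write to the web root can just as easily rewrite a manifest stored beside it. And a non-empty result is only useful if it lands in the incident process the last point asks for: run the comparison on a schedule, compare it against the deployment records, and treat anything unexplained as the breach you assumed would happen.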


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
