In the early days, attacks focused on network and operating system vulnerabilities. We have seen many such attacks resulting in network unavailability, information disclosure, denial of service, etc. However, such attacks did not provide much direct financial advantage to the attackers.
Now the trend has changed, and most attacks are focused on web applications. Here are my thoughts on why web application attacks are increasing and why we need to improve the web application security posture.
- “Network or operating system” software attacks are becoming difficult: The number of exploitable vulnerabilities at this layer is being reduced to a great extent. Most of these software vendors deploy rigorous testing processes to identify most vulnerabilities even before the software is released. Once the software is released, these vendors release security fixes for any vulnerabilities detected or reported within an acceptable timeframe. This reduces the chance of vulnerabilities being left unaddressed by the operating system vendors. Additionally, the implementation of security controls such as segmentation using firewalls, better patch management, controlled network access, etc. is making it difficult for an attacker to perform an effective penetration.
- Less organized web application development: While operating system software is developed by well-known software vendors, applications, specifically web applications, are developed by not-so-well-known vendors. Because each web application is unique, less focus, in terms of security, is given to web applications. Not every web application development company has a solid security testing team, and thus the application may not undergo proper security reviews; not to forget the freelance web developers sourced over the web. Additionally, the budgetary constraints of a web application development project make it difficult to ensure the security aspects of the web application.
- Bug reporting issues: In the case of widely used software, such as operating systems and some application frameworks, security researchers and end users have both the mechanisms and the interest to report vulnerabilities. However, when it comes to web applications, since most of them are custom built, not many security researchers take an interest in finding vulnerabilities and/or reporting them to the companies. Most of the time, vulnerabilities in web applications are detected and exploited by hackers, and businesses often come to know about them only after a compromise.
- Financial benefits for the hackers: Compromising a web application gives better financial benefit to an attacker. Compromising a card database or an e-commerce application is a financial opportunity and a major incentive.
- Less effort to exploit web applications: Hackers consider exploiting a web application easier than exploiting the underlying operating system. In addition, exploiting a web application offers higher incentives to an attacker.
“A vulnerability in a network will allow a malicious user to exploit a host or an application. A vulnerability in a host will allow a malicious user to exploit a network or an application. A vulnerability in an application will allow a malicious user to exploit a network or a host.” — Carlos Lyons, Corporate Security, Microsoft
So it is now evident that the need for web application security is increasing and requires high attention in the changing world. Some of the key controls to look into include the following:
- Secure application development: Application development should follow a secure development process. The OWASP Top 10 is a very good resource on the top web application vulnerabilities and on how to mitigate them. SDL from Microsoft is a popular security development lifecycle process which can be employed for this purpose.
- Application security assessments: Periodic application security assessments of various types (Whitehat, Greyhat, Blackhat, etc.) should be employed to assess the vulnerabilities. Penetration testing is another way of performing security assessments.
- Deploying a web application firewall: Like network firewalls, organizations should consider deploying web application firewalls, which are primarily focused on protecting against web application attacks.
- Monitoring: Monitoring the logs of web servers and of the related database servers is key to detecting potential web attacks. In many cases, such as the ones at Sony, the attacks were detected only after several months, and thus an effective defence could not be established to protect the information. Having an effective monitoring and incident response function is key for any organization.
- Patch management agreements with vendors: Have contractual agreements with your vendors covering an SLA for security patches.
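To make the monitoring control above concrete, here is an added example (not part of the original post) of simple detection logic run over constructed web server access-log lines. It parses each line, URL-decodes the request path, and flags request patterns that map to common OWASP Top 10 categories; the log lines, IP addresses and signatures are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nginx "combined" style), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 8192 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 200 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:13:56:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields of a "combined" log line that the detector needs: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Illustrative signatures for request patterns that map to OWASP Top 10 categories (injection, traversal, XSS).
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)('|\")\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$|;\s*drop\s"),
    "path_traversal": re.compile(r"\.\./|%2e%2e[/\\]", re.I),
    "xss": re.compile(r"(?i)<\s*script|javascript:|onerror\s*="),
}

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice so payloads hidden behind double URL-encoding are still visible to the signatures.
    rec["decoded_path"] = unquote(unquote(rec["path"]))
    return rec

def classify(line):
    """Return the request summary with the list of signature names that matched (empty if benign)."""
    rec = parse_line(line)
    if rec is None:
        return None
    hits = [name for name, rx in SIGNATURES.items() if rx.search(rec["decoded_path"])]
    return {"ip": rec["ip"], "path": rec["path"], "status": rec["status"], "alerts": hits}

def scan(log_text):
    """Return only the records that triggered at least one signature."""
    return [r for line in log_text.splitlines() if (r := classify(line)) and r["alerts"]]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"{r['ip']} {r['status']} {','.join(r['alerts'])} {r['path']}")
```

Note that a 404 on a traversal attempt is still worth alerting on: the status code tells you the request failed, not that nobody is probing. A real deployment would feed such alerts into the incident response function rather than only printing them.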
To build secure Web applications, a holistic approach to application security is required and security must be applied at all three layers.
Image from Microsoft
To summarize, the number of application-layer attacks is increasing; they bypass the network firewalls and get into your network or databases through the web front door using HTTP or HTTPS (HTTPS makes them more difficult to detect). Conventional security controls such as firewalls and access controls are not sufficient to prevent these attacks. Securing your application involves applying security at three layers: the network layer, the host layer, and the application layer. Additionally, your applications must be designed and built using secure design and development guidelines that follow long-established security principles.