The trinity of trouble
Regardless of the target, motive, or vector, Web attacks seek to exploit the connectivity, complexity, and extensibility of the Internet. A lack of input validation, poorly configured databases, and the priority given to new features over security are what enable attackers to reach sensitive information.
The connectivity of the Internet is both a blessing and a curse. HTTP is allowed through virtually every network firewall, so an attack carried inside an HTTP request arrives over a channel the perimeter has already approved. HTTP is also a very open protocol that frequently carries other formats, such as XML and SOAP, to support Web services, and each embedded format is one more parser exposed to attacker-controlled data. The explosion of Web 2.0 architectures has shattered the traditional network boundaries, making it even more challenging to secure Web input and output.
Underscoring these issues is the fact that many internal databases are now being "Webified" and made accessible to external users. Properly configured databases and careful SQL construction are critical. Developers who are not trained in secure coding put too much trust in user input, typically by splicing it directly into SQL statements instead of passing it as a bound parameter. It is this lack of input validation that enables mass SQL injection bots to attack databases successfully.
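The following is an added example, not code from the original article, showing the two ways of building the login query that the paragraph contrasts. It assumes a hypothetical `users` table in an in-memory SQLite database; the function names, the sample accounts and the attacker's input are all constructed for the illustration. The vulnerable version splices the username into the statement and lets a single quote followed by a comment marker discard the password check; the safe version binds the same input as a parameter, so the quote is just data. An allow-list validator is included as the input-validation layer the article calls for, in addition to parameterization rather than instead of it.

```python
import re
import sqlite3


def setup_db():
    """Constructed sample data: an in-memory database standing in for a
    "Webified" internal database with an admin and an ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Trusts user input: the values are formatted straight into the SQL text.
    Input such as  alice' --  closes the string literal and comments out the
    rest of the WHERE clause, so the password is never compared."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Same query, but the values travel as bound parameters (the ? markers).
    The database engine never parses them as SQL, so the quote and comment
    marker in a hostile username are matched literally and no row is found."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Allow-list validation for the username field (hypothetical policy):
# letters, digits and underscore only, 1 to 32 characters. Rejecting anything
# else at the edge is defense in depth; it does not replace parameterization.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value):
    return bool(_USERNAME_RE.match(value))


if __name__ == "__main__":
    db = setup_db()
    attacker_name = "alice' --"
    print("vulnerable:", login_vulnerable(db, attacker_name, "wrong"))  # admin row
    print("safe:      ", login_safe(db, attacker_name, "wrong"))        # None
    print("validated: ", validate_username(attacker_name))              # False
```

Running the block shows the vulnerable query returning Alice's admin row for a wrong password, while the parameterized query returns nothing for the same input and the validator rejects it outright.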
Finally, the extensibility of Web applications introduces additional vulnerabilities because features are usually prioritized over security. All too often "scope creep" comes into play as new widgets, bells, and whistles are added in the middle of the software development life cycle. These additions should trigger a security review, but this rarely happens. A common complaint heard from Web application security professionals is that adding security to an application already under development is like trying to change a tire on a car that is still moving.
Weathering the attack storm
It is not enough to know about these incidents and risk factors; you must also understand how to protect the integrity of Web applications. If you know a hurricane is approaching, it is irresponsible not to shutter your house. Likewise, if you know Web security incidents are occurring, it is irresponsible not to protect the Web site.
An effective Web security strategy should be able to correlate Web activity to the responsible user and detect abnormal actions. It must also identify poorly coded applications that are not functioning properly or are leaking sensitive information, such as raw database error messages returned to the client. Finally, operations, security, and development teams should be able to conduct proper incident response quickly, using operational data to troubleshoot problems and remediate identified vulnerabilities.
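As an added example of the correlate-and-detect part of that strategy (not code from the article or from any product it mentions), the block below reads a constructed application log in a hypothetical JSON-lines format, one record per request with the authenticated user, client IP, request path, status code and a short excerpt of the response. It ties each finding to the user rather than only to an IP address, flags responses that leak database error text, flags request paths that carry common SQL injection fragments, and counts server errors per user so a burst can be reviewed. The signature lists are deliberately small and would be noisy in production; the log lines, user names and thresholds are all made up for the illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample log (JSON lines). "user" is the authenticated account the
# application attached to the request, or "-" for anonymous traffic.
SAMPLE_LOG = """\
{"ts": "2008-06-01T10:00:01Z", "user": "alice", "ip": "203.0.113.5", "path": "/account?id=42", "status": 200, "excerpt": "Welcome back, alice"}
{"ts": "2008-06-01T10:00:02Z", "user": "mallory", "ip": "198.51.100.9", "path": "/item?id=1'", "status": 500, "excerpt": "You have an error in your SQL syntax; check the manual"}
{"ts": "2008-06-01T10:00:03Z", "user": "mallory", "ip": "198.51.100.9", "path": "/item?id=1 OR 1=1", "status": 200, "excerpt": "<table>...</table>"}
{"ts": "2008-06-01T10:00:04Z", "user": "mallory", "ip": "198.51.100.9", "path": "/item?id=1 UNION SELECT password FROM users", "status": 500, "excerpt": "ORA-00933: SQL command not properly ended"}
{"ts": "2008-06-01T10:00:05Z", "user": "mallory", "ip": "198.51.100.9", "path": "/item?id=1 UNION SELECT username,password FROM users", "status": 200, "excerpt": "<table>...</table>"}
{"ts": "2008-06-01T10:00:06Z", "user": "bob", "ip": "192.0.2.77", "path": "/search?q=shoes", "status": 200, "excerpt": "12 results"}
{"ts": "2008-06-01T10:00:07Z", "user": "bob", "ip": "192.0.2.77", "path": "/search?q=boots", "status": 500, "excerpt": "Internal Server Error"}
"""

# Response text that should never reach a client: a few well-known database
# and runtime error signatures (intentionally short list).
LEAK_PATTERNS = [re.compile(p, re.I) for p in (
    r"error in your SQL syntax",             # MySQL
    r"ORA-\d{5}",                            # Oracle
    r"unclosed quotation mark",              # Microsoft SQL Server
    r"Traceback \(most recent call last\)",  # Python stack trace
)]

# Request fragments typical of SQL injection probing (intentionally short list).
INJECTION_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bunion\b.+\bselect\b",
    r"\bor\b\s+\d+=\d+",
    r"'",
)]


def parse_log(text):
    """Parse JSON-lines records, skipping blank or malformed lines so one bad
    line cannot abort the whole analysis."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def analyze(records, error_threshold=2):
    """Group findings by responsible user. A user is reported if any response
    leaked error text, any request looked like an injection attempt, or the
    user triggered at least error_threshold server errors."""
    per_user = defaultdict(lambda: {"ips": set(), "leaks": [],
                                    "injections": [], "server_errors": 0})
    for r in records:
        u = per_user[r["user"]]
        u["ips"].add(r["ip"])
        for pat in LEAK_PATTERNS:
            if pat.search(r.get("excerpt", "")):
                u["leaks"].append((r["ts"], r["path"], pat.pattern))
                break
        if any(pat.search(r["path"]) for pat in INJECTION_PATTERNS):
            u["injections"].append((r["ts"], r["path"]))
        if 500 <= r["status"] < 600:
            u["server_errors"] += 1
    return {user: f for user, f in per_user.items()
            if f["leaks"] or f["injections"] or f["server_errors"] >= error_threshold}


if __name__ == "__main__":
    for user, f in analyze(parse_log(SAMPLE_LOG)).items():
        print(user, sorted(f["ips"]), "leaks:", len(f["leaks"]),
              "injections:", len(f["injections"]), "5xx:", f["server_errors"])
```

On the sample data only "mallory" is reported: two leaked database error messages (a MySQL syntax error and an Oracle ORA code), four injection-style requests, and two server errors from one IP. Bob's single unexplained 500 stays below the burst threshold and is left for ordinary troubleshooting, which is the distinction between an operational fault and an attack that the article asks the three teams to make quickly.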
Companies that put these strategies in place have a sound basis for assuring themselves that they are running a safe and secure site.
Barnett is a contributor to Network World, an InfoWorld affiliate, and director of application security research for Breach Security; he is also a SANS Institute faculty member, the OWASP ModSecurity Core Rule Set (CRS) project leader, and a member of the Web Application Security Consortium (WASC), where he leads the Distributed Open Proxy Honeypot Project.