Web Application Security Best Practices - How to Raise the Bar so Hackers Have to Work Hard to Get Through
As the number of Web sites reaches over 255 million and Internet users reach 2 billion, hackers continue to relentlessly attack at the Web application level. Exploiting SQL Injection, Cross-Site Scripting, Session Hijacking, Weak Passwords, and other vulnerabilities, they seek the low-hanging fruit. No one is spared. Universities, banks, government agencies, e-retail companies, high-tech companies, and social networking sites like Twitter and Facebook have all been victims of repeated attacks. Businesses have lost billions of dollars in these breaches. Hacktivism and cyberterrorism have become common, from the Anonymous group to the Iranian Cyber Army, which has been more active in the last few months.
In spite of these breaches, most corporations are doing very little to secure their Web applications. With network infrastructure now fairly well secured, hackers are going after the weakest link – Web applications. The majority of vulnerabilities continue to be in Web applications. Many of these vulnerabilities have a public exploit, and even when patches are available, most companies still haven’t deployed them.
Although people have good intentions, the seemingly overwhelming task of securing applications causes delay. This is a dangerous game and, in some ways, is analogous to avoiding the doctor while waiting for a heart attack to happen. If you don’t know that high-cholesterol food can kill you, you’ll continue to eat the same diet as before. In the case of Web application security, what you don’t know can really hurt you. In a recent study conducted by the Ponemon Institute, Cenzic, and Barracuda Networks, 72 percent of respondents test less than 10 percent of their Web applications, even though 73 percent admitted that they have been hacked at least once in the last 24 months.
In light of these alarming statistics, I wanted to share some of the best practices around Web application security – partly to build awareness and partly to provide tips so the task seems less daunting. These are all important and not necessarily in any specific order.
1. Know your apps – We find that in a lot of cases companies don’t even know how many Web applications they have or where they are. Taking an inventory of your applications is the most important step. You’d be surprised by how many rogue applications are out there. There are many solutions available to discover your applications.
2. Prioritize your apps – Not all apps are created equal. Once you know what apps you have, you should categorize them as critical (external facing with customer information), serious (external or internal containing some sensitive information), or normal (less exposure). You still need to have a plan to test them all, but categorization allows you to take smaller bites. For example, you can test the most critical applications with a full robust suite of attacks, serious ones with some common attacks, and the normal ones with a basic health check. Bite what you can chew.
3. Build awareness internally – Many of your employees have no clue what Web application security means. There are many resources that provide easily digestible information to the various constituents within a company. In many of the awareness training sessions I have done, I find that most employees in the information security group are at least somewhat knowledgeable about these issues. But, once you go beyond that to developers, Q.A., line of business managers, and executives, the knowledge drops quickly.
4. Bust those myths – As part of the awareness effort, you should help dismantle some of the myths surrounding application security. For example, SSL does not prevent hackers from exploiting your Web vulnerabilities, and neither does a network firewall or IDS. Once people understand this, be aware of the buzzword “compliant vendors.” Many of them are riding the Web application security wave even though their solutions are focused on a completely different set of problems.
5. Create a plan – Remember, if you don’t know where you are going, any road will take you there. The plan (Application Security Blueprint) should consist of your goals (compliance, brand protection, not getting fired, etc.), which apps you want to secure first (hint – critical), how you are going to test them (manual testing, using a managed service provider, using on-premise software, using a cloud solution, etc.), who should be involved in the process on an ongoing basis, and how much it would cost. Having a solid plan can help you justify your costs and make you a hero for protecting the company’s most important information assets.
6. Use a quantitative score for prioritization of vulnerabilities – Assuming you have the budget and you have started testing your applications for vulnerabilities, you will find that almost every application will have hundreds of vulnerabilities. This can be overwhelming and demoralizing, but fret not. If you prioritize these vulnerabilities based on some kind of quantitative score, the task becomes much more manageable for InfoSec and for development. Again, bite what you can chew.
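As an added illustration (not from the article, and not any vendor's method), here is a constructed scoring scheme in Python that combines the application tiers from point 2 (critical / serious / normal) with the quantitative ranking point 6 recommends. The tier weights, severity values, modifiers and sample findings are all assumptions chosen to show the mechanics; a real program would calibrate them against its own risk appetite.

```python
"""Constructed example: rank Web application findings by a quantitative score.

The scoring scheme below is an assumption for illustration, not the article's
or any vendor's method:

    score = severity(vuln class) * weight(app tier) * modifiers

The app tier comes from the article's categorization: critical (external
facing with customer data), serious (some sensitive data), normal (less
exposure). Higher scores are fixed first; the ranked list is then cut into
small batches so a team can "bite what it can chew".
"""
from dataclasses import dataclass

# Tier weights (assumed values).
TIER_WEIGHT = {"critical": 3.0, "serious": 2.0, "normal": 1.0}

# Base severity per vulnerability class on a 1-10 scale (assumed values).
SEVERITY = {
    "sql_injection": 9.0,
    "session_hijacking": 8.0,
    "cross_site_scripting": 6.0,
    "weak_password": 5.0,
    "information_disclosure": 3.0,
}


@dataclass(frozen=True)
class Finding:
    app: str
    tier: str             # critical | serious | normal
    vuln_class: str       # key into SEVERITY
    public_exploit: bool  # exploit code is publicly available
    authenticated: bool   # reachable only after login


def score(f: Finding) -> float:
    """Quantitative score for one finding; higher means fix sooner."""
    base = SEVERITY[f.vuln_class] * TIER_WEIGHT[f.tier]
    if f.public_exploit:
        base *= 1.5   # assumption: a public exploit raises likelihood
    if f.authenticated:
        base *= 0.7   # assumption: post-login only shrinks the exposed surface
    return round(base, 1)


def prioritize(findings):
    """Return findings ordered from highest to lowest score."""
    return sorted(findings, key=score, reverse=True)


def fix_batches(findings, batch_size):
    """Cut the ranked list into fix batches of at most batch_size findings."""
    ranked = prioritize(findings)
    return [ranked[i:i + batch_size] for i in range(0, len(ranked), batch_size)]


# Constructed sample findings (not real applications or results).
SAMPLE_FINDINGS = [
    Finding("store", "critical", "sql_injection", True, False),
    Finding("store", "critical", "cross_site_scripting", False, True),
    Finding("hr-portal", "serious", "session_hijacking", False, False),
    Finding("hr-portal", "serious", "weak_password", True, False),
    Finding("wiki", "normal", "sql_injection", True, False),
    Finding("wiki", "normal", "information_disclosure", False, True),
]


if __name__ == "__main__":
    for batch_no, batch in enumerate(fix_batches(SAMPLE_FINDINGS, 2), start=1):
        print(f"Batch {batch_no}:")
        for f in batch:
            print(f"  {score(f):5.1f}  {f.app:<10} {f.tier:<9} {f.vuln_class}")
```

Note how the ranking is not simply by vulnerability class: the SQL injection in the normal-tier wiki lands below the session hijacking in the serious-tier HR portal, because the tier weight carries the business exposure the article asks you to consider. Whatever scheme you adopt, write the weights down so that InfoSec and development argue about the inputs rather than about individual findings.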
7. Interim protection – Vulnerabilities typically don’t get fixed overnight. With developers already under pressure to get their Web applications out on time, they have to find time for security. Until you fix these vulnerabilities, you have to protect your infrastructure. You can do this by configuring your Web application firewalls for specific vulnerabilities and by removing some functionality if it makes business sense.
8. Don’t forget production applications – Most people focus only on applications that are going through the development lifecycle with new code or changes to an existing application. And yes, it’s important to test those. However, the majority of your apps are already in production and could be seriously vulnerable. You can’t afford to wait for the next set of changes to test for vulnerabilities.
9. Celebrate – If you don’t celebrate your small wins, your team will feel demoralized. After each application you secure with no critical vulnerabilities, celebrate. For passing a compliance audit, celebrate. For doing better than other business units, celebrate. Remember, this is a long trip and you have to enjoy the scenery once in a while.
10. Rinse and repeat – Application security is not a one-time checkbox. It’s a discipline. You have to use a continuous testing process so there’s an ongoing flow and not just a project. There are hundreds of new application vulnerabilities every month. If you don’t follow a continuous process, you will get deeper and deeper in the hole.
Trends show that attacks through Web sites are not going to slow down. Hacking is a lucrative career and Web applications are an easy target. There are many good resources available to help you get started with your initiatives including OWASP, SANS, and many free Webinars. There’s a lot of help available to move you along the process. You need to take that first step. While it will take a while to win the war, you can start winning the battles now. Raise the bar so hackers have to work hard to get through.