
Do You Know Your ABCs of Web Application Security?

Web application security may seem overwhelming, but it shouldn't be. By taking a few precautions, you can protect your organization against hackers.

LulzSec takes a break, Anonymous picks up the slack. Unlike these “hacktivists,” who are not motivated by profit, there are many other hacker organizations hiding in the shadows and hacking away at websites for financial gain. There are also many government-sponsored hackers exploiting security holes to obtain intellectual property or security intelligence. It’s anarchy out there. Hackers are having a field day.

Strategies for Web Application Security

When you go to brick-and-mortar stores you expect security and don’t expect someone to attack you and steal your information. It could happen, but only on very rare occasions, because stores take care of their security issues. Online is different. Retail stores and banks are collecting your information online without enough security. It’s the equivalent of an open invitation to looters in the physical world.

So, what can online businesses do? They have a responsibility to provide adequate security for their web storefronts and to protect their customer information. They need to follow the ABCs of Web Application Security – Assessment of Web applications for vulnerabilities, Blocking of those vulnerabilities until they are fixed, and Correction of those vulnerabilities in the long term. Each of these steps is described below in more detail.

Assess

The first step to solving a problem is to find out what the problem is. In Web application security, you have to know where your security defects (commonly known as “vulnerabilities”) lie. These are defects in your website’s own code. The most common vulnerabilities exploited in recent attacks against Sony, Facebook, Twitter, the Senate, and others were SQL Injection and Cross-Site Scripting (XSS). However, there are many others that can be easily exploited, including Session Management, Cross-Site Request Forgery (CSRF), Application Exception, Password Auto-Complete, Remote File Inclusion, Web Server Configuration, and many more.
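To make the two vulnerability classes named above concrete, here is an added example (not code from the original article) showing each defect beside its remediated form, in Python with an in-memory SQLite table. The table contents, the lookup and greeting functions, and the probe strings are all constructed for illustration; the probe strings are the kind of input an assessment tool sends to detect the defect, and a developer can use the same `demo()` check to confirm the fix actually holds.

```python
import html
import sqlite3


def make_db():
    """Constructed sample user table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob <Admin>")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """SQL Injection: the user-supplied value is spliced into the query text,
    so a quote character in it can change the structure of the query."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_fixed(conn, username):
    """Remediated: the value is bound as a parameter, so the database only
    ever compares it as data and never interprets it as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_greeting_vulnerable(display_name):
    """Cross-Site Scripting: untrusted text is placed into HTML unescaped,
    so markup inside it is rendered by the browser."""
    return f"<p>Welcome, {display_name}</p>"


def render_greeting_fixed(display_name):
    """Remediated: HTML-escape untrusted text before it reaches the page."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def demo():
    """Run both defects and both fixes against constructed probe inputs."""
    conn = make_db()
    # Constructed probe: a tautology that turns the WHERE clause into "always true".
    sqli_probe = "' OR '1'='1"
    # Constructed probe: a harmless script tag used only to show whether markup survives.
    xss_probe = "<script>alert(1)</script>"
    return {
        "sqli_vulnerable": find_user_vulnerable(conn, sqli_probe),  # every user leaks
        "sqli_fixed": find_user_fixed(conn, sqli_probe),            # no such user
        "xss_vulnerable": render_greeting_vulnerable(xss_probe),    # tag is live HTML
        "xss_fixed": render_greeting_fixed(xss_probe),              # tag is inert text
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable lookup returns every row for the probe, while the parameterized version returns nothing because no user is literally named `' OR '1'='1`. The same pattern applies to the other injection-style classes in the list: keep untrusted input as data and let the API, not string concatenation, put it in place.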

There are many ways to find your vulnerabilities, from manual testing to automated scanning tools. While large companies with in-house expertise can use comprehensive software solutions for static and dynamic testing, small businesses with smaller budgets and less expertise might be content with the new cloud-based application security solutions that are easy to use and affordable. Most of these solutions provide detailed information on your security issues, the specific URLs affected, and remediation guidance to help you through the process.

Block

If you have found vulnerabilities in your Web application, the important question is: what next? Very few applications have no vulnerabilities, so the probability of having several is very high. There’s no way you can fix all of them quickly; it can take a few days to a few weeks to fix all your critical defects. But you can’t shut down your store. The first step is to prioritize these vulnerabilities based on some kind of quantitative score, which some of the assessment solutions provide. While you are fixing the critical vulnerabilities, you need to block attackers from getting through and exploiting these holes. That’s where Web Application Firewalls (WAFs) come in. Using the vulnerability information from the Assess step, you can configure your WAF to block attackers until you have fixed the vulnerabilities.
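The following added example (not from the original article or any particular WAF product) shows the Block step as a small pipeline: findings from the Assess step are sorted by a quantitative score, bucketed into severity tiers, and the ones that cannot wait are turned into temporary "virtual patch" rules keyed on the exact URL path and parameter the scanner reported. The findings, the 0-10 score scale, the tier thresholds and the request filter are all constructed assumptions; real WAF rule syntax differs by vendor, and the regexes here are deliberately coarse stopgaps, not a substitute for the fix.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    """One row of a constructed Assess-step report."""
    url_path: str
    parameter: str
    vuln_class: str
    score: float  # assumed 0-10 quantitative score from the scanner


# Constructed findings, shaped like a scanner report (not real results).
FINDINGS = [
    Finding("/search", "q", "Cross-Site Scripting", 6.1),
    Finding("/account/login", "username", "SQL Injection", 9.8),
    Finding("/help", "page", "Remote File Inclusion", 8.4),
    Finding("/account/login", "password", "Password Auto-Complete", 2.0),
]


def severity(score):
    """Bucket a numeric score into fix-order tiers (thresholds are assumed)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(findings):
    """Highest score first: the order in which developers work the Correct queue."""
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Coarse per-class input patterns a virtual patch can reject on the affected
# parameter only. Hypothetical rule set; tune or replace per application.
PATTERNS = {
    "SQL Injection": re.compile(r"['\";]|--|/\*|\b(or|and|union|select)\b", re.I),
    "Cross-Site Scripting": re.compile(r"[<>]|javascript:|on\w+\s*=", re.I),
    "Remote File Inclusion": re.compile(r"^(https?|ftp|php|data):|\.\./", re.I),
}


def build_virtual_patches(findings, tiers=("critical", "high")):
    """Turn findings in the chosen tiers into (path, parameter, pattern) block rules.
    Lower tiers are left to the normal fix cycle rather than filtered."""
    return [
        (f.url_path, f.parameter, PATTERNS[f.vuln_class])
        for f in findings
        if severity(f.score) in tiers and f.vuln_class in PATTERNS
    ]


def should_block(path, params, rules):
    """Decide one request: params maps parameter name -> submitted value.
    A rule fires only on its own path and parameter, keeping false positives narrow."""
    for rule_path, rule_param, pattern in rules:
        if path == rule_path and rule_param in params and pattern.search(params[rule_param]):
            return True
    return False


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{severity(f.score):8} {f.score:4} {f.vuln_class} at {f.url_path}?{f.parameter}")
    rules = build_virtual_patches(FINDINGS)
    print("rules:", [(p, q) for p, q, _ in rules])
    print(should_block("/account/login", {"username": "alice", "password": "x"}, rules))
```

Binding each rule to the reported path and parameter is what makes this a stopgap rather than a blunt instrument: legitimate traffic elsewhere is untouched, and when the Correct step ships the real fix, the rule for that finding is simply retired. Which tiers get a virtual patch is a policy choice; the example patches only critical and high findings so the medium-rated XSS on `/search` would go straight to the developers instead.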

Correct

The ultimate goal of having a solid application security process is to remediate your security defects. Using the detailed remediation help from the Assess step, you can have your developers fix these vulnerabilities. It’s also important to train your entire organization on application security issues.

While the process is pretty straightforward, many small businesses that conduct e-commerce transactions online might be using third-party providers to develop their code or to host their site. The important thing to remember is that even if you are relying on a third party to help you with your website, you are the one responsible for PCI 6.6 compliance and for protecting your customer information. Here are a few tips and questions for dealing with your third-party providers:

- Third-Party Developers: Many businesses outsource their website development to a third party or an individual developer. Find out (ideally before you hire them) what their experience is in application security. Most developers were never trained in secure coding. Even if they are not knowledgeable about application security, they can seek help as long as you make it a requirement for them. It’s not a choice. It’s mandatory.

- Hosting Providers: Most small businesses host their websites with hosting providers and assume that their security issues will be addressed by the hosting provider. Bad assumption. Hosting providers have thin profit margins and provide only the basic amenities. Some might provide network firewalls and Intrusion Detection Systems (IDS) for an extra fee. The key question to ask them is: do you provide a solution for application security? You’ll have to pay a fee, but in the long run it’s well worth it.

- Cloud Providers: As cloud computing goes mainstream, more businesses are finding the cloud an economical option for their Web infrastructure or Web application development tools. Some cloud providers will take care of network security for you while others do not. Most of them do not offer application security as a standard offering. Make sure you ask them what they are responsible for, versus what you are responsible for, in terms of network and application security.

While application security may seem overwhelming, it’s actually not. There are many easy options available and many people ready and willing to help. Hacking has become one of the most lucrative careers, and websites are the lowest-hanging fruit for these hackers to get in and exploit. Just by taking the few precautions described above, you can protect yourself against hackers. It might be a little extra work in the beginning, but the cost of one breach can be huge. Not only do you have to deal with non-compliance issues with PCI 6.6 and other standards, but hacked sites tend to drive customers away forever. Consumers feel comfortable entering their personal information on sites that they feel are secure. Think of it as insurance. A little extra cost per year can save you millions in the long run. With hackers lurking everywhere, it’s a question of when, not if. You can never secure yourself 100 percent, but if you raise the bar, hackers will find someone else to hack into. You don’t have to outrun the bear, just the other guy.

Mandeep Khera is the Chief Marketing Officer at LogLogic. Prior to LogLogic, he was at Cenzic, a Web Application Security software and Cloud company, where he served as the CMO for 8 years. He has more than 25 years of diversified experience in marketing, engineering, business development, sales, customer services, finance and general management for companies such as VeriSign, Hewlett-Packard, Unisys, and many start-ups. You can follow him on Twitter at @appsecurity.