Web Application Security--The Next Evolution

Web applications enable companies to conduct business with customers and partners, delivering highly valuable, and often confidential, information across enterprise barriers. However, the value of Internet communications cannot be realized until users have confidence that Internet channels are secure.

The Future of Web Applications: Web Services
Today's global Internet environment is a muddled mix of different operating systems, technologies, and protocols—all of which are widely dispersed throughout the world. This mixture creates significant barriers for applications to communicate with each other. Web services technology was created to mitigate these barriers, using XML formats that allow applications to invoke one another's operations. Using SOAP (Simple Object Access Protocol), Web services applications have more flexibility to communicate with one another, which increases the speed and functionality of communication transactions.

Although Web services have the potential to be very powerful for both application developers and users, they also can be a nightmare for security officers and system administrators. Additional security measures need to be in place because the Web services format was designed to bypass existing security measures, to be platform-independent, and to support any application call structure. In the rush to deploy and use Web services technology, companies face the real danger of exposing their systems to costly attacks.

The flexibility found in SOAP and other technologies makes communication among applications easy, but it also allows hackers to intercept and manipulate messages more easily. SOAP messages typically are transparent to firewalls, which helps them move more quickly through the network, but this negates an important element of perimeter protection and could expose unforeseen threats.



Applications continue to become more functional and flexible, which increases their value to business operations, but it also exposes many potential security problems. Progressive companies that look to take advantage of these emerging technologies may gain a significant competitive advantage, but they must be sure to address the accompanying security issues to avoid costly breaches of their information systems.

The Application Layer Security Threat
According to a recent report by Gartner, over 70 percent of Web attacks occur at the application layer. In addition, the FBI estimates that Web application attacks caused more than $300 million in damages in 2000. Hackers no longer need in-depth technical knowledge to gain access to the network or operating system. They simply use browser-based applications as an entry point to corporate information systems.

Operating Systems
Operating systems, like all software products, contain bugs—no matter how mature or well tested they are. Even if patches are applied immediately, local configurations and administrator mistakes may mean they don't solve the problem correctly and that vulnerabilities persist undetected.

Web Servers and Application Development Tools
As with operating systems, Web servers and surrounding development tools have known vulnerabilities and patches that are well publicized. While an operating system is a single entity whose complexity can lead to configuration mistakes, in the case of Web servers and development tools, a single page can be composed of many components. Each page is therefore exposed to multiple security threats because of flaws in the multiple products used.

Network Protocols
The standard Web protocol, IP, was not designed to be secure, and neither were its companion protocols, TCP, UDP, ARP, etc. Anyone who can send packets to the network can target a system for attack. Often such attacks place Trojan horse programs on a system or exploit operating system vulnerabilities to disrupt services.

Application Protocols
HTTP also was not designed to be secure or to handle today's multiplicity of content control and presentation tools, such as HTML, Flash, JScript, and VBScript. Originally designed for hypertext transfer that required non-persistent sessions, this protocol is now being used by business-critical applications that require it to support persistent sessions as part of a true client/server architecture. The solution to keeping session information alive is the use of cookies, which also were not designed to be secure.
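The passage above describes cookies as the session glue bolted onto a stateless protocol without security in mind. As an added example (not part of the original article), the Python below audits a Set-Cookie header value for the attributes that close the common session-cookie weaknesses and builds one the hardened way; the cookie name, the 16-character length threshold and the findings wording are this example's own assumptions.

```python
import secrets
from http.cookies import SimpleCookie

MIN_SESSION_ID_LEN = 16  # assumed threshold for this example


def make_session_cookie(name="SESSIONID"):
    """Return a hardened Set-Cookie header value for a session cookie.

    The session id is an unguessable random token, and the cookie is
    restricted to HTTPS (Secure), hidden from script (HttpOnly) and
    withheld from cross-site requests (SameSite=Strict).
    """
    jar = SimpleCookie()
    jar[name] = secrets.token_urlsafe(32)
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """Return a list of weaknesses found in a Set-Cookie header value.

    Each finding names the cookie and the missing protection so the
    result can be logged or asserted on during a review.
    """
    findings = []
    jar = SimpleCookie()
    jar.load(header_value)
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (may be sent over plain HTTP)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by page script)")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite (sent on cross-site requests)")
        # A short or purely numeric id is a sign of a guessable session token.
        if len(morsel.value) < MIN_SESSION_ID_LEN or morsel.value.isdigit():
            findings.append(f"{name}: session id looks short or predictable")
    return findings


if __name__ == "__main__":
    # Constructed sample of a weak legacy cookie, for comparison.
    weak = "SESSIONID=12345; Path=/"
    print(audit_set_cookie(weak))
    print(audit_set_cookie(make_session_cookie()))
```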

Applications
Contemporary development methodologies do not include security as a deliverable, measurable component of a project. Moreover, most encourage the utilization of existing "proven" modules from other developers, without care for the security implications or previous use of these modules. Often, protocols and industry standard recommendations are sacrificed on the altar of functionality.
