Web Application Security--The Next Evolution: Page 3
Web applications enable companies to conduct business with customers and partners, delivering highly valuable, and often confidential, information across enterprise barriers. However, the value of Internet communications cannot be realized until users have confidence that Internet channels are secure.
by Yuval Ben-Itzhak
Dec 9, 2002
Page 3 of 4
Countermeasures to Application-level Threats
In addition to the standard security devices, such as firewalls and IDSs, any organization with a Web presence must consider the following steps to secure their Web applications and back-end infrastructure from potentially devastating attacks:
Increase Client and Server Security
All servers and connected client workstations should be able to withstand at least the most common types of attacks. All systems need to be configured correctly and the configuration must be reviewed regularly, servers must be physically protected, and the software must be patched to contain as few publicly known vulnerabilities as possible.
Partition the Network
Dividing the network into several smaller security domains increases network security. All traffic between domains should be strictly controlled and potential problems logged. This immediately puts a limit on the maximum amount of damage an attacker can cause and makes it easier both to detect and deal with intrusions.
Strongly Authenticate Users
A company must be able to provide the right information to the right person at the right time in a scalable, manageable, and cost-effective manner. This can be achieved only by forcing users to identify themselves at the point of entry, then managing their visit through privileges.
Implement a Virus Protection Strategy
Recently, blended threats that combine worm attacks with viruses and application exploits have caught many IT security systems off guard, and they likely will only increase in frequency. Therefore, implementing a strategy that not only protects against the delivery of viruses through email but also scans the IT environment and corrects any problems found is important.
Scan Your Web Applications Regularly
The vast majority of existing vulnerability assessment products do not cover application-level security threats. Web application vulnerability scanners are specifically designed to provide organizations with the ability to extend their vulnerability assessment to the critical application layer. Prior to releasing a new or updated Web-based system, the application should be scanned to ensure that poor application design or development doesn't introduce any security holes. This provides a standard by which to measure every application when it is brought online, before it can expose the system to attacks.
On a regular basis (typically once per month) the application should be re-scanned to check for the impact of newly discovered vulnerabilities and to ensure that patches and updates have been properly installed, so that an acceptable level of security is maintained across the application environment.