Securing your web applications | ethicalhack3r

Securing your web applications

Posted at 1:03 pm on November 8th, 2009

The World Wide Web and the applications that run on it have come a long way since the invention of HTML by Tim Berners-Lee (British man I might add) in the early 1990s. Back then the World Wide Web was a static web of text, images and hyperlinks. Nowadays we have the privilege (sometimes not) of having whole communities which solely exist in a dynamically evolving cyberspace with wikis, blogs, social networking, video sharing and a lot more. “Web 2.0” would not exist without the complex web applications that run on the millions of web servers across the globe.


So how do we go about securing our web applications?


There are many different ways in which web applications can be made more secure. In this article I am going to cover a few tools and techniques which make this possible.


WAF:
Web Application Firewalls (WAFs) are applications which filter HTTP traffic looking for malicious input which could be used in attacks such as SQL Injection, Cross Site Scripting (XSS), File Inclusion and more.


According to OWASP (Open Web Application Security Project), the important criteria in selecting a WAF are the following:


Very Few False Positives
Strength of Default
Power and Ease of Learn Mode
Types of Vulnerabilities it can prevent
Ability to keep individual users constrained to their current session
Ability to be configured to prevent ANY specific problem
Form Factor: Software vs. Hardware
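To make the "learn mode" and "false positive" criteria above concrete, here is a small added example (my own illustration, not code from OWASP or from any real WAF product): a hypothetical MiniWAF class that first learns, per URL path and parameter, the longest value and the character classes seen in normal traffic, and then in protect mode reports anything that deviates from that profile or matches a short constructed signature list for SQL Injection, XSS and File Inclusion.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed, deliberately small signatures for the attack classes named above.
# A real WAF ships far larger rule sets; these only illustrate the mechanism.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d|--\s|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|on\w+\s*=)"),
    "lfi": re.compile(r"(\.\./|\.\.\\|/etc/passwd|php://)"),
}


class MiniWAF:
    """Hypothetical learn/protect WAF. learn() records a per-parameter profile
    from trusted traffic; inspect() flags signature hits and profile deviations."""

    def __init__(self):
        # (path, parameter name) -> {"max_len": int, "charset": set of classes}
        self.profile = defaultdict(lambda: {"max_len": 0, "charset": set()})

    @staticmethod
    def _classes(value):
        # Coarse character classes keep the profile small and avoid over-fitting.
        return {"digit" if c.isdigit() else "alpha" if c.isalpha() else "other"
                for c in value}

    @staticmethod
    def _params(url):
        parts = urlsplit(url)
        return parts.path, parse_qs(parts.query, keep_blank_values=True)

    def learn(self, url):
        """Learn mode: widen the profile with one request known to be benign."""
        path, params = self._params(url)
        for name, values in params.items():
            p = self.profile[(path, name)]
            for v in values:
                p["max_len"] = max(p["max_len"], len(v))
                p["charset"] |= self._classes(v)

    def inspect(self, url):
        """Protect mode: return (parameter, reason) findings; [] means allowed."""
        path, params = self._params(url)
        findings = []
        for name, values in params.items():
            for v in values:
                findings += [(name, kind) for kind, rx in SIGNATURES.items() if rx.search(v)]
                if (path, name) not in self.profile:   # never seen in learn mode
                    findings.append((name, "unknown-parameter"))
                    continue
                p = self.profile[(path, name)]
                # 2x length slack reduces false positives on slightly longer legit input
                if len(v) > p["max_len"] * 2 or not self._classes(v) <= p["charset"]:
                    findings.append((name, "profile-deviation"))
        return findings
```

Legitimate requests that resemble the learned traffic pass with no findings, while a value that breaks the learned profile is caught even if no signature matches, which is exactly the trade-off between the "few false positives" and "prevent ANY specific problem" criteria.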


Web Application Vulnerability Scanners:
Web Application vulnerability scanners help improve security and minimise the risk of the application being exploited by automatically crawling the site actively looking for vulnerabilities. Once the scan has been completed the web application scanner will produce a report with its findings which a professional information security practitioner should then investigate and patch. These scans should be run on a regular basis.



Updates/Patches:

When using ready-made web applications such as blogs, CMSs, wikis, etc., it pays to keep the application updated to the latest version and patched against the latest bugs. Ready-made web applications are often targeted for their wide deployment. If a SQL Injection vulnerability is found within a bespoke application, it would only affect that particular application. However, if a SQL Injection vulnerability was found in WordPress, for example, it would affect their nearly 8 million version 2.8 users (at the time of writing), including big names such as PlayStation, eBay and others. This is what makes ready-made web applications a bigger target and why it pays to keep software updated and patched.


References:
http://www.rfc-editor.org/rfc/rfc1866.txt
http://www.owasp.org/index.php/Web_Application_Firewall
http://wordpress.org/download/counter/
http://wordpress.org/showcase/
