
APPLICATION SECURITY

Application security assessments, part 1: An opportunity for VARs and consultants


Adam Rice
10.03.2006




With the explosion of Internet-based commerce, companies are more vulnerable than ever to exploitation. While many different aspects of a corporate network are vulnerable to attack, Web application servers and the transactions they manage are prime targets of criminal hackers. Companies have many weapons in their security arsenal, but traditional testing of security controls, such as firewalls, is no longer sufficient to protect organizations doing business on the Internet. As a value-added reseller (VAR) or security consultant offering application security assessments, you can help your customers stay ahead of this evolving threat.

Application security assessments provide customers with invaluable insight into the state of their Web security. By testing a site with the techniques and tools typically used by malicious users, you can provide customers with a prioritized list of vulnerabilities and the technical recommendations needed to remediate them.

While best practice dictates putting databases behind a firewall to minimize the possibility of public access, Web applications must be reachable by the Internet-using public. Traditional technical security controls, such as packet-filtering firewalls, therefore always allow Web traffic through; this is a necessary condition for the site to work. Depending on the general architecture and purpose of the site, a user may or may not need to sign into an account before reaching the dynamic portion of the site. User logins help by limiting access to parts of the site based on user credentials, but they are not foolproof if the application server itself is flawed.

Over the last few years, techniques to attack Web applications have matured into a sophisticated niche within the hacker community. Knowledge of how HTTP data, POSTs and GETs work within form fields, Web proxies and SQL are all part of the knowledge base required to hack applications. Hackers who focus on applications use a permitted channel (tcp/80 and tcp/443) to access the site and bypass the traditional security controls. By manipulating what information goes to the application, a hacker can force the application to do almost anything. More troubling is that in manipulating the application, the hacker can use the trusted relationship between the application server and the database to gain inappropriate access to sensitive information found on the site.
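The input-manipulation point above, as an added Python example that is not part of the original article: a deliberately vulnerable login query built from form-field values sits beside a parameterized version, and a small assessment check submits one malformed field value to each and reports whether the database returned more than a failed login should. The accounts table, its values and the probe string are constructed for the example; an in-memory SQLite database stands in for the site's backend, and the function names are hypothetical.

```python
import sqlite3

# Constructed sample table standing in for the sensitive data a site's database holds
# (hypothetical accounts, not data from any real site).
SAMPLE_ACCOUNTS = [
    ("alice", "s3cret-alice", "alice@example.com"),
    ("bob", "s3cret-bob", "bob@example.com"),
]


def build_db():
    """In-memory SQLite database playing the role of the site's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately flawed: form-field values are spliced straight into the SQL text.

    Whatever the user typed is parsed as SQL and run with the application's own
    database privileges, which is the trust relationship the article describes.
    """
    sql = (
        "SELECT email FROM accounts "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, username, password):
    """Parameterized query: values are bound as data and never interpreted as SQL."""
    sql = "SELECT email FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# The kind of malformed field value an assessment submits through a Web proxy:
# harmless as data, but it changes the statement if it is parsed as SQL.
PROBE_VALUE = "' OR '1'='1"


def assess_login(conn, login_fn):
    """Assessment check: a login with a bogus password must return no records.

    Returns a finding in the style of an assessment report: whether the endpoint
    is injectable and how many records the probe exposed.
    """
    baseline = login_fn(conn, "alice", "wrong-password")
    probed = login_fn(conn, "alice", PROBE_VALUE)
    return {
        "injectable": len(probed) > len(baseline),
        "records_exposed": len(probed),
    }


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, assess_login(db, fn))
```

Run stand-alone, the vulnerable function reports every account's e-mail address for a login that should have failed, while the hardened function reports none; the only difference between the two is whether the field values are bound as parameters. That is the remediation an assessment report would attach to this class of finding.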

To complicate matters further, the security issues associated with Web application servers fall outside the skill set of many traditional network security engineering functions. The security flaws are usually attributable to poor code design within the application's compiled software and cannot be corrected directly by those functions. This is where an application security assessment conducted by a qualified VAR or consultant proves useful.

Come back for part two of this series where we'll explore the process of conducting a Web application security assessment.

About the author
Adam Rice is a Manager at VeriSign's Global Security Consulting. VeriSign's Global Security Consulting Services help Fortune 500 companies understand corporate security requirements, navigate the maze of diverse regulations, identify security vulnerabilities, defend against and respond to attacks, reduce risk, and meet the security compliance requirements of their business and industry.

Adam has authored several white papers and technical articles on security professional services and emerging threats to the Internet community. He has an extensive background working in security professional services product development and business delivery.

