With the explosion of Internet-based commerce, companies are more vulnerable than ever to exploitation. While many different aspects of a corporate network are vulnerable to attack, Web application servers and the transitions they manage are prime targets of criminal hackers. Companies have many weapons in their security arsenal, but traditional testing of security controls, such as firewalls, is no longer sufficient to protect organizations doing business on the Internet. As a value-added reseller (VAR) or security consultant offering application security assessments, you can help your customers stay ahead of this evolving threat.
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By submitting your registration information to SearchSecurityChannel.com you agree to receive email communications from the TechTarget network of sites, and/or third party content providers that have relationships with TechTarget, based on your topic interests and activity, including updates on new content, event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile, unsubscribing via email or by contacting us here
- Your use of SearchSecurityChannel.com is governed by our Terms of Use
- We designed our Privacy Policy to provide you with important disclosures about how we collect and use your registration and other information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.
- If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States.
 |
||||
|
|
|||
|
||||
Application security assessments provide customers with invaluable insight to their state of Web security. By testing a site with the techniques and tools typically used by malicious users, you can provide customers with a list of prioritized vulnerabilities and technical recommendations to remediate them.
While best practice dictates putting databases behind a firewall to minimize the possibility of public access, Web applications require access by the Internet-using public. Traditional technical security controls, such as packet filtering firewalls, always allow traffic; this is a necessary condition for the site to work. Depending on the general architecture and purpose of the site, a user may or may not need to sign into an account prior to accessing the dynamic portion of the site. User logins are helpful by limiting access to parts of the site based on user credentials, but are not fool proof if the application server is flawed.
Over the last few years, techniques to attack Web applications have matured into a sophisticated niche within the hacker community. Knowledge of how HTTP DATA, POSTs and GETs work within form fields, Web proxies and SQL are all part of the knowledge base required to hack applications. Hackers who focus on applications use a permitted channel (tcp/80 and tcp/443) to access the site and bypass the traditional security controls. By manipulating what information goes to the application a hacker can force the application to do almost anything. More troubling is that in manipulating the application, the hacker can use the trusted relationship between the application server and the database to gain inappropriate access to sensitive information found on the site.
To complicate matters further, the security issues associated with Web application servers are beyond the skill set of many traditional network security engineering functions. The security flaws are usually attributed to poor code design within the application's compiled software and cannot be corrected directly. This is where an application security assessment conducted by a qualified VAR or consultant proves useful.
Come back for part two of this series where we'll explore the process of conducting a Web application security assessment.
About the author
|
|
|
|
|
|
Adam Rice is a Manager at VeriSign's Global Security Consulting. VeriSign's Global Security Consulting Services help Fortune 500 companies understand corporate security requirements, navigate the maze of diverse regulations, identify security vulnerabilities, defend against and respond to attacks, reduce risk, and meet the security compliance requirements of your business and industry.
Adam has authored several white papers and technical articles on security professional services and emerging threats to the Internet community. He has an extensive background working in security professional services product development and business delivery.
This was first published in October 2006