Web-Application Security: From Reactive to Proactive
John R. Maguire and H. Gilbert Miller, Noblis

Smart IT column, IT Pro, July/August 2010, pp. 7-9. 1520-9202/10/$26.00 © 2010 IEEE. Published by the IEEE Computer Society, computer.org/ITPro.
Image credit: © argus456 | Dreamstime.com

Many organizations bring security to the forefront of Web-applications design only after an incident occurs. The result is generally an expensive, knee-jerk reaction to security problems that might have been avoided with intelligently planned controls.

A Typical Scenario

The typical Web-application development scenario goes something like this: Decision makers see a business opportunity to provide a service via the Web, so they assemble a design team. The team produces a design that reflects the business requirements and passes it to Web developers and programmers, who race to deliver the system on time and within the budget with limited resources. The nearly complete system might then undergo final user-acceptance testing and quality assurance to ensure it meets the stated business requirements. Once the application passes those tests, it's declared complete and is pressed into production as quickly as possible so the organization can realize its gain.

Conspicuously absent in this process is any specific consideration for the application's security. Yet organizations can't afford to let such scenarios persist, particularly in light of the trend of increased attacks made clear in the "Symantec Global Internet Security Threat Report: Trends for 2009" (Symantec white paper, Apr. 2010).

In helping clients assess application-layer vulnerabilities, Noblis has found that organizations often don't protect their applications because they don't fully understand how popular security controls, such as firewalls and vulnerability scanning, relate to the application layer. An analysis based on this incomplete knowledge can't provide an accurate risk assessment.

Solutions and guidelines are readily available, but managers must know what questions to ask to use such aids effectively. Initial steps can be as simple as implementing a policy for third-party vulnerability assessments at the application layer. A trained expert can also help set up a process for implementing solutions during application design, thus building in security measures.

The Ignore-then-Fix-It Cycle

Most organizations approach Web-application security in a counterproductive cycle: During design, they largely ignore it or address it ineffectively. When security incidents occur, not only is security suddenly a top concern, but management must find someone to contain the damage and fix its root cause. Because no one has proactively sought application-security training or put a process in place to find such problems, the best the organization can do is hope that the scale of the incident is small.

More often than not, the task of preventing and mitigating attacks falls heavily on the administrator or the application's developers, who are already trying to meet constantly evolving business priorities. When incidents occur, security eventually becomes their second full-time job, and without additional resources, they're forced to juggle their competing roles. The security of newly designed applications thus receives little attention until the next incident is encountered, and the ignore-then-fix-it cycle begins anew.

This failing isn't caused by a lack of resources or solutions, which are readily available; rather, it's the product of the management mindset. Even managers with websites that are considered to be at greater risk of attack—such as financial, government, and e-commerce sites—simply aren't putting enough controls into their design, development, and operational processes to avoid serious security incidents that originate at the application layer.

Uninformed Risk Analysis

Resistance to proactively implementing application-layer security often stems from the perceived expense of the process and the idea that many decision makers view risk as a natural part of doing business. The traditional choices are to avoid, reduce, transfer, or accept the identified risk.

But if risk identification is unreliable, then the decision makers aren't sufficiently informed to make such choices. For example, one highly significant cost that tends to be overlooked is the potential reputation loss from a security incident.

Another commonly unforeseen factor is that the victims of an attack can extend well beyond the organizational boundary. For example, attackers can steal customer data and use it for fraudulent purposes (as in identity theft). In other scenarios, they can subvert the application to carry out phishing or other attacks on unrelated third parties (as in malware distribution). Informed risk analysis therefore must involve a mechanism not only to detect vulnerabilities but also to accurately determine who or what the actual targets of attacks might be and to more accurately forecast potential losses if such attacks occur.

This short-sightedness is rooted in a larger problem that some have called a failure of imagination. Managers accept their incomplete security assessment because they believe that the risk associated with compromise will be minimal. Unfortunately, they can't see that they've failed to imagine the full extent of potential problems. Consequently, they're reluctant to invest in measures beyond scanning, which provides only minimal vulnerability detection.

Regardless of the decision makers' beliefs or level of awareness, the organizations they represent clearly have a responsibility for the information systems under their control. This idea is paramount in compliance legislation such as the Sarbanes-Oxley Act of 2002 (www.soxlaw.com), the Health Insurance Portability and Accountability Act (www.hhs.gov/ocr/privacy), and the Federal Information Security Management Act of 2002 (http://csrc.nist.gov/groups/SMA/fisma). More generally, it falls within the IT community's expected norms of behavior, which apply to every organization—whatever the nature of its Web applications or underlying business.

The details of how to address application risk will ultimately depend on the organization's business requirements and the amount of risk it's comfortable with. However, any website could be vulnerable to attack. An organization shouldn't assume that its website is exempt because it doesn't process financial transactions or store personally identifiable information. Attackers have countless reasons for compromising an asset. They might use the asset as a foot in the door for a deeper attack or simply as a mechanism for distributing malware.

Reversing the Trend

At the heart of ineffective Web-application security is a fundamental misunderstanding of available controls and which layers of the Open Systems Interconnection (OSI) protocol stack they protect.

Understand the Application Layer

The first step in reversing the trend of compromised websites is to understand why controls that operate below the application layer can't protect the application.

The OSI layers operate independently, so if an attacker exploits a weakness in software running at layer 7, controls intended to secure the system's lower layers won't prevent the attack. Thus, a packet-filtering firewall at layer 3 won't prevent an attack targeting a publicly available Web application, nor will a vulnerability scanner configured to find weaknesses at lower layers effectively identify problems at higher layers.

Become Proactive

The second step is to become proactive instead of reactive, which means performing a vulnerability assessment at the application layer to identify problems.

The recommended approach is to bring in a neutral third party specifically trained in securing Web applications. However, even a simple assessment or an automated scan against a reliable checklist of the most common vulnerabilities is better than nothing. This will help identify problem areas so staff can describe each problem's potential impact and recommend a mitigation strategy.

Realistic expectations are also important. At most, an assessment can provide insights into the problem areas and the effort required to address them; nothing will completely attack-proof a site. However, a policy for periodically assessing an application's security can find and remove vulnerabilities before they become security incidents.

Use the Standards

The third step is to implement readily available standards, guidelines, and best practices. With the
amount of guidance available in standards documents, organizations have little excuse not to conduct at least a cursory check for application vulnerabilities.

Several software vendors sell automated application-layer vulnerability scanners (for a list of vulnerabilities, see the Open Web Application Security Project's Top Ten Issue List at www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).

Managers are naturally attracted to such solutions because automation is a straightforward and easily understood concept. Automated tools can be an integral part of an overall security-assessment process, but they can't replace the experience of a trained eye; an expert can assess and qualify risks that tools can't. Managers tempted to adopt a scanner-only approach should think again—security is a process, not a product.

Implementation Choices

Organizations have two choices when implementing Web-application security: bolt security onto a completed application or design it in from the beginning.

Bolting On

Any security mechanism added to a completed Web application is a compensating control. Other than simple neglect, there could be other reasons why bolting on security is an organization's only choice. For example, if an organization purchases a closed-source commercial-off-the-shelf product whose company subsequently folds, then it might have no other way to mitigate a new-found vulnerability in the product. In this case, the organization could bolt on an intrusion-prevention system to inspect packets at the application layer.

Although no such measure can replace proactive and periodic security assessments, if implemented properly, the control can improve the application's overall security posture. We advise bolting additional layers of security onto an application that incorporated security from the very first blueprints. The trick is to put the correct control in place in the right way. Security vendors often inflate their products' abilities, making it easy for managers to underestimate the full cost of the control once it's in place. For example, many managers underestimate the staff hours associated with running the tools, reviewing the results, and taking appropriate actions.

Designing In

The design-in approach aims to identify potential problem areas as early as possible—when they're far less expensive to fix—and then assist in designing them out rather than trying to patch them later.

In this more proactive approach, a security expert joins the project team at the start and actively participates during all project life-cycle stages. Early on, the expert critiques the design. Then, toward the middle of the project, the expert might perform code reviews. Finally, toward the project's end, he or she might help the team prepare for certification activities.

Cost Trade-offs

Fundamentally, security is a business decision. Fixing security vulnerabilities costs money—how much generally depends on when the issues are identified.

On the surface, incorporating security from the beginning appears to be the more expensive option, but in practice it often ends up being less costly. For most organizations engaged in Web-application development, the ideal approach is to introduce security as a separate and distinct project role and assign team members as early as possible. Security experts should participate directly throughout—from the drawing board through production.

Web-application development is a complex area with many simultaneous activities, each of which presents an opportunity to introduce exploitable vulnerabilities. The de facto security measure is to focus on nearly everything but the application itself. Here's a sobering thought for all managers responsible for Web applications: Without proactive consideration for the application's security, attackers can bypass nearly all lower-layer security controls simply by using the application in a way its developers didn't envision. The result is often the total compromise of the information system's confidentiality, integrity, or availability.

Organizations must ensure the security of their Web applications, not only to protect their investment and reputation but also to remain accountable to the applications' users. By not addressing vulnerabilities proactively and early on, organizations can leave themselves open to devastating consequences. And with guidance and expertise readily available, such a gamble would seem to be a risk not worth taking.

John R. Maguire is a manager at Noblis and a credentialed Computer Information System Security Professional. He received a BS in decision sciences and management information systems from George Mason University. Contact him at john.maguire@noblis.org.

H. Gilbert Miller is a member of IT Professional's advisory board and corporate vice president and chief technology officer at Noblis. He received a PhD in engineering and public policy from Carnegie Mellon University. Contact him at hgmiller@noblis.org.
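As an added example (not from the article or from Noblis), the following Python models the point made under "Understand the Application Layer" and repeated in the closing paragraph: a layer-3 packet filter decides on addresses, protocol and port only, so two requests that differ solely in their HTTP content are indistinguishable to it, and only a control that parses the request at layer 7 can reject the malformed one. The firewall rules, the per-route input contract, the addresses and the sample requests are all constructed for illustration.

```python
"""Constructed example: a layer-3 packet filter beside a layer-7 input check."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Packet:
    """What a layer-3/4 control can inspect, plus the payload it treats as opaque."""
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    payload: bytes  # the HTTP request; the packet filter never parses it


# Constructed packet-filter policy: matches on protocol and port only.
FIREWALL_RULES = [
    ("tcp", 443, "ALLOW"),  # the public HTTPS service
    ("tcp", 80, "ALLOW"),   # plain HTTP, redirected to HTTPS by the app
    ("*", "*", "DENY"),     # default deny
]


def layer3_filter(pkt, rules=FIREWALL_RULES):
    """Stateless packet filter: first matching rule wins, payload is ignored."""
    for proto, port, action in rules:
        if proto in ("*", pkt.proto) and port in ("*", pkt.dst_port):
            return action
    return "DENY"


def parse_http_request(payload):
    """Minimal parser for the request line of an HTTP/1.x request."""
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    method, target, version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "version": version,
    }


# Constructed application-layer input contract: for each route, the parameters
# it accepts and an allowlist pattern each value must match in full.
INPUT_CONTRACT = {
    "/account": {"id": re.compile(r"[0-9]{1,10}")},
}


def layer7_check(request, contract=INPUT_CONTRACT):
    """Application-layer control: validates the parsed request against the contract."""
    params = contract.get(request["path"])
    if params is None:
        return "REJECT", "unknown route %s" % request["path"]
    for name, values in request["query"].items():
        if name not in params:
            return "REJECT", "unexpected parameter %r" % name
        for value in values:
            if not params[name].fullmatch(value):
                return "REJECT", "parameter %r fails allowlist" % name
    missing = sorted(set(params) - set(request["query"]))
    if missing:
        return "REJECT", "missing parameter(s) %s" % missing
    return "ACCEPT", "ok"


def evaluate(pkt):
    """Run a packet through both controls and record which layer decided."""
    l3 = layer3_filter(pkt)
    if l3 != "ALLOW":
        return {"layer3": l3, "layer7": None, "reason": "blocked by packet filter"}
    verdict, reason = layer7_check(parse_http_request(pkt.payload))
    return {"layer3": l3, "layer7": verdict, "reason": reason}


# Constructed sample traffic. BENIGN and MALFORMED are identical at layers 3/4
# (same addresses, protocol and port); only their HTTP content differs.
BENIGN = Packet("203.0.113.5", "198.51.100.10", "tcp", 443,
                b"GET /account?id=1042 HTTP/1.1\r\nHost: app.example\r\n\r\n")
MALFORMED = Packet("203.0.113.5", "198.51.100.10", "tcp", 443,
                   b"GET /account?id=not-a-number HTTP/1.1\r\nHost: app.example\r\n\r\n")
TELNET = Packet("203.0.113.5", "198.51.100.10", "tcp", 23, b"")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("malformed", MALFORMED), ("telnet", TELNET)):
        print("%-10s %s" % (name, evaluate(pkt)))
```

Running the block shows the packet filter allowing both HTTP packets and denying only the port-23 one, while the layer-7 contract is what separates the well-formed request from the malformed one.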

Weitere ähnliche Inhalte

Mehr von ingenioustech

Measurement and diagnosis of address
Measurement and diagnosis of addressMeasurement and diagnosis of address
Measurement and diagnosis of addressingenioustech
 
Impact of le arrivals and departures on buffer
Impact of  le arrivals and departures on bufferImpact of  le arrivals and departures on buffer
Impact of le arrivals and departures on bufferingenioustech
 
Efficient computation of range aggregates
Efficient computation of range aggregatesEfficient computation of range aggregates
Efficient computation of range aggregatesingenioustech
 
Dynamic measurement aware
Dynamic measurement awareDynamic measurement aware
Dynamic measurement awareingenioustech
 
Design and evaluation of a proxy cache for
Design and evaluation of a proxy cache forDesign and evaluation of a proxy cache for
Design and evaluation of a proxy cache foringenioustech
 
Privacy preserving
Privacy preservingPrivacy preserving
Privacy preservingingenioustech
 
Phish market protocol
Phish market protocolPhish market protocol
Phish market protocolingenioustech
 
Peering equilibrium multi path routing
Peering equilibrium multi path routingPeering equilibrium multi path routing
Peering equilibrium multi path routingingenioustech
 
Online social network
Online social networkOnline social network
Online social networkingenioustech
 
On the quality of service of crash recovery
On the quality of service of crash recoveryOn the quality of service of crash recovery
On the quality of service of crash recoveryingenioustech
 
Layered approach
Layered approachLayered approach
Layered approachingenioustech
 
It auditing to assure a secure cloud computing
It auditing to assure a secure cloud computingIt auditing to assure a secure cloud computing
It auditing to assure a secure cloud computingingenioustech
 
Intrution detection
Intrution detectionIntrution detection
Intrution detectioningenioustech
 
Bayesian classifiers programmed in sql
Bayesian classifiers programmed in sqlBayesian classifiers programmed in sql
Bayesian classifiers programmed in sqlingenioustech
 
Conditional%20 shortest%20path%20routing%20in%20delay%20tolerant%20networks[1]
Conditional%20 shortest%20path%20routing%20in%20delay%20tolerant%20networks[1]Conditional%20 shortest%20path%20routing%20in%20delay%20tolerant%20networks[1]
Conditional%20 shortest%20path%20routing%20in%20delay%20tolerant%20networks[1]ingenioustech
 
Applied research of e learning
Applied research of e learningApplied research of e learning
Applied research of e learningingenioustech
 
Active reranking for web image search
Active reranking for web image searchActive reranking for web image search
Active reranking for web image searchingenioustech
 
A dynamic performance-based_flow_control
A dynamic performance-based_flow_controlA dynamic performance-based_flow_control
A dynamic performance-based_flow_controlingenioustech
 
Java & dotnet titles
Java & dotnet titlesJava & dotnet titles
Java & dotnet titlesingenioustech
 

Mehr von ingenioustech (19)

Measurement and diagnosis of address
Measurement and diagnosis of addressMeasurement and diagnosis of address
Measurement and diagnosis of address
 
Impact of le arrivals and departures on buffer
Impact of  le arrivals and departures on bufferImpact of  le arrivals and departures on buffer
Impact of le arrivals and departures on buffer
 
Efficient computation of range aggregates
Efficient computation of range aggregatesEfficient computation of range aggregates
Efficient computation of range aggregates
 
Dynamic measurement aware
Dynamic measurement awareDynamic measurement aware
Dynamic measurement aware
 
Design and evaluation of a proxy cache for
Design and evaluation of a proxy cache forDesign and evaluation of a proxy cache for
Design and evaluation of a proxy cache for
 
Privacy preserving
Privacy preservingPrivacy preserving
Privacy preserving
 
Phish market protocol
Phish market protocolPhish market protocol
Phish market protocol
 
Peering equilibrium multi path routing
Peering equilibrium multi path routingPeering equilibrium multi path routing
Peering equilibrium multi path routing
 
Online social network
Online social networkOnline social network
Online social network
 
On the quality of service of crash recovery
On the quality of service of crash recoveryOn the quality of service of crash recovery
On the quality of service of crash recovery
 
Layered approach
Layered approachLayered approach
Layered approach
 
It auditing to assure a secure cloud computing
It auditing to assure a secure cloud computingIt auditing to assure a secure cloud computing
It auditing to assure a secure cloud computing
 
Intrution detection
Intrution detectionIntrution detection
Intrution detection
 
Bayesian classifiers programmed in sql
Bayesian classifiers programmed in sqlBayesian classifiers programmed in sql
Bayesian classifiers programmed in sql
 
Conditional%20 shortest%20path%20routing%20in%20delay%20tolerant%20networks[1]
Conditional%20 shortest%20path%20routing%20in%20delay%20tolerant%20networks[1]Conditional%20 shortest%20path%20routing%20in%20delay%20tolerant%20networks[1]
Conditional%20 shortest%20path%20routing%20in%20delay%20tolerant%20networks[1]
 
Applied research of e learning
Applied research of e learningApplied research of e learning
Applied research of e learning
 
Active reranking for web image search
Active reranking for web image searchActive reranking for web image search
Active reranking for web image search
 
A dynamic performance-based_flow_control
A dynamic performance-based_flow_controlA dynamic performance-based_flow_control
A dynamic performance-based_flow_control
 
Java & dotnet titles
Java & dotnet titlesJava & dotnet titles
Java & dotnet titles
 

KĂĽrzlich hochgeladen

Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 

KĂĽrzlich hochgeladen (20)

Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Karra SKD Conference Presentation Revised.pptx

Web application security from reactive to proactive

Smart It

Web-Application Security: From Reactive to Proactive
John R. Maguire and H. Gilbert Miller, Noblis

Many organizations bring security to the forefront of Web-applications design only after an incident occurs. The result is generally an expensive, knee-jerk reaction to security problems that might have been avoided with intelligently planned controls.

A Typical Scenario

The typical Web-application development scenario goes something like this: Decision makers see a business opportunity to provide a service via the Web, so they assemble a design team. The team produces a design that reflects the business requirements and passes it to Web developers and programmers, who race to deliver the system on time and within the budget with limited resources. The nearly complete system might then undergo final user-acceptance testing and quality assurance to ensure it meets the stated business requirements. Once the application passes those tests, it’s declared complete and is pressed into production as quickly as possible so the organization can realize its gain.

Conspicuously absent in this process is any specific consideration for the application’s security. Yet organizations can’t afford to let such scenarios persist, particularly in light of the trend of increased attacks made clear in the “Symantec Global Internet Security Threat Report: Trends for 2009” (Symantec white paper, Apr. 2010).

In helping clients assess application-layer vulnerabilities, Noblis has found that organizations often don’t protect their applications because they don’t fully understand how popular security controls, such as firewalls and vulnerability scanning, relate to the application layer. An analysis based on this incomplete knowledge can’t provide an accurate risk assessment.

Solutions and guidelines are readily available, but managers must know what questions to ask to use such aids effectively. Initial steps can be as simple as implementing a policy for third-party vulnerability assessments at the application layer. A trained expert can also help set up a process for implementing solutions during application design, thus building in security measures.

The Ignore-then-Fix-It Cycle

Most organizations approach Web-application security in a counterproductive cycle: During design, they largely ignore it or address it ineffectively. When security incidents occur, not only is security suddenly a top concern, but management must find someone to contain the damage and fix its root cause. Because no one has proactively sought application-security training or put a process in place to find such problems, the best the organization can do is hope that the scale of the incident is small. More often than not, the task of preventing and mitigating attacks falls heavily on the administrator or the application’s developers, who are already trying to meet constantly evolving business priorities. When incidents occur, security eventually becomes their second full-time job, and without additional resources, they’re forced to juggle their competing roles. The security of newly designed applications thus receives little attention until the next incident is encountered, and the ignore-then-fix-it cycle begins anew.

This failing isn’t caused by a lack of resources or solutions, which are readily available; rather, it’s the product of the management mindset. Even managers with websites that are considered to be at greater risk of attack—such as financial, government, and e-commerce sites—simply aren’t putting enough controls into their design, development, and operational processes to avoid serious security incidents that originate at the application layer.

Uninformed Risk Analysis

Resistance to proactively implementing application-layer security often stems from the perceived expense of the process and the idea that many decision makers view risk as a natural part of doing business. The traditional choices are to avoid, reduce, transfer, or accept the identified risk. But if risk identification is unreliable, then the decision makers aren’t sufficiently informed to make such choices. For example, one highly significant cost that tends to be overlooked is the potential reputation loss from a security incident.

Another commonly unforeseen factor is that the victims of an attack can extend well beyond the organizational boundary. For example, attackers can steal customer data and use it for fraudulent purposes (as in identity theft). In other scenarios, they can subvert the application to carry out phishing or other attacks on unrelated third parties (as in malware distribution). Informed risk analysis therefore must involve a mechanism not only to detect vulnerabilities but also to accurately determine who or what the actual targets of attacks might be and to more accurately forecast potential losses if such attacks occur.

This short-sightedness is rooted in a larger problem that some have called a failure of imagination. Managers accept their incomplete security assessment because they believe that the risk associated with compromise will be minimal. Unfortunately, they can’t see that they’ve failed to imagine the full extent of potential problems. Consequently, they’re reluctant to invest in measures beyond scanning, which provides only minimal vulnerability detection.

Regardless of the decision makers’ beliefs or level of awareness, the organizations they represent clearly have a responsibility for the information systems under their control. This idea is paramount in compliance legislation such as the Sarbanes-Oxley Act of 2002 (www.soxlaw.com), the Health Insurance Portability and Accountability Act (www.hhs.gov/ocr/privacy), and the Federal Information Security Management Act of 2002 (http://csrc.nist.gov/groups/SMA/fisma). More generally, it falls within the IT community’s expected norms of behavior, which apply to every organization—whatever the nature of its Web applications or underlying business.

The details of how to address application risk will ultimately depend on the organization’s business requirements and the amount of risk it’s comfortable with. However, any website could be vulnerable to attack. An organization shouldn’t assume that its website is exempt because it doesn’t process financial transactions or store personally identifiable information. Attackers have countless reasons for compromising an asset. They might use the asset as a foot in the door for a deeper attack or simply as a mechanism for distributing malware.

Reversing the Trend

At the heart of ineffective Web-application security is a fundamental misunderstanding of available controls and which layers of the Open Systems Interconnection (OSI) protocol stack they protect.

Understand the Application Layer

The first step in reversing the trend of compromised websites is to understand why controls that operate below the application layer can’t protect the application. The OSI layers operate independently, so if an attacker exploits a weakness in software running at layer 7, controls intended to secure the system’s lower layers won’t prevent the attack. Thus, a packet-filtering firewall at layer 3 won’t prevent an attack targeting a publicly available Web application, nor will a vulnerability scanner configured to find weaknesses at lower layers effectively identify problems at higher layers.

Become Proactive

The second step is to become proactive instead of reactive, which means performing a vulnerability assessment at the application layer to identify problems.

The recommended approach is to bring in a neutral third party specifically trained in securing Web applications. However, even a simple assessment or an automated scan against a reliable checklist of the most common vulnerabilities is better than nothing. This will help identify problem areas so staff can describe each problem’s potential impact and recommend a mitigation strategy.

Realistic expectations are also important. At most, an assessment can provide insights into the problem areas and the effort required to address them; nothing will completely attack-proof a site. However, a policy for periodically assessing an application’s security can find and remove vulnerabilities before they become security incidents.

Use the Standards

The third step is to implement readily available standards, guidelines, and best practices. With the amount of guidance available in standards documents, organizations have little excuse not to conduct at least a cursory check for application vulnerabilities.

Several software vendors sell automated application-layer vulnerability scanners (for a list of vulnerabilities, see the Open Web Application Security Project’s Top Ten Issue List at www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).

Managers are naturally attracted to such solutions because automation is a straightforward and easily understood concept. Automated tools can be an integral part of an overall security-assessment process, but they can’t replace the experience of a trained eye; an expert can assess and qualify risks that tools can’t. Managers tempted to adopt a scanner-only approach should think again—security is a process, not a product.

Implementation Choices

Organizations have two choices when implementing Web-application security: bolt security onto a completed application or design it in from the beginning.

Bolting On

Any security mechanism added to a completed Web application is a compensating control. Other than simple neglect, there could be other reasons why bolting on security is an organization’s only choice. For example, if an organization purchases a closed-source commercial-off-the-shelf product whose company subsequently folds, then it might have no other way to mitigate a new-found vulnerability in the product. In this case, the organization could bolt on an intrusion-prevention system to inspect packets at the application layer.

Although no such measure can replace proactive and periodic security assessments, if implemented properly, the control can improve the application’s overall security posture. We advise bolting additional layers of security onto an application that incorporated security from the very first blueprints. The trick is to put the correct control in place in the right way. Security vendors often inflate their products’ abilities, making it easy for managers to underestimate the full cost of the control once it’s in place. For example, many managers underestimate the staff hours associated with running the tools, reviewing the results, and taking appropriate actions.

Designing In

The design-in approach aims to identify potential problem areas as early as possible—when they’re far less expensive to fix—and then assist in designing them out rather than trying to patch them later.

In this more proactive approach, a security expert joins the project team at the start and actively participates during all project life-cycle stages. Early on, the expert critiques the design. Then, toward the middle of the project, the expert might perform code reviews. Finally, toward the project’s end, he or she might help the team prepare for certification activities.

Cost Trade-offs

Fundamentally, security is a business decision. Fixing security vulnerabilities costs money—how much generally depends on when the issues are identified.

On the surface, incorporating security from the beginning appears to be the more expensive option, but in practice it often ends up being less costly. For most organizations engaged in Web-application development, the ideal approach is to introduce security as a separate and distinct project role and assign team members as early as possible. Security experts should participate directly throughout—from the drawing board through production.

Web-application development is a complex area with many simultaneous activities, each of which presents an opportunity to introduce exploitable vulnerabilities. The de facto security measure is to focus on nearly everything but the application itself. Here’s a sobering thought for all managers responsible for Web applications: Without proactive consideration for the application’s security, attackers can bypass nearly all lower-layer security controls simply by using the application in a way its developers didn’t envision. The result is often the total compromise of the information system’s confidentiality, integrity, or availability.

Organizations must ensure the security of their Web applications, not only to protect their investment and reputation but also to remain accountable to the applications’ users. By not addressing vulnerabilities proactively and early on, organizations can leave themselves open to devastating consequences. And with guidance and expertise readily available, such a gamble would seem to be a risk not worth taking.

John R. Maguire is a manager at Noblis and a credentialed Computer Information System Security Professional. He received a BS in decision sciences and management information systems from George Mason University. Contact him at john.maguire@noblis.org.

H. Gilbert Miller is a member of IT Professional’s advisory board and corporate vice president and chief technology officer at Noblis. He received a PhD in engineering and public policy from Carnegie Mellon University. Contact him at hgmiller@noblis.org.

1520-9202/10/$26.00 © 2010 IEEE. Published by the IEEE Computer Society. IT Pro, July/August 2010, computer.org/ITPro.
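The "Understand the Application Layer" step argues that a layer-3 packet filter decides on addresses, protocol and ports and never sees the request the application receives, so it accepts a malformed request exactly as it accepts a well-formed one. The following Python model is an added example, not code from the article or from Noblis; every address, rule, endpoint and request in it is constructed for the illustration.

```python
"""Added example (not from the article): a toy model of why a layer-3 packet
filter cannot catch an application-layer problem. The filter decides on the
5-tuple alone; only a check inside the application (layer 7) sees the request.
Every address, rule and request below is constructed for the example."""
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    payload: str  # the HTTP request line carried inside the packet

# Constructed layer-3/4 policy: any client may reach the Web server on 443.
ALLOW_RULES = [("0.0.0.0/0", "203.0.113.10", "tcp", 443)]

def layer3_filter_allows(pkt: Packet) -> bool:
    """Packet-filter verdict: looks at the 5-tuple only, never the payload."""
    src = ipaddress.ip_address(pkt.src_ip)
    for src_net, dst_ip, proto, port in ALLOW_RULES:
        if (src in ipaddress.ip_network(src_net) and pkt.dst_ip == dst_ip
                and pkt.proto == proto and pkt.dst_port == port):
            return True
    return False

# Allow-list for the only parameter the constructed endpoint accepts.
ID_RE = re.compile(r"^[0-9]{1,9}$")
REQUEST_RE = re.compile(r"^GET /orders\?id=([^ ]*) HTTP/1\.1$")

def layer7_validates(request_line: str) -> bool:
    """Application-layer verdict: the 'id' query value must be a short integer."""
    m = REQUEST_RE.match(request_line)
    return bool(m) and bool(ID_RE.match(m.group(1)))

def evaluate(pkt: Packet) -> dict:
    """Return both layers' verdicts so their independence is visible."""
    return {"layer3": layer3_filter_allows(pkt),
            "layer7": layer7_validates(pkt.payload)}

# Constructed traffic: identical 5-tuple, different application payload.
GOOD = Packet("198.51.100.7", "203.0.113.10", "tcp", 443,
              "GET /orders?id=42 HTTP/1.1")
MALFORMED = Packet("198.51.100.7", "203.0.113.10", "tcp", 443,
                   "GET /orders?id=42abc HTTP/1.1")
```

Both packets receive the same layer-3 verdict; only the application-layer allow-list separates them, which is the reason the article gives for assessing and designing security at layer 7 rather than relying on lower-layer controls.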