When it comes to securing applications on a network, limiting
privileges is the golden rule. Vulnerabilities that expose web
applications start with the database and work outwards towards the
application code itself. Users or application functions should be
given only as much access to the database as necessary.
Disabling (or at least properly protecting) the administrator
account is a given. The default sa account password is NULL in SQL
Server, for example. If you do not change it, you make it easier
for attackers to gain access. "It is best to disable that [account]
entirely and only use Windows authentication via Active Directory.
User accounts can benefit from the same permissions and models that
the directory does," says David Hartley, senior security consultant
at IT consulting firm Activity. "That means that you have a fine
and granular approach. It means that people are limited in their
activities."
Security tools can also be inserted in front of or behind a web
application to make it harder to break into. Web application
firewalls are the obvious choice. Instead of simply monitoring
packets at a port level like a normal firewall, they carry out deep
packet inspection to understand what the traffic is doing.
"The threats we prevent are the usual ones we would expect, such
as cross-site scripting, hidden field manipulation and cookie
poisoning," says Ian Schenkel, EMEA vice-president of Protegrity,
which sells an application firewall product. "We have a combination
of whitelist and also negative firewalling. So we will update the
whitelist of known attacks from time to time while making sure that
it's up to date," he says.
Whitelisting checks traffic patterns against an expected traffic
profile for a particular application. If the traffic does not match
the expected pattern, it gets dropped. Negative firewall models
rely on blocking known attacks. Each has its own merits, explains
Schenkel's colleague, Mohamed Zouine, a senior technical consultant
at Protegrity.
Whitelists are more secure, because they can block unexpected
attacks, but they are also prone to false positives and are best
suited to applications that will be accessed by only a small number
of controlled sources, he says. An application only accessed as a
web service by other applications in the country might be a good
example. Negative models work better for applications with a large
base of users accessing a web application unpredictably.
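To make the contrast between the two models concrete, here is an added Python illustration (not Protegrity's product or code): a whitelist profile for one application beside a negative signature list, both run over constructed sample requests. The paths, parameter rules, signatures and traffic are all assumed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Positive (whitelist) model: the expected traffic profile for ONE application.
# A request is allowed only if its method/path is known and every parameter
# matches its allowed shape; anything else is dropped.  (Constructed profile.)
WHITELIST_PROFILE = {
    ("GET", "/search"): {"q": re.compile(r"^[\w ]{1,40}$")},
    ("POST", "/login"): {"user": re.compile(r"^[a-z0-9_]{3,20}$"),
                         "pass": re.compile(r"^.{8,64}$")},
}

# Negative (blacklist) model: signatures of KNOWN attacks (XSS, SQL injection).
# Only traffic matching one of these is blocked.  (Constructed signatures.)
BLACKLIST_SIGNATURES = [
    re.compile(r"<script", re.I),
    re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),
    re.compile(r";\s*drop\s+table", re.I),
]

def whitelist_allows(method, url, body=""):
    """Allow only requests that match the expected profile."""
    parts = urlsplit(url)
    rules = WHITELIST_PROFILE.get((method, parts.path))
    if rules is None:                      # unprofiled page -> dropped
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    if set(params) - set(rules):           # unexpected parameter -> dropped
        return False
    return all(rules[k].match(v) for k, vs in params.items() for v in vs)

def blacklist_allows(method, url, body=""):
    """Block only requests that match a known-attack signature."""
    text = url + "\n" + body
    return not any(sig.search(text) for sig in BLACKLIST_SIGNATURES)

# Constructed sample traffic: (method, url, body, description)
SAMPLE_TRAFFIC = [
    ("GET", "/search?q=web+firewalls", "", "legitimate search"),
    ("GET", "/search?q=<script>alert(1)</script>", "", "known XSS"),
    ("POST", "/login", "user=admin' or 1=1--&pass=x", "known SQL injection"),
    ("GET", "/search?q=../../etc/passwd", "", "unknown attack (no signature yet)"),
    ("GET", "/export?format=csv", "", "legitimate but unprofiled page"),
]

def compare_models():
    """Return {description: (whitelist_allowed, blacklist_allowed)}."""
    return {d: (whitelist_allows(m, u, b), blacklist_allows(m, u, b))
            for m, u, b, d in SAMPLE_TRAFFIC}
```

The last two rows show the trade-off the text describes: the whitelist drops the novel payload the signature list has never seen, but it also drops a legitimate request to a page nobody profiled, which is the false positive the negative model avoids.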
Another mitigation option is to impose access control or
encryption on the database. Application Security's dbProtect
product can monitor access to the database and raise the alert
should something suspicious happen. "We look for not only known
security issues, but also unusual behaviour such as the DBA
performing a SELECT on the credit card column," says Julian. That
helps to monitor for insider attacks, too.
Databases have featured native encryption for some time. SQL
Server has had it since version 2005, and Oracle started shipping
data encryption in version 10g release 2. However, Protegrity's
Zouine argues that with many companies using multiple databases
from different suppliers, it becomes increasingly difficult to
manage native encryption. Instead, he advocates the firm's own
system, which handles the encryption process and keys
centrally.
With so many vulnerabilities to worry about, and with so little
time and budget, life can be depressing for people in charge of web
and application security. Still, keep your chin up. It turns out
that these attacks work both ways. For every sophisticated coder
working in the criminal underground, there are tens of neophytes
looking to make a quick buck. They use phishing toolkits and slap
sites together just as ineptly as the most unsuccessful corporate
programmers.
There is a growth market in hacking phishing sites, many of
which store entered password details in something as simple as a
text file generated from an online guest book. They can have their
data stolen even more easily than you can. It may be cold comfort,
but at least legitimate coders are not the only ones getting
frustrated with online crime.
Useful info
Johnny Long's Google Hacking Site provides a guide to finding
vulnerable web applications using carefully-crafted Google searches.
Alternatively, you could use the Cult of the Dead Cow's automated
Goolag tool. Do not forget to check the OWASP site for vulnerability
and exploit information. And for light relief, here is a cartoon
about SQL injection. Who would have thought that DROP TABLE commands
could be humorous?
This article first appeared in Infosecurity magazine.