When it comes to securing applications on a network, limiting privileges is the golden rule. Vulnerabilities that expose web applications start with the database and work outwards towards the application code itself. Users or application functions should be given only as much access to the database as necessary.
Disabling (or at least properly protecting) the administrator account is a given. The default sa account password is NULL in SQL Server, for example. If you do not change it, you make it easier for attackers to gain access. "It is best to disable that [account] entirely and only use Windows authentication via Active Directory. User accounts can benefit from the same permissions and models that the directory does," says David Hartley, senior security consultant at IT consulting firm Activity. "That means that you have a fine and granular approach. It means that people are limited in their activities."
Security tools can also be inserted in front of or behind a web application to make it harder to break into. Web application firewalls are the obvious choice. Instead of simply monitoring packets at a port level like a normal firewall, they carry out deep packet inspection to understand what the traffic is doing.
"The threats we prevent are the usual ones we would expect, such as cross-site scripting, hidden field manipulation and cookie poisoning," says Ian Schenkel, EMEA vice-president of Protegrity, which sells an application firewall product. "We have a combination of whitelist and also negative firewalling. So we will update the whitelist of known attacks from time to time while making sure that it's up to date," he says.
Whitelisting checks traffic patterns against an expected traffic profile for a particular application. If the traffic does not match the expected pattern, it gets dropped. Negative firewall models rely on blocking known attacks. Each has its own merits, explains Schenkel's colleague, Mohamed Zouine, a senior technical consultant at Protegrity.
Whitelists are more secure, because they can block unexpected attacks, but they are also prone to false positives and are best suited to applications that will be accessed by only a small number of controlled sources, he says. An application only accessed as a web service by other applications in the country might be a good example. Negative models work better for applications with a large base of users accessing a web application unpredictably.
Another mitigation option is to impose access control or encryption on the database. Application Security's dbProtect product can monitor access to the database and raise an alert should something suspicious happen. "We look for not only known security issues, but also unusual behaviour such as the DBA performing a SELECT on the credit card column," says Julian. That helps to monitor for insider attacks, too.
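The least-privilege advice above (disable sa, authenticate through the directory, grant only what each application function needs) and the monitoring point about reads of the card column can both be expressed in SQL Server's own configuration. The following T-SQL is an added example, not from the article or any vendor mentioned in it; the database `Shop`, table `dbo.Payments` with column `CardNumber`, procedure `dbo.usp_ChargeOrder`, AD group `CORP\WebAppUsers` and the audit file path are all assumed names.

```sql
-- Added example (not from the article): least-privilege setup for a web
-- application's SQL Server database, plus an audit trail for reads of the
-- payments table. All object and principal names below are assumptions.

USE master;
GO

-- Stop relying on the built-in administrator login at all.
ALTER LOGIN sa DISABLE;
GO

-- Authenticate through Active Directory instead of a SQL login with its own
-- password; membership of the group decides who can connect.
CREATE LOGIN [CORP\WebAppUsers] FROM WINDOWS;
GO

-- Server-level audit that the database audit specification below feeds into
-- (SQL Server Audit exists from SQL Server 2008 onwards; path is assumed).
CREATE SERVER AUDIT PaymentsAudit
TO FILE (FILEPATH = 'D:\Audit\');
ALTER SERVER AUDIT PaymentsAudit WITH (STATE = ON);
GO

USE Shop;
GO

-- Map the login to a database user that starts with no permissions.
CREATE USER WebAppUsers FOR LOGIN [CORP\WebAppUsers];
GO

-- Grant only what the application function needs: the right to execute the
-- one procedure that implements the operation, not SELECT on the table.
GRANT EXECUTE ON OBJECT::dbo.usp_ChargeOrder TO WebAppUsers;
GO

-- Explicitly deny direct reads of the card column, so a later, broader grant
-- on the table cannot quietly expose it.
DENY SELECT ON OBJECT::dbo.Payments (CardNumber) TO WebAppUsers;
GO

-- Record every SELECT against the payments table, whoever issues it (DBAs
-- included), which is the "unusual behaviour" the text describes.
CREATE DATABASE AUDIT SPECIFICATION PaymentsTableReads
FOR SERVER AUDIT PaymentsAudit
ADD (SELECT ON OBJECT::dbo.Payments BY public)
WITH (STATE = ON);
GO
```

The audit records can then be read with `sys.fn_get_audit_file` and fed to whatever alerting the team already uses; a SELECT on the table by a login outside the application group is the event to alert on.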
Databases have featured native encryption for some time. SQL Server has had it since version 2005, and Oracle started shipping data encryption in version 10g release 2. However, Protegrity's Zouine argues that with many companies using multiple databases from different suppliers, it becomes increasingly difficult to manage native encryption. Instead, he advocates the firm's own system, which handles the encryption process and keys centrally.
With so many vulnerabilities to worry about, and with so little time and budget, life can be depressing for people in charge of web and application security. Still, keep your chin up. It turns out that these attacks work both ways. For every sophisticated coder working in the criminal underground, there are tens of neophytes looking to make a quick buck. They use phishing toolkits and slap sites together just as ineptly as the most unsuccessful corporate programmers.
There is a growth market in hacking phishing sites, many of which store entered password details in something as simple as a text file generated from an online guest book. They can have their data stolen even more easily than you can. It may be cold comfort, but at least legitimate coders are not the only ones getting frustrated with online crime.
Johnny Long's Google Hacking Site provides a guide to finding vulnerable web applications using carefully crafted Google searches. Alternatively, you could use the Cult of the Dead Cow's automated Goolag tool. Do not forget to check the OWASP site for vulnerability and exploit information. And for light relief, here is a cartoon about SQL injection. Who would have thought that DROP TABLE commands could be humorous?
This article first appeared in Infosecurity magazine
This was first published in October 2008