Website Security, Application Firewalls, and Auditing at a Glance

A good article here on “at a glance” website auditing.

Take a look at any Website. Just by looking at the URL bar, I can glean several things right off the bat. If the site does a redirection to another page, it might show a file extension like “.aspx” or “.php.” In my experience, a .aspx extension generally implies that there are fewer cross-site request forgeries, fewer cross-site scripting vulnerabilities, and fewer login problems than a .asp classic site. And the HTTP headers help to tell what type of machine the Web server is.

It’s not perfect science but it’s a good place to start.
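The quick look the quoted article describes, as an added example that is not from the original post or the article it quotes: a small Python routine that reads the redirect extension and the platform-identifying headers out of a constructed HTTP response, beside the header set a site owner would ship after stripping them.

```python
"""Added example: what an at-a-glance review can read from a redirect,
and the headers a site owner would strip. SAMPLE_RESPONSE is constructed,
not a captured response from any real site."""
import re
from urllib.parse import urlsplit

# Constructed sample: a login redirect as a server might emit it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Location: http://www.example.com/Default.aspx?ReturnUrl=%2f\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Headers that volunteer the platform; a hardening pass removes them.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def parse_headers(raw):
    """Return (status line, {lowercase name: value}) from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def at_a_glance(raw):
    """Mimic the reviewer's glance: the extension of the redirect target
    plus any platform-identifying headers the server sends."""
    status, headers = parse_headers(raw)
    findings = {"redirect_extension": None, "disclosed": {}}
    loc = headers.get("location")
    if status.split()[1].startswith("3") and loc:
        match = re.search(r"\.([A-Za-z0-9]+)$", urlsplit(loc).path)
        findings["redirect_extension"] = match.group(1).lower() if match else None
    for name in DISCLOSING_HEADERS:
        if name in headers:
            findings["disclosed"][name] = headers[name]
    return findings

def strip_disclosing_headers(headers):
    """Hardened copy of the header set with platform identification removed.
    Some servers re-add a Server header unless configured not to, so verify
    the live response after changing the configuration."""
    return {k: v for k, v in headers.items() if k not in DISCLOSING_HEADERS}
```

Run `at_a_glance` against your own site's responses to see what a reviewer would infer before reading any page content.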

Reading that piece led me to another article somewhat related to one I wrote a few weeks ago that led to accusations of madness being levelled against me. In my blog “We can’t write secure code” (May 16th) I claimed that “systems are simply too complicated with too many lines of code for anyone to expect that they can be released without containing bugs and security holes”. In Developer’s Dilemma, this theme is taken further:

We are at an interesting tipping point. On one hand, we are training our development teams to work faster, and usually with less quality, in an effort to quickly iterate on our code. Yet such haste pretty much eliminates the effort to analyze and fine-tune the code to reduce security issues.

It’s another argument in favour of Web Application Firewalls. We can’t develop faster and be more secure at the same time, so we need to put the security at a layer in front of the code. In fact, even OWASP agree. See this PowerPoint presentation from AppSec 2006 where Ivan Ristic states that web application firewalls are “an important building block in every HTTP network.”

At this very moment I’m reviewing a report I’ve been given relating to the security of a website. All the usual suspects are present: SQL injection, cross-site scripting, error messages, and so on. It’s a production product, taking in and reporting live data. Fix the bugs or a WAF? We can’t take the site down and can only afford to do one or the other. I know where I’ll be saying we should be spending the money.