Web application security is the area of IT security that deals primarily with the security of the applications themselves: are we vulnerable to SQL injection, cross-site scripting, cross-site request forgery (XSRF), session fixation and the rest of the Open Web Application Security Project (OWASP) catalogue of attacks that can be launched over port 80 or 443, writes Mike Wiltshire (CISSP), head of services and application security at SureCloud.
It also asks whether the web server itself is properly secured, and whether any other services on that host could be used to compromise our application. Finally, a good application security test should validate that the business logic cannot be circumvented by an attacker. It is widely reported that most internet-based attacks now arrive over these two ports, at the application layer.
Something that often gets overlooked when discussing application security is the information security element: What data are we exposing to the internet, and why? Can anyone infer our internal values and processes from what we reveal through a particular business application? Does this application actually fulfil some business requirement and does it really need to live on the internet, or could it be moved to a trusted network such as the LAN?
Application security is therefore a discipline that spans both IT security and information security, and it deserves due consideration in the early phases of the software lifecycle. A solid business justification for exposing a particular business function to the internet should be established during the initial planning stage, before project sign-off. Where they exist, compliance and legal teams should be consulted to guide the information security practitioner; their combined expertise should be enough to tell the business owner whether there are any significant concerns, depending on the nature of the data involved.
For complex applications, the architecture and framework should also be scrutinised for potential vulnerabilities and causes for concern.
Once the design and development phases of an application project are under way, application security plays a role in ensuring that the final product is free of security defects that could compromise the application logic or data once it is in production. We have found that giving developers access to an intercepting web proxy such as Paros or Burp Proxy (the proxy component of Burp Suite) for use during unit-testing increases overall awareness of security issues. This, in turn, reduces overall costs, because fewer fixes are needed as a result of formal security testing later in the software development lifecycle.
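To show what "security checks as part of unit-testing" can look like in practice, here is an added example; it is not code from the original article or from SureCloud. It uses only the Python standard library: an in-memory SQLite database with constructed sample users stands in for the real data store, and a toy session store stands in for the web framework. It puts a deliberately injectable login query beside its parameterised replacement, and a login that keeps the pre-authentication session id (the session fixation flaw mentioned above) beside one that rotates it. The check functions return booleans so they can be called straight from a test suite. All names and the sample data are assumptions made for the example.

```python
"""Security checks a developer can run as ordinary unit tests.

Added example, not code from the original article or from SureCloud.
Standard library only: an in-memory SQLite database and a toy session
store stand in for a real web application.
"""
import secrets
import sqlite3

# Constructed sample users (hypothetical). Passwords are kept in plaintext
# only to keep the example short; real code stores salted password hashes.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database populated with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately unsafe: untrusted input is concatenated into the SQL."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Fixed version: bound parameters, so input can never become SQL."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


class SessionStore:
    """Toy server-side session store (hypothetical, for the checks only)."""

    def __init__(self):
        self.sessions = {}  # session id -> dict of session attributes

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def authenticate_fixable(self, sid, user):
        """Unsafe: the pre-login id is kept after authentication, so an id
        an attacker planted on the victim becomes an authenticated one."""
        self.sessions.setdefault(sid, {})["user"] = user
        return sid

    def authenticate_rotating(self, sid, user):
        """Fixed: issue a fresh id on privilege change and drop the old one."""
        self.sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": user}
        return new_sid


def check_sql_injection(login):
    """Return True if `login` can be bypassed with a comment-based payload."""
    conn = make_db()
    # The attacker knows a username but not the password; the trailing
    # SQL comment is meant to cut the password comparison off the query.
    return login(conn, "alice' --", "wrong") == "alice"


def check_session_fixation(authenticate):
    """Return True if the session id survives login (fixation possible)."""
    store = SessionStore()
    planted = store.new_session()  # an id an attacker could hand to a victim
    after = authenticate(store, planted, "alice")
    return after == planted and store.sessions[planted]["user"] == "alice"


if __name__ == "__main__":
    print("injection bypass, vulnerable:", check_sql_injection(login_vulnerable))
    print("injection bypass, safe:      ", check_sql_injection(login_safe))
    print("fixation, fixable:           ",
          check_session_fixation(SessionStore.authenticate_fixable))
    print("fixation, rotating:          ",
          check_session_fixation(SessionStore.authenticate_rotating))
```

The point of wiring these as plain functions is that the same payloads a tester would send through an intercepting proxy become assertions that run on every build: the vulnerable login accepts `alice' --` with any password, the parameterised one does not, and only the rotating login produces a session id the attacker did not choose.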
When choosing a supplier for your application security testing, it is important to verify that they spend time understanding your application and its business purpose. This can be as simple as browsing the application, signing up for products, newsletters or services, and generally using the site in the way it was intended. Deeper insight into the intended functionality is critical in working out how its security controls, and particularly its business logic processes, might be circumvented. Ask whether they can help you identify which applications should be tested: an application can span multiple domains, and the person signing the invoice may not be aware of this.
An application source code review, combined with penetration testing of the application interfaces, is very effective in reducing the overall cost of security testing your applications: the code review finds whole classes of defect quickly, and the penetration test confirms which of them are actually reachable and exploitable through the exposed interfaces.
Finally, make sure retesting is included, both to confirm that the original findings have genuinely been closed and to check that the fixes have not introduced new vulnerabilities.