The first part of our column Effective Web application security risk assessment in 12 steps, dealt with first six steps to ensure a thorough Web application security assessment exercise within stipulated timeframes. This installment will detail the remaining six best practices to conduct Web application security assessments.
Maintain a repository of useful online security resources: A repository containing references (names, URLs, Google Search keywords) of essential online security resources could prove useful for the auditors during the Web application security assessment. The online security resources might be sample test scripts, sample exploits, mitigation and remediation techniques for vulnerabilities, and quick interactive tutorials on security tools.
Checklist-driven approach: Checklist-driven Web application security assessment comprises a checklist of potential vulnerabilities (covering different categories). The auditors use this checklist as baseline to audit the Web application against all known vulnerabilities. This approach is useful for vulnerability assessment (VA) type of engagements. For an effective risk assessment, auditors should consistently upgrade the checklist to cover the latest vulnerabilities. However, this approach cannot be used for penetration testing (PT) type of engagements where trophies and successful infiltration on key assets are major risk assessment objectives. In this case, auditors can prepare a list of possible known attacks, which can be attempted on the target Web application during PT.
Target low privileged user roles and high value asset: It is logical to start the Web application security assessment with low privileged user roles and target critical functionalities that handle sensitive data in the initial phases. This approach will greatly enhance the probability of identifying critical/high risk security flaws early in the risk assessment cycle.
Focus on identifying vulnerability categories: When risk assessment timelines are stringent, it is always advisable for the auditors to focus more on identifying different vulnerabilities (category wise) rather than targeting more instances of a specific vulnerability. This approach ensures that the Web application security assessment is in-depth, wide and complete.
Map high risk security issues in the application’s source code: VA/PT is a different approach when compared with a manual application’s source code review. However, when the stakes are high, assessment time window is limited, and the target Web application’s code base is readily available, it is better to merge both the approaches to form an effective Web application security assessment methodology. In this methodology, the critical/high risk security vulnerabilities identified using VA/PT are mapped in the application’s source code. This provides the application development team a clear picture about the root cause of the vulnerability and helps them save significant time and effort while mitigating the security issues.
Report the identified security issues: Despite identifying critical/high risk security issues, auditors often fail to properly articulate them to convey the actual impact on the business in the Web application security assessment report. As a result, the management and application teams are unable to clearly understand the vulnerabilities, their impact on the application/business and how these can be avoided in future.
The following points should be considered while reporting any vulnerability in the security risk assessment report:
• The vulnerability should be properly named, categorized and backed with granular details like vulnerable page/Web form/functionality URLs, vulnerable field/HTML parameter/form names.
• Always provide a ‘brief description’ and ‘specific scenario’ about the vulnerability. While the brief description provides basic information about the vulnerability, the specific scenario highlights the nature, root cause of occurrence and its impact on the Web application.
• An appropriate ‘risk rating’ should be calculated for the vulnerability depending upon factors like probability to exploit (likelihood), potential impact, application dynamics and data classification.
• The vulnerability should be backed by a proper ‘recommendation’ section, highlighting the general and specific mitigation techniques along with references (external links/URLs) of useful online resources.
A successful Web application security assessment requires a perfect blend of accurate risk assessment planning, tools, processes and techniques, their proper execution, and last but not the least, auditor’s skills and expertise.
About the author: Sachin Kediyal is a security consultant with IBM GBS - Security & Privacy Consulting Practice. He has worked in various capacities ranging from a developer to an infosec consultant for organizations like IBM, Tata Consultancy Services and Micropro in a career span of over six years. Kediyal has expertise in application security and performing security risk assessments. He is an active volunteer member of OWASP India and has conducted numerous trainings on application security and secure coding for his clients. For any suggestions, queries or feedback on this article you can reach the author at firstname.lastname@example.org