Pundit - Guard the Application Layer
Maybe that was good enough for 1998. But today, hackers and their attack strategies are smarter and much more ambitious. The threat of the day is the application attack, which sneaks through your firewall and into your Web applications. And yes, some of these attacks like to dine on tasty customer data.
If you’ve got a low-profile site, you probably don’t need to worry. But if a lot of people know about you, you’re at risk. It may sound paranoid, but someone could abscond with your customers’ Social Security numbers and you’d never know.
So why don’t ordinary firewalls stop these attacks? Because they’ve been designed to appear as well-formed traffic, with no unusually large packets or suspicious mismatches between address and content to sound the alarm. One of the most frightening examples is the SQL injection. Here, hackers can use one of your own HTML forms to run unauthorized queries on your database. Another threat: command execution. Whenever Web applications pass commands to a shell application, a clever hack can cause arbitrary commands to execute on the server.
Other attacks are simpler. For example, HTML comments often contain sensitive information, including log-ins left by incautious programmers. Ultimately, the lines of attack on the application layer-from altering cookies to changing hidden fields in HTML forms-are limited only by hacker imagination. But the good news is that most of these attacks can be stopped cold.
Two complementary approaches, when combined, provide a solid defense. First, use an application scanner to scour your Web apps for vulnerabilities. Then get yourself a Web application firewall to keep the bad guys from breaking and entering.
Application scanners basically launch a host of simulated attacks on your server and report on the results. KaVaDo ScanDo, Sanctum AppScan Audit and SPI Dynamics all do a pretty thorough job itemizing flaws and recommending fixes. AppScan Audit is particularly interesting, because it’s the after-the-fact member of a suite of products that help programmers catch vulnerabilities as they code. None of these packages, however, can beat a full-scale audit by security pros.
