Pundit - Guard the Application Layer

By Eric Knorr

Thu, April 15, 2004CIO Back in the day, just before the launch of a dotcom I now regret being associated with, I asked our chief developer about security risks to subscriber data. "We’ve put two network cards in the Web server," he grinned. "So the database communicates with the Web server on a separate network. Anyone who hacked into our Web server wouldn’t even know the database was there."

Maybe that was good enough for 1998. But today, hackers and their attack strategies are smarter and much more ambitious. The threat of the day is the application attack, which sneaks through your firewall and into your Web applications. And yes, some of these attacks like to dine on tasty customer data.

If you’ve got a low-profile site, you probably don’t need to worry. But if a lot of people know about you, you’re at risk. It may sound paranoid, but someone could abscond with your customers’ Social Security numbers and you’d never know.

So why don’t ordinary firewalls stop these attacks? Because they’ve been designed to appear as well-formed traffic, with no unusually large packets or suspicious mismatches between address and content to sound the alarm. One of the most frightening examples is the SQL injection. Here, hackers can use one of your own HTML forms to run unauthorized queries on your database. Another threat: command execution. Whenever Web applications pass commands to a shell application, a clever hack can cause arbitrary commands to execute on the server.

Other attacks are simpler. For example, HTML comments often contain sensitive information, including log-ins left by incautious programmers. Ultimately, the lines of attack on the application layer-from altering cookies to changing hidden fields in HTML forms-are limited only by hacker imagination. But the good news is that most of these attacks can be stopped cold.

Two complementary approaches, when combined, provide a solid defense. First, use an application scanner to scour your Web apps for vulnerabilities. Then get yourself a Web application firewall to keep the bad guys from breaking and entering.

Application scanners basically launch a host of simulated attacks on your server and report on the results. KaVaDo ScanDo, Sanctum AppScan Audit and SPI Dynamics all do a pretty thorough job itemizing flaws and recommending fixes. AppScan Audit is particularly interesting, because it’s the after-the-fact member of a suite of products that help programmers catch vulnerabilities as they code. None of these packages, however, can beat a full-scale audit by security pros.
Loading...
Applications MarketSpace
Exchange 2007 Risks and Mitigation Strategies
This whitepaper will review the strengths of Exchange 2007 and areas where CIOs should consider third party solutions. Learn more »
Solving On-premise Email Challenges
This white paper presents ten on-premise challenges and their on-demand services solutions. Learn more »
An Open Framework for Business Intelligence
Architecting Business Intelligence Applications for Change Learn more »
Adobe for Business Process Automation
Companies must be able to react to customer demands, competitive threats, and compliance requirements. Learn more »
Increase Customer Satisfaction and Lower TCO
With Adobe® LiveCycle® Enterprise Suite (ES2) software, organizations can easily deploy intuitive user experiences. Learn more »
Practical Approaches for Securing Web Applications
Enterprises understand the importance of securing web applications to protect critical corporate and customer data. What many don't understand, is how to implement a robust process for integrating security and risk management throughout the web application software development lifecycle. Learn more »
Smart techniques for application security: whitebox + blackbox security testing.
An Executive's Guide to Web Application Security
Since so many Web sites contain vulnerabilities, hackers can leverage a relatively simple exploit to gain access to a wealth of sensitive information, such as credit card data, social security numbers and health records. It's more important than ever to examine your Web application security, assess your vulnerability and take action to protect your business. Learn more »
 
SPONSORED LINKS
 

CRM Built for IT: The Executive Guide to Selecting CRM that Meets IT Needs

ROI of Application Delivery Controllers

White Paper: 4 Customer Service Myths

White Paper: Improve Agility with Operational Responsiveness

Removing the Barriers to IT Governance: How On-Demand Software Changes the Game

Cloud Computing--Latest Buzzword or a Glimpse of the Future?

A Balanced Approach to an Application Development Platform

Adobe® LiveCycle®solutions for intuitive user experience

10 Ways Excel Drives More Value from Your SAP Investment

What's New in SOA Suite 11g?

Unleash the Power of Java with Oracle JRockit Real Time

SOA Best Practices and Design Patterns

Application Grid: Ideal Platform for IT Consolidation

Ready to virtualize tier one applications? Check your virtualization maturity.

Learn how to provide complete Business Service Management.

Increase ROI of Your Application Portfolio

Return on Information: Google Enterprise Search pays you back. Get the facts.

VMware. The source for Business Infrastructure Virtualization.

ShoreTel tells businesses to untangle from competitors' complexity and turn to its brilliantly simple UC solution

See how AT&T can help protect your network.

Streamline IT Costs. Boost Performance with WAN Optimization.

Build your 1st app FREE with Force.com

TDWI checklist helps define data readiness for analytics. Download report.

eZine: A Roadmap to Reducing IT Complexity

Reduce risk, gain agility. See how Progress can help your business.

What's Next for Enterprise Resource Planning?

Gartner Magic Quadrant, Application Delivery Controllers 2009

White Paper: Managed Security for a Not-So-Secure World

SharePoint - Unchecked growth of content is unsustainable.

Focus Under Pressure: Why IT Governance Becomes Mission-Critical in a Down Economy

Should Your Email Live In The Cloud? A Comparative Cost Analysis

Adobe® LiveCycle® solutions for business process automation

Architecting Business Intelligence Applications for Change: The Open Solution

Increase UPS efficiency without sacrificing protection.

Unlocking the Mainframe: Modernizing Legacy System to SOA

State of the Data Integration Market

Enhance Customer Loyalty through Higher Responsiveness

Achieving Business Agility with Application Grid

Seven Ways ITIL Can Help You in an Economic Downturn

Four steps to populate your CMDB.

"Enterprise-Proven" is the Prerequisite for Enterprise SaaS Portal Solutions

AT&T Synaptic Storage as a Service. Expand on demand

Trend Micro ranked #1 against real-world malware. Read more.

Webinar: Jump-start your in-house e-discovery with Ringtail QuickCull from FTI Technology

Top Five CIO Challenges

Read the RSA report: Security for Business Innovation

64-page prescriptive guide to security, compliance, and IT operations.

A Clear View Toward Virtualization

Virtualization Technology as a Business Solution

The rules of infrastructure management just changed.

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords