Research: Hardening Web Applications

Ely, Adam | 07/23/10


Hardening Next-Gen Web Applications

Application security is a hot topic today. It was a hot topic last month, and we believe it will stay a hot topic well into the future. As we discussed in our October 2008 InformationWeek Analytics State of Software Protection report, there may be no such thing as a bulletproof app, but that doesn’t mean we’re not trying: Over half of the business technology professionals we surveyed for that report had application security strategies in place, and in our current Web 2.0 Survey of 382 respondents—all of whom have responsibility for the development, deployment or ongoing security of Web 2.0 applications—again, more than half say they have deployed protection for these applications.

“The issue with security is how to best employ common practices when adapting to a Web model that exchanges information between applications residing on different servers,” says one respondent to our 2010 survey. “This issue, in reality, has been around from the beginning of e-commerce. As the e-industry gets bigger, so do the lines of attack and problems that go with it. Not much different than the fraud attacks done by simple telephone calls!”

In our 2008 report we examined how developers and security organizations could work together to make their applications as bulletproof as possible. Now, we’ll examine some of the new pitfalls organizations need to avoid and explore changes in the security landscape. For example, IT should review and update its security methodologies each year, or sooner when the business changes, and consider bringing in someone with a fresh perspective. Don’t be inflexible: compromise deadlines for security when you must, but have a plan for getting the deferred work done. And be fair with requirements; the payoff will be better cooperation from the business. We’ll also detail an actual Web 2.0 application exploit and discuss how to find it, defend against it and remediate it.

Table of Contents

    4 Author’s Bio
    5 Executive Summary
    6 Research Synopsis
    7 Separation of Powers
    10 Right Tools for the Job
    12 Sample Function: PHP Sanitation
    14 Dig Deeper
    16 Don’t Sit Still
    17 Natural Born Enemies
    20 Strike a Balance
    25 Anatomy of an Attack
    32 Appendix

About the Author


Adam Ely is director of security for TiVo. As an InformationWeek Reports contributor, he has authored multiple research reports on data and code security. He previously led a software development group at Walt Disney Co., where he implemented secure coding standards and source code analysis processes.

Adam gained extensive experience with enterprise and cloud security while supporting applications and services for clients such as AmEx, Citi and Expedia as manager of information security with TRX. He has published numerous security vulnerabilities and papers and conducts security research with leading firms to advance threat analysis and protections.

Adam currently serves as a member of the Journal Editorial Review Committee for ISACA and sits on the advisory board for an information security consulting firm. Adam has released numerous application vulnerability advisories, authored and contributed to open source security applications, and is the co-author of the Center for Internet Security Tomcat Benchmark.

He holds an MBA from Florida State University; a BS in information technology from Capella University; and multiple certifications, including CISSP, CISA, NSA IAM and MCSE.
