At each layer, IT professionals must be aware of the vulnerability, put measures in place to address it, and then assume the measures will fail. If additional layers of security are in place, the web application is much better positioned to handle an attack.

A web application draws upon nearly every facet of an organization's IT infrastructure. Securing the application requires a multi-layered approach, addressing vulnerabilities at all levels of the application and its security context. This article discusses such a multi-layered approach.

Hardening the Enterprise:

A secure web application begins with a secure foundation. The operating system, database, and other supporting applications must first be hardened and secured.
This requires implementing and vigorously following a coherent plan for patch management. Systems and applications must be baselined to a common security risk level, patches and updates must be monitored and evaluated for their criticality, and finally important patches and updates must be tested and deployed.

Encrypting Transmitted Data:

Sensitive data that is to be passed across the Internet must be secured through an appropriate level of encryption. The Secure Sockets Layer (SSL) protocol, with its characteristic lock symbol at the bottom of the browser, is the standard means of encrypting data over the wire.
SSL also enables server and client authentication for those concerned with identity fraud.

However, just because a site uses 128-bit encryption should not lull security-minded
IT professionals into a false sense of security. SSL guards the confidentiality of data while it is transmitted, but it does nothing to secure private data stored on the web server. Encryption is only one piece of the larger security puzzle – often necessary but not sufficient alone to secure a web application.


Guarding the Perimeters:

Today's web applications often include sophisticated e-commerce and credit card transactions, e-banking, auctions, message boards, etc. With all of this data exchanged between web sites and users, not only must sensitive data be secured, but the types of access and activities must also be restricted. Using packet filtering, firewalls can restrict the types of activity allowed, such as permitting web access and email but denying telnet and ftp. Proxy servers can be interposed between users and the web at large to insulate users from pernicious attacks via the web. Also, inspections of packet contents go a step further by restricting access to only those with particular IP addresses or domain names, assuring that only those whom your organization trusts can gain access to the web applications.

Again, however, guarding the perimeters is only one measure in a multi-layered security strategy for your web applications. Once access to the web application is gained, an intruder may have unfettered access to the enterprise if additional security measures in place.

Vulnerability Scanners:

Vulnerability scanners have been used for years to help identify network security flaws. Such scanners are automated tools that remotely check a network for known vulnerabilities. Some may look for signs such as registry entries to determine if specific patches or updates have been implemented. Others actually attempt to exploit known vulnerabilities and collect and analyze responses. Scanners range in price from free and open source scanners to quite expensive commercial tools.

Good scanners today can achieve more than 90% vulnerability coverage on an average network. However, they are weak at the application level because they rely on known and documented
flaws. Flaws and vulnerabilities within custom code are unlikely to be documented in scanner databases.
Thus, for web applications, vulnerability scanners should be viewed as simply one additional tool to be consulted.

Writing Secure Code:

Building web applications with code that is secure is perhaps most critical. Unfortunately, security concerns often take a back seat in the drive to simply getting the application up and running.
But time pressure is not the only culprit here. Often developers have little
understanding of, or appreciation for, security concerns. And even when they do, other factors may compromise solid work and good intentions. Incorporating sample or open source code, working with offshore vendors, and code sharing may introduce unsuspected vulnerabilities.

In addition, although modular code is good for productivity, subtle interactions between code modules may leave security leaks in the application. Finally, the sheer complexity and lines of code
may be beyond the scrutiny of even the best developer.

Writing secure code is unfortunately an imprecise art, dependent upon the knowledge and talent of application developers. For this reason it is important that developers be trained in security issues, and that they work together with system administrators from the beginning stages of application
development to identify potential security concerns. More minds are better than fewer when it comes to code reviews and practices, and organizations which produce secure applications makes good code a priority.

Security Assessments:

Given how thorny it can be to identify security vulnerabilities in custom applications, it is critical to have regular and frequent security assessments performed by a knowledgeable team. This is especially true of sites that are often changed and updated. Last minute seasonal promotions and other rushed web site changes are inevitable. With scheduled security risk assessments, security concerns are incorporated into the daily chaos rather than dismissed as an uncomfortable afterthought.

Summary:

Web applications sit atop the IT infrastructure, leaving them vulnerable not only to their unique risks but to the risks of all supporting infrastructure – network vulnerabilities, back-end weaknesses, application server glitches, web server holes, and human error. For this reason securing web applications is perhaps the most difficult security challenge an organization faces. It takes a multi-level approach and a combination of technology tools and a team of savvy IT professionals working together to truly secure those critical web applications.

About Jonathan Coupal:


Jonathan Coupal is the Vice President and Chief Technology Officer of ITX Corp. Mr. Coupal manages both the day-to-day and strategic operations of the Technology Integration Practice Group. Among Mr. Coupal's greatest strengths are evaluating customers' unique problems, developing innovative, cost effective solutions and providing a "best practice" implementation methodology. Mr. Coupal's extensive knowledge and experience enables him to fully analyze client systems to recommend the most effective technologies and solutions that will both optimize their business processes and fulfill immediate and future goals. Mr. Coupal and his team build a high level of trust with clients, establishing ITX as their IT partner of choice.
Mr. Coupal holds certifications with Microsoft and CompTia, including MCSE, MCSA, Security+, Linux+ and i-Net+, and served as a Subject Matter Expert (SME) for the development of the CompTia Linux+.

About ITX Corp:

ITX Corp is a business consulting and technology solutions firm focused in nine practice areas including Business Performance, Internet Marketing, IT Staffing, IT Solution Strategies and Implementation, Technical Services, Internet Services, and Technology Research. To learn more about what ITX can do for you visit our website at www.itx.net or contact us at (800) 600-7785.