5 Threats that make your Website Vulnerable
By: Richard Touret

Webmaster dilemma: having to choose between "easy and quick development" and security?
"75% of malicious attacks on the web take place on the application layer" (Gartner). "... The evolution of web applications has been characterized by a relatively immature level of security awareness ..." (Deloitte and Touche).

Websites create value. Whether you are an e-merchant, an administration or a car manufacturer, your core assets (accounting, supply chain, customer data, business information, ...) are processed, stored and communicated through your internet applications and, more generally, through your IT system. Web applications include of course websites, but also internal business and logic applications, intranets, extranets, portals ... It is a fact: more and more companies and administrations tend to 'webize' their IT infrastructure.

But there is a flip side: being open brings dangers and threats that are often underestimated ...

Web protocols are not secure
"More than 80% of all malware that emerged in the past year focus on application-level vulnerabilities" (various sources, 2006). "In June 2006, 92 SQL injection and 34 cross-site scripting (XSS) new vulnerabilities were recorded on our database" (Secunia).

These real threats result in: private data theft, illegal use of your website (for instance to host forbidden content or spam relays), website defacement, e-commerce website abuse, unavailability, ...

Major threats include:
· Cross-site scripting (XSS) - arbitrary code injection in scripts
· SQL injection - reading or modifying databases
· Command injection - unauthorized command execution
· Parameter/form tampering - sending false arguments to the application
· Cookie/header tampering - HTTP fields used to send false values to the web server
· Buffer overflow - overflowing buffer memory
· Directory traversal/forceful browsing - access outside the application
· 'Attack obfuscation' - attack masquerading, for instance via URL encoding

The well-known security principles are confidentiality, availability, integrity and auditability. The HTTP and HTTPS protocols give poor results on all of these: web protocols hardly authenticate, and only partly guarantee confidentiality and integrity. And malicious traffic does not become legitimate because it arrives over SSL; your website processes it all the same! Keep in mind that a URL sent by a browser is a command line to your web server: for instance a URL that generates an SQL command or activates a CGI script.

Finally, web protocols do not impose input validation; this is the major cause of their 'insecurity'!

Coding secure web applications is hard work
"For far too many development professionals, Web application security only consists of producing applications that are functional and stable, not building hacker protection into the code or checking for SQL injection vulnerabilities" (SPI Dynamics).

Web protocols are not secure by default. But web application developers could strongly improve security standards with good coding principles. As M. Andrews and J. Whittaker mention in their Guide to Web Application Security : “If developers only validated their inputs to what they are expecting to be given, rather than attempting to filter for malicious inputs (if at all), then 80-90% of web application vulnerabilities would go away. SQL Injection -- gone, XSS -- gone, parameter tampering -- gone.”
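As an added example that is not from the article or from BinarySEC, here is what "validate inputs to what you expect" looks like in Python, placed next to a parameterised database query: each field has a rule for what it must look like, anything else is rejected before a query runs, and legitimate data containing SQL-looking characters (an apostrophe in a surname) is still handled correctly. The in-memory SQLite table, its rows and the field rules are constructed assumptions.

```python
import re
import sqlite3

# One rule per expected input, describing what it MUST look like. Anything
# that does not match is rejected, so "bad" inputs never need enumerating.
RULES = {
    "product_id": re.compile(r"[0-9]{1,9}"),
    "username": re.compile(r"[a-z0-9_]{3,20}"),
    # Real names contain apostrophes (O'Brien); the rule accepts them and
    # the parameterised query below keeps them as data, not SQL.
    "customer_name": re.compile(r"[A-Za-z][A-Za-z '-]{0,59}"),
}

def validate(field: str, value) -> str:
    """Return value unchanged if it matches the rule for field, else raise."""
    if not isinstance(value, str) or RULES[field].fullmatch(value) is None:
        raise ValueError(f"rejected {field}: not in the expected format")
    return value

def is_accepted(field: str, value) -> bool:
    """True if validate() would accept the value (handy for tests/logging)."""
    try:
        validate(field, value)
        return True
    except ValueError:
        return False

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample rows standing in for a shop's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Ana Lopez", "ana@example.com"),
        (2, "Sean O'Brien", "sean@example.com"),
        (3, "Ana Lopez", "ana.l@example.com"),
    ])
    return conn

def find_customer_emails(conn: sqlite3.Connection, name: str) -> list:
    """Validate first, then bind the value as a query parameter: the driver
    hands it to SQLite as data, so none of its characters become SQL."""
    clean = validate("customer_name", name)
    rows = conn.execute(
        "SELECT email FROM customers WHERE name = ? ORDER BY email", (clean,)
    ).fetchall()
    return [email for (email,) in rows]
```

The same pattern applies to every field listed in the threat list above: decide the expected format per parameter, cookie or header, reject the rest, and never build commands or queries by string concatenation.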


BinarySEC is a security SOFTWARE vendor. We built the first intelligent web application software firewall. Installed on the web server, it monitors or blocks suspicious requests, including SQL injection, cross-site scripting, directory traversal, forceful browsing, command injection, parameter tampering, attack obfuscation, buffer overflow, ...
More info: http://www.binarysec.com
More about the author: http://www.binarysec.com/page-eng-websiteaboutus.html

Article Source: http://www.ArticleBiz.com

Copyright © 2009 by ArticleBiz.com. All rights reserved.