Student Shelter In Computers
Slogan: Our Aim & Mission as an Organization is to Promote Information Technology, Cyber Security and Entrepreneurship Education in the Young Generation; to Teach, Train & Employ them in the Education Sector, Banks & Different Industries; and to Build them into Future Leaders.
Web Application Security
Protect What Matters Most: Your Critical Web Applications and Data
Your web applications are under siege. Cyber-criminals attack around the clock,
steal data, disrupt access, and compromise website credentials to commit further
fraud. Next generation firewalls, Intrusion Prevention Systems and other
traditional network security controls don’t stop the latest industrialized,
multi-vector attacks, leaving your organization exposed to costly and damaging
breaches and downtime. Web Application Security solutions from Imperva enable
you to prevent breaches and downtime by protecting your data where it’s accessed
– your web applications – securing them against web attacks, DDoS, site
scraping, and fraud.
Web Application Security
Headlines like “Web Application Vulnerabilities Continue to Skyrocket,” and “9
Ways Web Apps Woo Hackers,” are timeless. Since the first web application was
able to deliver rich content to visitors, attackers have looked to exploit any
holes they could to damage, deface, and defraud. As the trend to deliver
applications through web browsers continues to grow, the number of
vulnerabilities available to cyber criminals grows exponentially.
As most businesses rely on web sites to deliver content to their customers,
interact with customers, and sell products, certain technologies are often
deployed to handle the different tasks of a web site. A content management
system like Joomla! or Drupal may be the solution used to build a robust web
site filled with product, or service, related content. Businesses often turn to
blogs using applications like WordPress or forums running on phpBB that rely on
user generated content from the community to give customers a voice through
comments and discussions. ZenCart and Magento are often the solutions to the
e-commerce needs of both small and large businesses who sell directly on the
web. Add in the thousands of proprietary applications that web sites rely on,
and it is clear why securing web applications should be a top priority for any
web site owner, no matter how big or small.
Risks Associated with Web Applications
Web applications give visitors access to the most critical resources of a web
site: the web server and the database server. As with any software, developers
of web applications spend a great deal of time on features and functionality
and dedicate very little time to security. It's not that developers don't care
about security; nothing could be further from the truth. The reason so little
time is spent on security is often a lack of understanding of security on the
part of the developer, or a lack of time dedicated to security on the part of
the project manager.
For whatever reason, applications are often riddled with vulnerabilities that
are used by attackers to gain access to either the web server or the database
server. From there any number of things can happen. They can:
Deface a web site
Insert spam links directing visitors to another site
Insert malicious code that installs itself onto a visitor’s computer
Insert malicious code that steals session IDs (cookies)
Steal visitor information and browsing habits
Steal account information
Steal information stored in the database
Access restricted content
And much more…
Preventing Web Application Attacks
With a web application firewall you can avoid many different threats to web
applications, because it inspects your HTTP traffic and checks the packets
against rules, such as allowing or denying protocols, ports, or IP addresses,
to stop web applications from being exploited.
Architected as plug & play software, it provides optimal out-of-the-box
protection against DoS threats, cross-site scripting, SQL injection attacks,
path traversal and many other web attack techniques.
The reasons it offers such a comprehensive solution to your web application
security needs are:
Easy installation on Apache and IIS servers
Strong security against known and emerging hacking attacks
Best-of-breed predefined security rules for instant protection
Interface and API for managing multiple servers with ease
Requires no additional hardware, and easily scales with your business
How does an attacker launch an attack against a web application?
There are many different ways malicious hackers
attack a web application. Simply
doing a bit of research with Google can expose a number of vulnerabilities in
some of the most popular web applications like WordPress, ZenCart, Joomla!,
Drupal, and MediaWiki. Not only are the vulnerabilities in these applications,
and many others, easy to find - but with an automated search attackers can find
exactly which web sites have not fixed these vulnerabilities.
Most commonly, the following tactics are used to attack these applications:
SQL Injection
XSS (Cross Site Scripting)
Remote Command Execution
Path Traversal
SQL Injection
SQL Injection works by the attacker finding an area on a web site that accepts
user input which is not filtered for escape characters. User login areas are
often targeted because they have a direct link to the database, since
credentials are usually checked against a user table of some sort. By injecting
a SQL fragment such as ' ) OR 1=1--, the attacker can access information stored
in the web site's database. Of course, the example above is a relatively simple
SQL statement. Ones used by attackers are often much more sophisticated if they
know what the tables in the database are, since these complex statements
generally produce better results.
Cross Site Scripting
Cross Site Scripting (XSS) attacks occur
when an attacker is able to inject a malicious client-side script into a
vulnerable web page. When these scripts are run, they can be used to install
malicious software on the visitor’s computer, steal a visitor’s cookie, or
hijack a visitor’s session.
Remote Command Execution
Remote Command Execution vulnerabilities allow attackers to pass arbitrary
commands to other applications. In severe cases, the attacker can obtain system
level privileges allowing them to attack the servers from a remote location and
execute whatever commands they need for their attack to be successful.
Path Traversal
Path Traversal vulnerabilities give the attacker access to files, directories,
and commands that generally are not accessible because they reside outside the
normal realm of the web document root directory. Unlike the other
vulnerabilities discussed, Path Traversal exploits exist due to a security
design error - not a coding error.
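Added example, not the page's own code: a Python resolver that maps a requested path onto a document root and refuses any request that normalizes (after one round of URL decoding) to a location outside it. The document root is a constructed, empty temporary directory and the request strings are constructed samples.

```python
import os
import tempfile
from urllib.parse import unquote

def safe_resolve(document_root, requested):
    """Resolve a requested file path under document_root, or return None if
    the request would escape the root."""
    root = os.path.realpath(document_root)
    # Decode %xx once, as the web server would before touching the filesystem,
    # and drop a leading slash so join() does not treat the request as absolute.
    rel = unquote(requested).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    # Compare normalised absolute paths: ".." segments and symlinks are already
    # collapsed, so a prefix check on root plus separator is reliable.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate

def classify(document_root, requested):
    """Return the served path relative to the root (with '/' separators),
    or None when the request is refused."""
    resolved = safe_resolve(document_root, requested)
    if resolved is None:
        return None
    rel = os.path.relpath(resolved, os.path.realpath(document_root))
    return rel.replace(os.sep, "/")

def demo():
    """Constructed requests against a constructed, empty document root."""
    root = tempfile.mkdtemp()
    requests = [
        "index.html",                 # plain file under the root
        "css/../index.html",          # harmless '..' that stays inside
        "../../etc/passwd",           # classic traversal out of the root
        "%2e%2e/%2e%2e/etc/passwd",   # the same, URL-encoded
        "/etc/passwd",                # absolute path: re-rooted, not honoured
    ]
    return {r: classify(root, r) for r in requests}

if __name__ == "__main__":
    for request, served in demo().items():
        print(f"{request!r:32} -> {served}")
```

The check deliberately decodes only once; a server that decodes twice would need to apply the same resolution after its final decoding step.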
The Need to Avoid Attacks
With so many web sites running applications, attackers have taken to creating
automated tools that can launch well coordinated attacks against a number of
vulnerable web sites at once. With this capability, the targets of these
malicious hackers are no longer limited to large corporate web sites. Smaller
web sites are just as easily caught up in the net cast by these automated
attacks.
The repercussion of having your web site compromised can be devastating to any
business, no matter what the industry or size of the company. The after-effects
of these attacks include:
Stolen data
Compromised user accounts
Loss of trust with customers and/or visitors
Damaged brand reputation
Lost sales revenue
Your site labeled as a malicious site
Loss of search engine rankings
Protect Yourself from Attacks Against Web Applications
Its unique security approach eliminates the need to learn the specific
threats that exist on each web application. The software focuses on analyzing
the request and the impact it has on the application.
Effective web application security is based on three powerful web application
security engines: Pattern Recognition, Session Protection and Signature
Knowledgebase.
The Pattern Recognition web application security engine effectively protects
against malicious behavior such as the attacks mentioned above, and many
others. The patterns are regular-expression based and designed to efficiently
and accurately identify a wide array of application-level attack methods. As a
result, it is characterized by an extremely low false positive rate.
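An added example (not code from the page or from any product it describes) of how a regex-based pattern recognition engine of the kind described above can classify request lines. The rule set and the request log lines are constructed for illustration, and each pattern is anchored on surrounding context so that a benign title containing "or" and "1=1" does not trigger it:

```python
import re
from urllib.parse import unquote_plus

# Constructed signature set. Each pattern requires context (a closing quote or
# parenthesis, a tag opener, a traversal sequence) rather than a bare keyword,
# which is what keeps the false positive rate low.
RULES = {
    "sql_tautology": re.compile(r'[\'")]\s*or\s+\d+\s*=\s*\d+', re.I),
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
}

def inspect_request(request_line):
    """Return the names of rules matched by one 'METHOD target HTTP/x' line."""
    parts = request_line.split(" ", 2)
    if len(parts) < 2:
        return []
    # Decode %xx and '+' first, as the application would, so encoded input
    # is judged on what the server will actually see.
    target = unquote_plus(parts[1])
    return [name for name, rx in RULES.items() if rx.search(target)]

SAMPLE_LOG = [  # constructed request lines, not real traffic
    "GET /index.php?id=5 HTTP/1.1",
    "GET /login.php?user=%27%29+OR+1%3D1--&pass=x HTTP/1.1",
    "GET /search.php?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1",
    "GET /download.php?file=../../etc/passwd HTTP/1.1",
    "GET /blog.php?title=Tips+for+Oracle+1%3D1+tutorial HTTP/1.1",
]

def scan_log(lines=SAMPLE_LOG):
    """Map each request line to the rules it triggers; an empty list is clean."""
    return {line: inspect_request(line) for line in lines}

if __name__ == "__main__":
    for line, hits in scan_log().items():
        print(f"{hits or ['clean']}: {line}")
```

The last sample line contains both "or" and "1=1" yet matches nothing, because the tautology rule insists on a quote or parenthesis immediately before the keyword.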
What sets it apart is that it offers comprehensive protection against threats
to web applications while being one of the easiest solutions to use. In just
10 clicks, a web administrator with no security training can have it up and
running. Its predefined rule set offers out-of-the-box protection that can be
easily managed through a browser-based interface with virtually no impact on
your server or web site's performance.
Securing Web Applications
More than half of all breaches involve web applications* — yet less than 10% of
organizations ensure all critical applications are reviewed for security before
and during production†.
Clearly, organizations need a way to replace fragmented, manual pen testing
with ongoing, automated scanning so they can protect their global application
infrastructures — without hiring more consultants or installing more servers
and scanning tools.
The leading vector for cyber-attacks
Applications have become the path of least resistance for cyber-attackers
because they are:
Constantly exposed to the Internet and easy to probe by outside attackers
using freely available tools that look for common vulnerabilities such as SQL
Injection.
Easier to attack than traditional targets such as the network
and host operating system layers which have been hardened over time. Plus,
networks and operating systems are further protected by mitigating controls
such as next-generation firewalls and IDS/IPS systems.
Driven by short development cycles that increase the probability
of design and coding errors — because security is often overlooked when the
key objective is rapid time-to-market.
Assembled from hybrid code obtained from a mix of in-house
development, outsourced code, third-party libraries and open source — without
visibility into which components contain critical vulnerabilities.
Likely to present a larger attack surface with Web 2.0 technologies
that incorporate complex client-side logic such as JavaScript (AJAX) and Adobe
Flash.
Discover and continuously monitor all your web applications
Discovery: According to SANS, many organizations don’t even know how many
applications they have in their domains. Our Discovery service addresses this
visibility gap by creating a global inventory of all your public-facing web
applications such as corporate sites, temporary marketing sites, related sites
(.mail, .info, etc.), international domains and sites obtained via M&A. Plus,
Discovery leverages our massively parallel, auto-scaling infrastructure to
discover thousands of applications per day.
DynamicMP (Massively Parallel): Baseline your application risk by quickly
identifying highly exploitable vulnerabilities such as those found in the OWASP
Top 10 and CWE/SANS Top 25. Leverage our massively parallel infrastructure to
test thousands of web applications simultaneously with lightweight,
non-authenticated dynamic scans. Rapidly mitigate risk by shutting down
temporary sites and feeding security intelligence information to Web
Application Firewalls (WAFs).
DynamicDS (Deep Scan): Perform a comprehensive deep scan that identifies web
application vulnerabilities using both authenticated and non-authenticated
scans, including looking for attack vectors such as cross-site scripting (XSS),
SQL injection, insufficiently protected credentials and information leakage.
Also integrates security intelligence information with WAFs to enable virtual
patching.
Virtual Scan Appliance (VSA): Perform a deep scan of applications located
behind the firewall, typically in QA or staging environments, in order to find
vulnerabilities prior to deployment. The VSA also helps secure internal web
applications from insider attacks or attacks by malicious outsiders who gain
access to insider credentials.
Designed & Developed by Webmaster Abbas Shahid Baqir
Webmaster Feedback: stscomps@yahoo.com
All Rights Reserved. Copyright 2010-2020 Student Shelter In Computers ®