Friday, March 7, 2008

Securing Web Applications

Basic Guidelines for providing security for Web Applications

By building security-specific steps into the way applications are created, software development teams can guard against security violations. Specifically, several basic guidelines can be applied to existing applications as well as new or re-engineered ones throughout the development process to achieve greater security and lower remediation costs:

  • Discover and create baselines: Conduct a complete inventory of applications and systems, including technical information (e.g., IP address, DNS name, operating system) plus business information (e.g., who authorized the deployment, and who should be notified if the application fails). Next, scan your Web infrastructure for common vulnerabilities and exploits. Check mailing lists and bug-tracking sites for any known attacks on your OS, Web server and other third-party products. Prior to loading your application on a server, ensure that the server has been patched, hardened and scanned. Then scan your application for vulnerabilities to known attacks, looking at HTTP requests and other opportunities for data manipulation. Finally, test the application's authentication and user-rights management features, and terminate any services that are not in the baseline.

  • Assess and assign risks: Rate applications and systems for risk - focusing on data stores, access control, user provisioning and rights management. Prioritize application vulnerabilities discovered during assessments. Review organizational, industry and governmental policy compliance. And identify both acceptable and unacceptable operations.

  • Shield your application and control damage: Stay on top of known security threats and apply available patches to your applications and/or infrastructure. If you cannot fix a security issue, use an application firewall, restrict access, disable the application or relocate it to minimize exposure.

  • Continuously monitor and review: Schedule assessments as part of your documented change management process. When you close one out, immediately initiate a new discovery stage.
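The four stages above can be expressed as a small piece of tooling: a baseline inventory that records both the technical and the business information for each application, a risk ranking that prioritizes scanner findings by severity, exposure and data sensitivity, and a comparison between the baseline and a fresh scan that flags services nobody authorized. The Python below is an added illustration written for this post, not code from the original; the applications, owners, addresses, listening ports and findings are all constructed sample data, and the weighting used in `risk_score` is one reasonable choice among many.

```python
"""Lifecycle helpers for the guideline stages: baseline inventory, risk
ranking of findings, and drift detection between scheduled assessments.
Every host, address, owner and finding below is constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Application:
    name: str
    ip: str                  # technical information from the inventory
    dns: str
    os: str
    owner: str               # who authorized the deployment
    notify: str              # who is notified if the application fails
    internet_facing: bool    # exposure, used to weight risk
    data_sensitivity: int    # 1 (public) .. 3 (regulated/personal data)
    # Baseline of listeners that are expected on the host, as "proto/port".
    allowed_services: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Finding:
    app: str
    title: str
    severity: int            # 1 (low) .. 4 (critical), as reported by the scanner


# Constructed baseline inventory for two sample applications.
INVENTORY = [
    Application("intranet-wiki", "10.0.0.12", "wiki.corp.example", "Linux",
                owner="J. Doe", notify="it-ops@example",
                internet_facing=False, data_sensitivity=1,
                allowed_services=frozenset({"tcp/22", "tcp/443"})),
    Application("customer-portal", "203.0.113.5", "portal.example", "Linux",
                owner="A. Smith", notify="webteam@example",
                internet_facing=True, data_sensitivity=3,
                allowed_services=frozenset({"tcp/443"})),
]

# Constructed scanner output from a later assessment.
FINDINGS = [
    Finding("customer-portal", "Unauthenticated admin page", severity=4),
    Finding("intranet-wiki", "Outdated web server version", severity=3),
    Finding("customer-portal", "Verbose error pages", severity=1),
]


def risk_score(app, finding):
    """Severity weighted by exposure and by the sensitivity of the data
    the application handles; higher means fix sooner."""
    exposure = 2 if app.internet_facing else 1
    return finding.severity * exposure * app.data_sensitivity


def prioritize(inventory, findings):
    """Return (score, app, title) tuples, highest risk first."""
    by_name = {a.name: a for a in inventory}
    scored = [(risk_score(by_name[f.app], f), f.app, f.title) for f in findings]
    scored.sort(key=lambda s: (-s[0], s[1], s[2]))
    return scored


def unknown_services(inventory, observed):
    """Compare listeners seen in a fresh scan with the baseline.
    observed maps application name -> set of "proto/port".
    Returns {app: sorted list of listeners that are not in the baseline};
    an application missing from the inventory is reported with all of
    its listeners, since nothing about it was ever authorized."""
    by_name = {a.name: a for a in inventory}
    drift = {}
    for name, seen in observed.items():
        baseline = by_name[name].allowed_services if name in by_name else frozenset()
        extra = sorted(set(seen) - baseline)
        if extra:
            drift[name] = extra
    return drift


if __name__ == "__main__":
    # Constructed result of re-scanning the hosts at the next review.
    observed = {
        "intranet-wiki": {"tcp/22", "tcp/443", "tcp/8080"},
        "customer-portal": {"tcp/443"},
        "legacy-ftp": {"tcp/21"},          # not in the inventory at all
    }
    for score, app, title in prioritize(INVENTORY, FINDINGS):
        print(f"{score:3d}  {app:16s} {title}")
    for app, extra in unknown_services(INVENTORY, observed).items():
        print(f"drift: {app} is listening on {', '.join(extra)} (not in baseline)")
```

Running the module ranks the unauthenticated admin page on the Internet-facing, sensitive-data portal far above the outdated wiki server, and the drift report flags both the new port on the wiki host and a host that was never inventoried, which are the two things the "terminate unknown services" and "immediately initiate a new discovery stage" steps are meant to catch.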
