Thursday, March 6, 2008

Web Applications Security

What makes Web applications vulnerable?

In the Open Systems Interconnection (OSI) reference model, every message travels through seven network protocol layers. The application layer at the top includes HTTP and other protocols that transport messages with content, including HTML, XML, Simple Object Access Protocol (SOAP) and Web services.

Today, I will focus on application attacks carried over HTTP, an approach that traditional firewalls do not effectively combat. Many hackers know how to craft HTTP requests that look benign at the network level while the data they carry is harmful. HTTP-carried attacks can grant unrestricted access to databases, execute arbitrary system commands and even alter Web site content.

Without governance measures to manage security testing throughout the application delivery lifecycle, software teams can expose applications to HTTP-carried attacks as a result of:

  • Analysts and architects viewing security as a network or IT issue, so that only a few of the organization's security experts are aware of application-level threats.

  • Teams expressing application security requirements as vague expectations or negative statements (e.g. "You will not allow unprotected entry points") that make test construction difficult.

  • Testing application security late in the lifecycle, and only for hacking attempts.
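To make two of the points above concrete (a request can be perfectly well-formed HTTP at the network level while its parameters break the application's rules, and a security requirement only becomes testable once it is stated positively rather than as "you will not allow ..."), here is an added Python example that is not part of the original post. The entry-point table, the parameter patterns, the helper names and the sample requests are all constructed for illustration; the checks use only the standard library.

```python
"""Application-layer request checks written as positive, testable requirements.

Added example (not from the original post). Instead of the negative statement
"you will not allow unprotected entry points", the requirement is expressed as an
explicit allowlist: every entry point is named, says whether it needs
authentication, and constrains each parameter it accepts. Anything outside that
table is a violation, so the rule can be tested directly.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical requirement table for a sample application (constructed).
ENTRY_POINTS = {
    ("GET", "/account"): {"auth": True, "params": {"id": r"[0-9]{1,10}"}},
    ("GET", "/search"): {"auth": False, "params": {"q": r"[A-Za-z0-9 ]{1,64}"}},
}


def parse_request(raw: bytes):
    """Parse a raw HTTP/1.x request head.

    Returns (method, path, query_params, headers), or None if the request is
    not even syntactically valid HTTP. A network-level filter sees little more
    than this syntax; the application-level rules below see the content.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return method, url.path, parse_qs(url.query, keep_blank_values=True), headers


def check_request(raw: bytes):
    """Return the list of requirement violations; an empty list means accepted."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed HTTP request"]
    method, path, query, headers = parsed
    spec = ENTRY_POINTS.get((method, path))
    if spec is None:
        # Positive form of "no unprotected entry points": unlisted means rejected.
        return [f"unlisted entry point {method} {path}"]
    violations = []
    if spec["auth"] and "authorization" not in headers:
        violations.append("missing Authorization header")
    for name, values in query.items():
        pattern = spec["params"].get(name)
        if pattern is None:
            violations.append(f"unexpected parameter {name}")
            continue
        for value in values:
            if not re.fullmatch(pattern, value):
                violations.append(f"parameter {name} fails allowlist")
    for name in spec["params"]:
        if name not in query:
            violations.append(f"missing parameter {name}")
    return violations


# Constructed sample traffic. Both requests are valid HTTP/1.1 and look alike
# to a network-level filter; only the application-layer rules separate them.
GOOD = (b"GET /account?id=1042 HTTP/1.1\r\n"
        b"Host: shop.example\r\n"
        b"Authorization: Bearer constructed-token\r\n\r\n")
BAD = (b"GET /account?id=1042%27 HTTP/1.1\r\n"   # id carries a stray quote, no auth
       b"Host: shop.example\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, parse_request(raw) is not None, check_request(raw))
```

Each entry in ENTRY_POINTS is a requirement a tester can exercise one by one: send a request to an unlisted path, omit the Authorization header, send an id that is not a short digit string, and assert on the violation list. That is the difference between a negative statement and a requirement that yields test cases.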
