SANS 20 Critical IT Controls #7: Application Software Security

While strengthening your network and perimeter security does keep potential attackers away, you still want people to access your web sites and web applications, of course. Unfortunately, while most users access your applications and web sites for legitimate purposes, you cannot control what they submit as input. By manipulating the input they send to your web sites and web applications, attackers can exploit vulnerabilities in those sites and infect the browsers of other visitors. Well-known attack patterns such as buffer overflows and SQL injection belong to this category of web application attacks.

To protect your company against these types of attacks, you must thoroughly test all in-house applications that you host on the internet. A good strategy is to deploy a web application firewall that checks all incoming web traffic for well-known web application attack patterns. Thoroughly check all web applications with automated web application scanners before you make them available to users on the internet.

Often, development teams focus on the functionality of applications, with the security of the application itself relegated to an afterthought. You must build security into your applications by imposing secure coding practices from the design stage onward. Since the database can be reached through the web applications, you must also review the configuration and security settings of the database and of the operating system it runs on.

You can use source code testing tools along with automated application scanning tools to test the security of your web applications. You may also hire third-party penetration testers with experience in programming and application penetration testing. It is good practice to scan all internet-accessible web applications on a weekly or even a daily basis. For starters, you can scan for the OWASP Top Ten web application vulnerabilities such as cross-site scripting and SQL injection.
