Web Application Security and Scanning

Hardening web applications against attackers

At a Glance:

Scanning your web applications for vulnerabilities is a security measure that is not optional in today’s threat landscape. But before you can effectively scan web applications, it’s essential to understand what a web application is and why it’s so important to have a web application security program at your organization.

You can think of web applications as open doors to your home or business. They include any software application where the user interface or activity takes place online: email, a retail site, or an entertainment streaming service, among countless others. To serve the content a user wants, a web application must let that user interact with the host's network. If the application is not hardened, it can be manipulated into reaching back into the database it sits on and returning whatever data the requester asks for, including sensitive information, whether the requester is a legitimate user or an attacker.

Why Security Is Critical

Web applications must accept traffic on a variety of ports and usually require authentication, so testing them properly calls for a purpose-built web application vulnerability scanner. Since websites must allow traffic in and out of the network, attackers frequently target the most commonly used ports. These include:

  • Port 80 (HTTP): Unencrypted website traffic
  • Port 443 (HTTPS): Encrypted website traffic
  • Port 21 (FTP): The File Transfer Protocol, used to move files to and from your servers
  • Port 25 (SMTP) and port 110 (POP3): The Simple Mail Transfer Protocol and the default unencrypted Post Office Protocol port, email protocols that organizations commonly use to send and receive mail

Given the breadth of ports available, it’s no wonder that hackers have abundant opportunities to break into networks by exploiting the openness that websites must have in order to interact with their users.

This is borne out by the Verizon Data Breach Investigations Report, which has repeatedly shown that web application attacks remain the most common breach pattern and a preferred vector for malicious actors. By continuously monitoring and scanning your web applications, you can proactively identify vulnerabilities and remediate them before a breach occurs, staying one step ahead of attackers. Here are some of the most important things to keep in mind when evaluating application scanners for your organization.

Free Scanning Is False

Free web application vulnerability scanners abound, and although free sounds good to just about everyone, keep in mind that free scanners are likely to produce a high rate of both false positive and false negative alerts, a frustrating burden for an IT team that is already strapped for time and energy. The old adage applies here: you get what you pay for.

Having said that, many fully functional commercial scanners offer a free trial that you can evaluate before you buy. This is a big advantage when purchasing such critical security tooling for your organization: you can test the scanner against your own applications to confirm it will accomplish what you need it to.

The OWASP Top 10

You want your web scanner to accurately discover vulnerabilities, not just churn out information that is labor intensive for your IT team to wade through. How can you tell whether a web application scanner is accurate? Make sure it can detect the Open Web Application Security Project (OWASP) Top 10 vulnerabilities:

  1. Injection: Attackers send untrusted data to a SQL, OS, or LDAP interpreter as part of a command or query, "tricking" the interpreter into executing unintended commands or accessing data without authorization.
  2. Broken Authentication and Session Management: Attackers abuse flaws in authentication and session management to steal passwords, tokens, or keys, allowing them to assume the compromised user's identity and gain access to your network.
  3. Cross-Site Scripting (XSS): An application takes untrusted data and sends it to a web browser without proper validation or output encoding, enabling the attacker to run unwanted scripts in the victim's browser. Attackers use XSS flaws to hijack user sessions, redirect users to malicious sites, or deface websites.
  4. Insecure Direct Object References: A developer exposes a reference to an internal object (e.g. a file, database key, or directory) in the application. If the code does not enforce an access control check on that reference, attackers can manipulate it to reach data they are not authorized to see.
  5. Security Misconfiguration: Best practice requires a secure configuration for the application and for every layer it depends on, including frameworks, the application server, the web server, and the platform. A misconfiguration at any of these layers is easy to exploit and can give an attacker access to your network and critical data.
  6. Sensitive Data Exposure: It's hard to believe, but many web applications still don't properly protect sensitive data such as credit card numbers, authentication credentials, or tax IDs. Attackers take advantage of these weaknesses to commit identity theft, credit card fraud, and other attacks.
  7. Missing Function Level Access Control: Best practice requires the web application and its server to verify function-level access rights before making that functionality available to the user. If such checks are missing, attackers can forge a request to reach the functionality without being properly authorized.
  8. Cross Site Request Forgery (CSRF): Attackers use a CSRF attack to force a victim's browser to send a forged HTTP request, carrying the victim's session cookie and other authentication information, to a vulnerable web application.
  9. Using Components with Known Vulnerabilities: Software components usually run with the full privileges of the application, so if a vulnerable component (such as a library, framework, or other software module) is exploited, the consequences can be severe, with attackers gaining access to the entire system.
  10. Unvalidated Redirects and Forwards: Web applications frequently forward or redirect users to other pages and websites. If the destination is not validated, attackers can use forwards to reach unauthorized pages or redirect their victims to malicious sites.

Reporting

You want to make sure your web application vulnerability scanner provides easy-to-read reports that present its findings in a digestible way. Reports allow your IT team to quickly identify weaknesses in your web applications that would be prime targets for attackers. Reports also let you spot security issues as they are found, so you can resolve application vulnerabilities promptly rather than after the fact.

Remediation Plans

While having detailed reports is crucial to making use of the data that your scanner finds, it is not enough. Your scanner should also have the ability to convert vulnerability data into a specific, detailed remediation plan. A remediation plan can provide you with prioritized tasks and context, including what needs to be fixed, why, and by when. The best vulnerability scanners allow you to track and measure the data within the scanner software itself, or integrate the data within your IT ticketing solution.

Today’s threat landscape is constantly evolving. Given the number of web applications that people interact with daily, whether for business or personal use, it’s critical that these apps are protected. By scanning your applications regularly, you can identify and remediate vulnerabilities before a breach occurs to stay one step ahead of attackers.