Improving Web Application Security: Threats and - CGISecurity

lImproving Web Application Security: Threats and CountermeasuresThe problem with the firewall, or fortress model, is that attacks can pass throughnetwork defenses directly to the application. A typical firewall helps to restrict trafficto HTTP, but the HTTP traffic can contain commands that exploit applicationvulnerabilities. Relying entirely on locking down your hosts is another unsuccessfulapproach. While several threats can be effectively countered at the host level,application attacks represent a serious and increasing security issue.Another area where security problems occur is deployment. A familiar scenariois when an application fails when it is deployed in a locked-down productionenvironment, which forces the administrator to loosen security settings. This oftenleads to new security vulnerabilities. In addition, a lack of security policy orapplication requirements that are inconsistent with policy can compromise security.One of the goals of this guide is to help bridge this gap between development andoperations.Random security is not enough. To make your application hack-resilient, you needa holistic and systematic approach to securing your network, host, and application.The responsibility spans phases and roles across the product life cycle. Security is nota destination; it is a journey. This guide will help you on your way.What Is a Hack-Resilient Application?This guide helps you build hack-resilient applications. A hack-resilient application isone that reduces the likelihood of a successful attack and mitigates the extent ofdamage if an attack occurs. A hack-resilient application resides on a secure host(server) in a secure network and is developed using secure design and developmentguidelines.In 2002, eWeek sponsored its fourth Open Hack challenge, which proved thathack-resilient applications can be built using .NET technologies on servers runningthe Microsoft ® Windows ® 2000 operating system. The Open Hack team built anASP.NET Web application using Microsoft Windows 2000 Advanced Server,Internet Information Services (IIS) 5.0, Microsoft SQL Server 2000, and the.NET Framework. It successfully withstood more than 82,500 attempted attacksand emerged from the competition unscathed.This guide shares the methodology and experience used to secure Web applicationsincluding the Open Hack application. In addition, the guide includes provenpractices that are used to secure networks and Web servers around the world.These methodologies and best practices are condensed and offered here as practicalguidance.