I have been doing a lot of research and reading lately about web application security. There are several great resources, products, and services out there that will enable you as a developer to be aware of the common attacks, along with best practices to defend yourself from SQL, SSI, XPath, and LDAP injection, XSS (cross-site scripting) attacks, overflows and format string vulnerabilities, session and cookie hijacking, carriage return line feed (CRLF) attacks, HTTP Response Splitting attacks, command execution, content spoofing, denial of service, and many more.
According to Jeremiah Grossman, WhiteHat security founder and CTO, somewhere between 70% and 90% of web applications have serious vulnerabilities.
So what can you do as a web developer about all these vulnerabilities?
First, learn and understand the common threats and how they can be avoided.
Second, ensure that you apply any patches and fixes for any software that you run on your web site, especially open-source software. All too often sites are hacked and defaced simply because the patches and fixes that defend against these attacks and vulnerabilities were never applied. Here are some great resources that will help you learn more about the various web application vulnerabilities and common attack methods:
- Pete Freitag’s CF security presentation from CFUnited ’07
- Robert “RSnake” Hansen - ha.ckers.org
- Planet Web Security - planet-websecurity.org
- Jeremiah Grossman’s blog - jeremiahgrossman.blogspot.com
- Matasano - www.matasano.com/log
- Web Application Security Consortium - www.webappsec.org
- Open Web Application Security Project - www.owasp.org
- Web Security Mailing List - www.webappsec.org/lists
- Robert Auger’s article entitled "A business case for security frameworks"
- WASC’s threat classification document - http://www.webappsec.org/projects/threat/
- O’Reilly’s Apache Security book by Ivan Ristic
Ivan has a number of presentations from talks he has given that you can download, and they contain a lot of useful information:
- Web Application Firewalls: When are they useful?
- Web Intrusion Detection with ModSecurity.pdf
- Apache Security Training.pdf
- Apache Web Platform Security.pdf
- Challenges of Web Intrusion Detection.pdf
- ModSecurity Elevator Pitch.pdf
- Threat Modelling.pdf
Third, look into investing in a product or service that will help you to discover potential vulnerabilities in your web site and web applications along with tools to detect and prevent attacks. Here are a couple of services and tools you might want to consider:
- WhiteHat’s Sentinel service
- Breach’s WebDefend web application firewall (hardware)
- Java Validation Library (JValid)
- ModSecurity for the Apache web server
- Pete Freitag’s soon-to-be-released (we hope =) Web Application Firewall for ColdFusion
There is definitely a lot of great information and many resources available to developers, and it is the responsibility of a web developer to at least understand the basics behind these security vulnerabilities so we can do our best to prevent successful attacks against our code.
Have a great resource or product that your company or organization uses? If so, please share! Anyone had success implementing an existing security framework using ColdFusion?