A rapidly changing face of internet threat landscape has posed remarkable challenges for security professionals to thwart their IT infrastructure by applying advanced defensive techniques, policies, and procedures. Today, nearly 80% of total applications are web-based and externally accessible depending on the organization policies. In many cases, number of security issues discovered not only depends on the system configuration but also the application space. Rationalizing security functions into the application is a common practice but assessing their level of resiliency requires structured and systematic approach to test the application against all possible threats before and after deployment. The application security assessment process and tools presented here are mainly focused and mapped with industry standards and compliance including PCI-DSS, ISO27001, GLBA, FISMA, SOX, and HIPAA, in order to assist the regulatory requirements. Additionally, to retain a defensive architecture, web application firewalls have been discussed and a map between well-established application security standards (WASC, SANS, OWASP) is prepared to represent a broad view of threat classification.
TopIntroduction
For the past two decades web technology has dramatically changed the way user interact and transact the information over the internet. From a simple corporate web site to the complex applications with rich functionality have been making their way to the internet for wider communication. Each application has been developed differently to perform certain tasks with different stacks of technology (Andreu, 2006). This exposes the applications and their deployment architectures radically in different ways. In the business world, vulnerabilities to web applications originate from multiple sources, for instance, the pressure on developers to reach the applicable deadlines, limited knowledge of security, no detailed security specification, inherited vulnerabilities of insecure components, and the unsuitability with underlying operating system or network. This logical security convergence between application server technologies has laid the foundation of critical threats and vulnerabilities. Generally, web applications may contain several components such as, login, session tracking, user permissions enforcement, role distribution, data access, application logic and logout function (Cross et al., 2007). In turn it divides the web application architecture into three basic tiers, namely, web server, application layer and data storage. Each tier’s input or output represents its analytical processing structure and the possible dimension to various attacks. These attacks include, but are not limited to, SQL injection, cross-site scripting, buffer overflow, session hijacking, insufficient access control, path traversal, misconfiguration, information leakage and denial of service. In order to prevent such attacks and weaknesses surrounding the application, a customized testing process has been proposed in this chapter to discover, assess and verify the known vulnerabilities using free and open source tools. The process is typically driven by mixed knowledge of two open methodologies, OSSTMM and ISSAF. Furthermore, the selected tools will also satisfy the specific level of industry standards and compliance. This will not only ensure to meet the necessary compliance mandates at each stage of testing but also provide a legal view to the technical objectives. The concept of web application firewall (WAF) technology using two well-know tools, Modsecurity and WebKnight, has also been addressed to provide an adequate protection for web application infrastructure in the enterprise environment. Moreover, to visualize the number of application threats cloak around web architecture, three core application security standards have been mapped together to depict a generic view for better understanding and evaluation.