WEB and application security
Protection of web applications
The protection of web applications is a continuous process that involves people and practice; it is a path, not a destination. Just as applications and the infrastructure they run on are analyzed, possible threats must be identified, analyzed and classified by level of risk. Protection therefore means controlling risk and applying countermeasures.
Vulnerability of web applications
Companies generally apply basic solutions for the protection of all services, namely firewalls and IPS. With only these basic security solutions, a company's web application is not fully protected from attacks from the Internet, because firewalls and IPS do not inspect requests at the application level; they only check whether the HTTP traffic conforms to the RFC standards and apply generic protection policies.
Firewall and IPS are not enough
A firewall and IPS are not enough if there is no mechanism to verify user input. For example, for a login form there must be a check that the user has entered a series of letters in the provided fields and not special characters that could be interpreted as commands, which a malicious user might use to, for example, communicate with the database.
User data entry
In web applications there is almost always a login option so that the user can register and be authorized to access certain content; the application must then keep track of the user, and this is most often done with so-called “cookies”.
An insufficiently good solution for managing cookies, in terms of their storage, encryption and lifetime checking, combined with the possibility of using special tools to guess a simple combination of login credentials after a large number of attempts, is a prerequisite for the success of attacks that gain privileged access to the application.
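As an added illustration of the input check on login fields described above and of limiting repeated credential guesses, the following is example code written for this page, not code from the original text; the in-memory user table, the allowlist pattern and the limit of 5 failures per 300 seconds are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3
import time

# Constructed in-memory user table for the example (hypothetical schema).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash so that a stolen table does not yield passwords cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def add_user(name: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    _db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _hash(password, salt)))


# Allowlist for the login name: letters and digits only, bounded length.
# Anything containing quotes, semicolons or other special characters is rejected
# before it ever reaches the database.
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")

_failed: dict = {}  # name -> timestamps of recent failed attempts (assumed limit)
MAX_FAILURES, WINDOW = 5, 300.0


def login(name: str, password: str, now=None) -> str:
    """Return 'ok', 'bad_input', 'locked' or 'denied'."""
    now = time.time() if now is None else now
    if not USERNAME_RE.fullmatch(name) or not (1 <= len(password) <= 128):
        return "bad_input"
    recent = [t for t in _failed.get(name, []) if now - t < WINDOW]
    if len(recent) >= MAX_FAILURES:
        return "locked"  # too many guesses in the window; do not even check
    # Parameterized query: the name is passed as data, never spliced into SQL.
    row = _db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is not None and hmac.compare_digest(_hash(password, row[0]), row[1]):
        _failed.pop(name, None)
        return "ok"
    _failed[name] = recent + [now]
    return "denied"
```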
The examples of attacks just described lead to the conclusion that companies should adopt appropriate solutions for protecting their applications, because their reputation will depend, among other things, on whether users can trust them.