7/29/2019 Strategies for Improving Web Application Security
Report ID: S6950513
Strategies for Improving Web Application Security

Web applications are fraught with risk, but for most companies, not having them is not an option. They're just too important to customers and to the business. In this Dark Reading report, we recommend some best practices for balancing the needs of the business with security requirements. It doesn't take special certification or a million dollars, but it does take planning, time, and a smart combination of tools and best practices.

By Randy George
Presented in conjunction with
TABLE OF CONTENTS
3 Author's Bio
4 Executive Summary
5 Strategies for Improving Web Application Security
5 Security Strategies
5 Figure 1: Biggest IT Security Challenges
6 Figure 2: Security Breaches Over Past Year
7 Network: Stash Servers in DMZ
7 Network: Double-Check Firewall Rules
7 Tools: Protection Out Front
8 Applications: Harden Your Web Servers
8 Figure 3: Effectiveness of Security Practices
9 Tools: Make Frequent Use of Vulnerability Scanners
9 Applications: Beware of Application Defaults and Security Context
10 Process: Get Involved With Design Meetings
11 Process: The Security Team and the QA Team Should Be a Close-Knit Group
13 Related Reports
2013 InformationWeek, Reproduction Prohibited
Author's Bio

Randy George, InformationWeek Reports

Randy George has covered a wide range of network infrastructure and information security topics in his four years as a regular InformationWeek and Network Computing contributor. He has 13 years of experience in enterprise IT and has spent the last eight years working as a senior-level systems analyst and network engineer in the professional sports industry. Randy holds various professional certifications from Microsoft, Cisco and Check Point; a BS in computer engineering from Wentworth Institute of Technology; and an MBA from the University of Massachusetts Isenberg School of Management.
Executive Summary

Web applications are the most frequent targets for online hackers, partly because they are your enterprise's most visible points of entry and partly because they are notoriously fraught with vulnerabilities. At the same time, most enterprises must maintain a Web presence in order to do business, so there's little choice about facing the risk. With that in mind, we recommend best practices to focus on as your Web applications move from development to production.
Strategies for Improving Web Application Security

Because Web apps are so crucial to both the internal and external operations of many businesses today, their availability and security are not only expected by customers but demanded. To that end, it's not uncommon for an organization to spare no expense when it comes to Web applications. The importance of Web applications to a business also puts tremendous pressure on security pros, because there's nothing more embarrassing than having a critical website or Web application defaced, hacked or otherwise compromised. Unfortunately, in the race to build applications that are fast and that work, many businesses pressure developers to put those concerns over the application's security.

In this Dark Reading report, we make recommendations for striking a balance among performance, availability and security.
Security Strategies
Being proactive about Web application security should be a top IT priority: When a Web application is taken out, money is lost. And for big-name businesses at least, it's not the financial loss that hurts the most; it's the loss to reputation. Protra
important Web application
customers and the CEO al
Figure 1: Biggest IT Security Challenges
Question: Which of the following are the biggest information or network security challenges facing your c
Categories (2013 vs. 2012): enforcing security policies; managing the complexity of security; controlling user access to systems and data; assessing risk; getting management buy-in/adequate funding; meeting regulatory and industry compliance requirements; spreading user awareness; preventing data breaches from outside attackers; preventing data theft by employees or other insiders.
Note: Three responses allowed
Base: 1,029 respondents in March 2013 and 946 in March 2012
Data: InformationWeek Strategic Security Survey of business technology and security professionals at organizations
fair, it doesn't matter whether an attack was preventable; IT will get the blame.

When CIOs and CFOs hear the word security, they generally prepare themselves for sticker shock. However, you don't need to spend a ton of money to harden your Web applications. Winning the battle requires a combination of security-related best practices and tools.

You don't need a CISSP to make your Web applications a more difficult target, and you don't need to spend a million dollars either. But doing a good job at hardening your Web apps does take time, effort and some diplomacy: your concerns about security may not be a priority in the eyes of a project manager who needs to get a product out the door now. When it comes to making your Web apps a difficult target, you need to employ a combination of process, tools, optimizations and best practices. Generally speaking, these strategies are network-, application- or process-related in nature.

Starting at the network layer, here's a short list of best practices to ke
your Web applications m
ment, through quality a
production.
Figure 2: Security Breaches Over Past Year
Question: Which types of security breaches or espionage have occurred in your organization in the past year?
Categories (2013 vs. 2012): malware (i.e., viruses, worms, botnets); phishing; Web/software applications exploited; theft of computers or storage devices; operating system vulnerabilities attacked; denial of service; database/content/data management system compromise; website vandalized or site content manipulated; physical break-in; trafficking in illicit materials/illegal data; mobile applications intrusion.
Note: Multiple responses allowed
Base: 217 respondents in March 2013 and 183 in March 2012 experiencing a security breach within the past year
Data: InformationWeek Strategic Security Survey of business technology and security professionals at organizations with 100 or more e
Network: Stash Servers in DMZ

If you're a security pro, we apologize for stating the obvious with this best practice. However, not everyone is a security pro, and even the best security pros get lazy sometimes. Placing your Web servers in a DMZ won't technically make your Web applications or website more secure, but the practice will certainly help protect the rest of your infrastructure from attack if a Web server is successfully compromised.

If you host your own website or Web application, then your perimeter defenses are getting scanned all day long for vulnerabilities. You can't stop an attacker from probing your perimeter for open services, but you can certainly make it harder for an attacker to inflict further damage should he or she successfully compromise one of your Web servers. The whole point of placing externally facing Web servers in a DMZ is to box in an attacker and limit the damage that can be done should a server be compromised. For instance, if you NAT incoming connections directly to Web servers on your internal network, then a hacker who successfully exploits an unpatched vulnerability or uses SQL injection for privilege escalation will pretty much have unfettered access to your internal network.
Network: Double-Check Firewall Rules

One of the quickest and easiest ways to reduce the attack surface of your Web apps is to make sure you're dropping all nonessential ports inbound to your Web server farm. If you're exposing a Web application, there's no reason to allow RDP to your Web server; there's no reason for allowing ICMP. Exposing additional TCP/UDP services to a Web server may be required for testing or troubleshooting, but, beyond that, there's no reason to allow any incoming connection to your Web server other than TCP 80 and/or 443. As a best practice, inspect your firewall rule base periodically for irregularities, especially if you have several people managing your corporate firewalls.
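The two network checks above (inbound NAT must land in the DMZ, and nothing but TCP 80/443 may reach the Web farm) can be turned into a periodic rule-base review. The script below is an added example, not part of the report; it parses a constructed iptables-save style rule base, and the DMZ subnet 192.168.100.0/24 and all addresses in it are assumptions for the example.

```python
"""Audit an iptables-save style rule set for two checks drawn from the report:
(1) DNAT rules that hand inbound connections straight to hosts outside the DMZ,
(2) FORWARD/ACCEPT rules that let anything other than TCP 80/443 reach the Web farm.
The addressing and the rules below are constructed for this example."""
import ipaddress
import shlex

DMZ_NET = ipaddress.ip_network("192.168.100.0/24")   # assumed DMZ where the Web farm lives
WEB_PORTS = {"80", "443"}                             # the only inbound services the report allows

# Constructed sample rule base in iptables-save format.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.10:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.100.10:443
-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.10.5.20:8080
COMMIT
*filter
-A FORWARD -d 192.168.100.10/32 -p tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.100.10/32 -p tcp --dport 443 -j ACCEPT
-A FORWARD -d 192.168.100.10/32 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.168.100.0/24 -p icmp -j ACCEPT
-A FORWARD -d 192.168.100.10/32 -p udp --dport 161 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Reduce one '-A CHAIN ...' line to the options the audit needs."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "proto": "all", "dport": None, "dst": None,
            "target": None, "to": None}
    opts = {"-p": "proto", "--dport": "dport", "-d": "dst", "-j": "target",
            "--to-destination": "to"}
    i = 2
    while i < len(toks):
        key = opts.get(toks[i])
        if key and i + 1 < len(toks):
            val = toks[i + 1]
            # --to-destination may carry a port (host:port); only the host matters here
            rule[key] = val.split(":")[0] if key == "to" else val
            i += 2
        else:
            i += 1   # -i, -s, -m, --state and similar are not needed for these checks
    return rule


def audit(rules_text):
    """Return a list of (finding, rule_line) pairs; an empty list means the rule base passes."""
    findings = []
    table = None
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # '*nat' / '*filter' section header
            table = line[1:]
            continue
        if not line.startswith("-A"):
            continue
        r = parse_rule(line)
        if table == "nat" and r["target"] == "DNAT" and r["to"]:
            # DMZ check: inbound NAT must land on a DMZ host, never on the internal LAN.
            if ipaddress.ip_address(r["to"]) not in DMZ_NET:
                findings.append(("DNAT to non-DMZ host", line))
        elif table == "filter" and r["chain"] == "FORWARD" and r["target"] == "ACCEPT" and r["dst"]:
            dst = ipaddress.ip_network(r["dst"], strict=False)
            if not dst.subnet_of(DMZ_NET):
                continue                   # rule is not about the Web farm
            # Port check: only TCP 80/443 belongs inbound to a Web server; ICMP, UDP, RDP are flagged.
            if r["proto"] != "tcp" or r["dport"] not in WEB_PORTS:
                findings.append(("non-web service allowed to Web farm", line))
    return findings


if __name__ == "__main__":
    for what, rule in audit(SAMPLE_RULES):
        print(f"{what:40s} {rule}")
```

Running it against the sample reports four findings: the NAT to an internal host, and the RDP, ICMP and SNMP rules into the farm.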
Tools: Protection Out Front

Web application firewalls aren't typically necessary if you're trying to protect an internal Web application, but
tions that have externally
and a lot of money to lose
WAF is highly recommend
Sure, a properly and ca
app wouldn't likely require
tion. But we know that W
sometimes be their own
not validating user-sup
there's nothing Web deve
a coding perspective to p
cation from a sustained d
tack. Further, while its easers for lazy code that exp
injection, sysadmins can b
not properly hardening an
server. When it comes r
doesn't matter whether a
troduced as a result of
point is that a Web app
adept at protecting an a
manner of attacks and ex
end of the day, preventin
of vulnerability is what ma
izations will need to decid
of not having a WAF (bu
and maintenance issues)
reward (apps that won't b

Applications: Harden Your Web Servers

A Web app built on a
exposes your organizatio
risk. Despite conventiona
your Web server on Linux i
doesn't necessarily make
And lighting up an Apach
ning on some flavor of L
you inherently more securunning Internet Informatio
dows. A poorly configure
ment is every bit as vuln
configured IIS deploymen
applies to the underlying O
Indeed, if you only hard
itself, and not the underly
not addressing the full ra
ties that may be used to a
plication. As important
nonessential protocols a
every bit as important t
Figure 3: Effectiveness of Security Practices
Question: Please rate the effectiveness of each of these security technologies or practices in protecting your organization from internal or external security threats.
Scale: Not effective at all / Marginally effective / Somewhat effective / Very effective
Practices rated: firewalls; data encryption; VPN; gateway antivirus/anti-malware; endpoint protection (antivirus, anti-spyware); strong passwords; intrusion prevention/intrusion detection; vulnerability assessment/penetration testing; Web application firewalls; email security/spam filtering; identity management; wireless security; patch management; data loss prevention; NAC; secure development processes/source code auditing; log analysis/security event management/security information management; portable-device security; end user awareness programs.
Base: Respondents using each security technology or practice (varies)
Data: InformationWeek 2013 Strategic Security Survey of 1,029 business technology and security professionals at organizations with 100 or more employees, March 2013
services that are not essential to the operation of your Web application.

For example, an out-of-the-box deployment of Windows Server 2008 contains 50 running services, while an out-of-the-box deployment of Windows Server Core contains only 36 services. While IIS will add a handful of services to that list, by making just one small optimization in the method used to deploy your Web server, you are reducing the overall attack surface of your Web app significantly. The same optimizations can, of course, be made in the Linux world (with a little more effort) in terms of the number of running processes that can be disabled in an effort to harden the underlying OS that powers your Web apps. Taking just a little time to remove unneeded services from your server farm is one of the easiest and quickest steps you can take to improve your overall Web app security posture.
Tools: Make Frequent Use of Vulnerability Scanners

No matter how strict your change control procedures are, new vulnerabilities will come into existence during the natural course of business that are both in and out of your control. Those vulnerabilities may be the result of firewall changes, they may be the result of an update to the Web application or underlying OS, they may be the result of a newly discovered zero-day threat, or they may be the result of a misconfiguration by a sysadmin.

The cause of a newly discovered vulnerability is irrelevant because the most important thing is that the security issue is discovered and addressed. Unfortunately, you can't rely on a single security pro, or even a team of security pros, to discover every vulnerability that exists in your Web application environment. When a Web app is in production, the job of discovering new vulnerabilities is best left to automated tools that can proactively discover and alert on potential security problems as they occur.

There's no substitute for a good vulnerability scanner, and there's no excuse not to use it because such scanners are cheap and easy to deploy.
Applications: Beware of Application Defaults and Security Context

There are lots of things
network and OS perspecti
server at risk. But one of th
can do as a sysadmin is to
like IIS and simply leave it
is a monstrous task on its
need to be an IIS guru to m
plication a much more d
simply need to understand
cation server defaults co
risk, along with how to add
Hackers know IIS intima
that a default IIS site will
wwwroot (so don't put it th
plications run in applicat
used to isolate the apps
However, savvy hackers ha
default app pool runs u
Service account. The Netw
has more rights than you
application pool, so disabli
creating a new app pool se
count is another commo
best practice. Hackers also know that, by default, an app pool runs under the iUSR_HostName account. Hackers know that if they can discover the host name of your Web server, they can potentially lock out the iUser account and take down your Web server by sending bogus authentication requests. There are dozens if not hundreds of other things that administrators could and should do to effectively secure an IIS server (and Apache/Tomcat), but suffice to say that leaving certain Web server defaults in place is a major security problem that can be relatively easily avoided.
Process: Get Involved With Design Meetings

Technology can't solve every problem in the security world, so diplomacy is needed.

Some developers will freely admit that security isn't a top priority when building an application. That's not to say that developers don't care about security, but tight timelines and resources may prevent them from making security a focus. In other instances, a developer may lack the knowledge needed to code an application securely.

For example, security pros know that SQL injection is a risk when developers use dynamic queries in Web applications without scrubbing user-supplied input. By asking a few questions in a design meeting, you might discover that all of the developers in a room have a preference for using dynamic queries because of their speed of execution. But by using stored procedures or parameterized queries, developers can prevent an attacker from skewing the results of a query. If you're not in the room to make the suggestion, then you're in no position to influence critical design decisions that could make a tremendous impact on the security of the final product.
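To make the design-meeting argument concrete, here is the dynamic query beside its parameterized replacement, run against a constructed in-memory SQLite table. This is an added example, not code from the report; the table, names and the `compare` helper are assumptions for the demonstration.

```python
"""Dynamic (string-built) query vs. parameterized query on an in-memory SQLite
table, showing why the report recommends parameterized queries or stored procedures."""
import sqlite3


def make_db():
    """Constructed sample data: a tiny customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (last_name, email) VALUES (?, ?)",
        [("Garcia", "garcia@example.com"),
         ("Okafor", "okafor@example.com"),
         ("Lindqvist", "lindqvist@example.com")],
    )
    return conn


def lookup_dynamic(conn, last_name):
    """The pattern the report warns about: user input pasted into the SQL text,
    so whatever the user types becomes part of the query's logic."""
    sql = "SELECT email FROM customers WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, last_name):
    """The fix: the SQL text is fixed and the value travels separately as a bound
    parameter, so the input can only ever be compared as a string."""
    sql = "SELECT email FROM customers WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def compare(last_name):
    """Return (dynamic_result, parameterized_result) for one input on fresh data."""
    conn = make_db()
    return lookup_dynamic(conn, last_name), lookup_parameterized(conn, last_name)


if __name__ == "__main__":
    # A well-formed name behaves identically under both methods.
    print("normal input:", compare("Okafor"))
    # The textbook tautology a scanner or pen tester submits: under the dynamic
    # query it skews the result to every row; the parameterized query returns nothing.
    print("skewing input:", compare("x' OR '1'='1"))
```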
Another issue that security pros should address during the design phase is the method of data validation that will be added to the Web app. Failing to properly validate data opens up a Web app to SQL injection and cross-site scripting attacks that are completely preventable. The user of
not be allowed to enter the
script in a field that's de
someone's first name. Sim
not be allowed to input S
signed to capture a phone
Most developers know
when it comes to data va
trust user-supplied input.
isn't the only issue securit
during design meetings
should also be addresse
most instances, a user shouter data into a field that's e
HTML tag. In a Web form t
capture some basic cust
can you think of a good re
tags when writing the va
database?
You have to use judgmen
ing about a Web app like
some fields require the u
build a more stylish listing
process HTML in some in
business requirements. Bu
forces a security policy that prohibits potentially destructive HTML from being used. So a Web application like Craigslist is a perfect example of where a security pro, or a security-minded developer, can make a tremendous impact on the final product during the design phase. It's little security details like which HTML tags you'll parse or the way you'll perform data validation that can slip through the cracks when deadlines are tight.
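The design questions raised above (a first-name or phone field should never accept script, while a listing body may need a few HTML tags but not destructive ones) can be answered with per-field validators plus a tag allowlist. The code below is an added example, not from the report; the field patterns, the set of allowed tags and the sample inputs are assumptions chosen for the demonstration.

```python
"""Per-field input validation plus an HTML tag allowlist for the one field that
legitimately needs markup, following the data-validation discussion in the report."""
import re
from html import escape
from html.parser import HTMLParser

# Fields that must never contain markup: a strict pattern, reject on mismatch.
# The character sets are assumptions for this example; a real form would broaden
# the name pattern to Unicode letters.
FIELD_RULES = {
    "first_name": re.compile(r"[A-Za-z][A-Za-z' .-]{0,49}"),
    "phone": re.compile(r"\+?[0-9][0-9 .()-]{6,19}"),
}


def validate_field(name, value):
    """True only if the whole value matches the field's pattern (no partial matches)."""
    return FIELD_RULES[name].fullmatch(value) is not None


# For a listing body, allow a few formatting tags and drop everything else,
# attributes included, so no event handler or URL attribute survives.
ALLOWED_TAGS = {"b", "i", "p", "br", "ul", "li"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # >0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS and self.skip_depth == 0:
            self.out.append(f"<{tag}>")          # attributes are never copied
        elif tag in ("script", "style"):
            self.skip_depth += 1                 # drop the element and its text

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and self.skip_depth == 0 and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=True))   # text is always re-escaped


def sanitize_listing(html):
    """Return the listing with only allowlisted tags kept and all text escaped."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    print(validate_field("first_name", "Ana"))                          # True
    print(validate_field("first_name", "<script>alert(1)</script>"))    # False
    print(validate_field("phone", "555' OR 1=1"))                       # False
    print(sanitize_listing('<p onclick="x()">Nice <b>bike</b><script>alert(1)</script></p>'))
```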
Process: The Security Team and the QA Team Should Be a Close-Knit Group

In some instances, it may not be possible, practical or acceptable to have a security pro in the room during the development of a new Web application. But for well-managed development projects, you can be sure that a quality-assurance person is in the room.

In an ideal world, the security and QA teams should be tightly integrated when it comes to the testing of new Web applications making their way through the product development pipeline. The reason for this is simple: QA professionals usually have little or no background at all in application security concepts. So when combined with a dev team that's not coding using security-related best practices, the possible outcome could be an application that's significantly flawed and vulnerable to attack.

The best and only chance to change that outcome is to get the security team, or at least one security pro, in the room with the QA team as beta builds of a new Web app are released. If you work in a small to midsize business that's relatively flat from an IT perspective, it's possible that your staff developer is also your QA guy. Or perhaps the development of your app is being outsourced. Either way, the knowledge that a security pro can bring about how a particular SQL injection attack, XSS attack or LFI/RFI attack is done can add tremendous value to the development process.

At the end of the day, everyone's goal is to deploy a Web application that is stable and secure. So from a security perspective, it's important for security pros to begin thinking and acting like QA pros. This may mean volunteering your QA service
tion to the build release ca
existing product updates
ployed (because new ve
testing). While your presen
may sometimes be unwel
fully be thanked later for
more stable and secure We
in the process, if you can e
developers about how hac
Web applications, then y
helping to ensure that fut
security features that maka tougher target.
On the whole, Web app
all that difficult a goal to ac
like other security project
largely in the hands of the s
ing sound Web app securit
orative effort with multiple
Web app security is mu
cess-driven effort than it i
ven effort, and it always w
secure a Web app with a f
virus scanner and just w
piece of software that goes through the software development life cycle, the process of securing a Web app should be done in a predictable and structured way. The time and effort involved with securing a Web app may be onerous in some instances, but it pales in comparison to the cost of not doing it.
Previous Next
reports.informationweek.com
reports S t r a t e g i e s f o r I m p r o v i n g W e b A p p l iTable of Contents
http://reports.informationweek.com/indexhttp://reports.informationweek.com/indexhttp://reports.informationweek.com/indexhttp://reports.informationweek.com/indexhttp://www.darkingreading.com/http://reports.informationweek.com/indexhttp://reports.informationweek.com/index7/29/2019 Strategies for Improving Web Application Security
13/13
SubscribeSubscribe
Newsletter
Want to stay current on all newInformationWeek Reports?
Subscribe to our weekly
newsletter and never miss
a beat.
Previous
reports.informationweek.com
reports S t r a t e g i e s f o r I m p r o v i n g W e b A p p l i
More Like This

Want More Like This? InformationWeek creates more than 150 reports like this each year, and they're all free to registered
help you sort through vendor claims, justify IT projects and implement new systems by providing ana
advice from IT professionals. Right now on our site you'll find:

Insecurity With Java: In the wake of a zero-day vulnerability being exploited by multiple active attac
teams wait for Oracle to respond. Again. Here's how to keep your systems safe, but meanwhile, start c
Does Java's popularity as an attack vector vs. its diminishing functionality make permanently disablin
a smart idea?

How Attackers Choose Which Vulnerabilities to Exploit: In the increasingly complex world of infor
security, it's important for security professionals to be able to understand not only how their organiza
systems and data may be compromised but why. In this Dark Reading report we examine why certain
vulnerabilities are exploited, by whom and with what. We also provide recommendations for getting
of hackers by using some of the same tools and strategies they do.

Assessing Risk and Prioritizing Vulnerability Remediation: Vulnerability remediation is a never-en
process, but, even so, security pros can't plug every hole in every asset and application. The key is to d
which vulnerabilities are most likely to be exploited and the effects such exploits would have on the b
To do this, security pros must know the business and its technology usage and needs intimately, a pro
must involve stakeholders across the organization. In this report, we recommend the steps that shoul
to determine the risk of vulnerabilities and the lengths to which remediation can and should go.

PLUS: Find signature reports, such as the InformationWeek Salary Survey, InformationWeek 500 and the State of Security report; full issues; and much more.