impossible for ideas to compete in the marketplace if no forum for
Understanding Web Application Security Challenges.
As businesses grow increasingly dependent upon Web applications, these complex entities grow more difficult to secure. Most companies equip their Web sites with firewalls, Secure Sockets Layer (SSL), and network and host security, but the majority of attacks are on applications themselves - and these technologies cannot prevent them.
This paper explains what you can do to help protect your organization, and it discusses an approach for improving your organization's Web application security.
What makes Web applications vulnerable?
In the Open System Interconnection (OSI) reference model,1 every message travels through seven network protocol layers. The application layer at the top includes HTTP and other protocols that transport messages with content, including HTML, XML, Simple Object Access Protocol (SOAP) and Web services.
This paper focuses on application attacks carried by HTTP — an approach that traditional firewalls do not effectively combat. Many hackers know how to make HTTP requests look benign at the network level, but the data within them is potentially harmful. HTTP carried attacks can allow unrestricted access to databases, execute arbitrary system commands and even alter Web site content.
Without governance measures to manage security testing throughout the application delivery lifecycle, software teams can expose applications to HTTP-carried attacks as a result of:
Typical Web application attacks.
A Web application's specific vulnerabilities should dictate the technology you use to defend it. Figure 1 shows many points within a system that might require protection. Often, it is best to employ generic countermeasure concepts first to help ensure that you choose the technology best suited to your needs rather than one that claims to counter the latest hacking technique.
Enterprises can employ multiple preventive measures against Web application breaches caused by impersonation, tampering and repudiation. Table 1 shows common threats and preventive measures. However, specific threats to your application may be different.
Preventive measures can also be taken to ward off attacks that attempt to access sensitive information and overwhelm server resources.
By applying several basic practices, software development teams can help prevent common Web application security violations and reduce remediation costs.
Basic guidelines for providing security for Web applications
By using security-specific processes to create applications, software development teams can guard against security violations like those shown in table 1. Specifically, you can apply several basic guidelines to existing applications and new or reengineered applications throughout your process to help achieve greater security and lower remediation costs, such as:
The Rational Unified Process delivers a comprehensive, iterative framework for developing Web applications based on industry best practices.
Understanding the Web application lifecycle
Shown in figure 2, the IBM Rational® Unified Process®, or IBM RUP*, solution delivers a widely used iterative process framework for developing Web applications based on industry best practices. The core phases of the framework (which may require two or more iterations to complete) are:
Each of the four phases of the Rational Unified Process — inception, elaboration, construction and transition — spans multiple disciplines and may require multiple iterations.Fixing a design error after a Web application has been deployed costs approximately 30 times more than addressing it during design. To help prevent expensive fixes, enterprises can build application security testing approaches into their development and delivery process.
To help prevent expensive fixes, organizations need to build application security testing approaches, such as those shown in figure 3, into their development and process alongside other quality management measures.
Black-box and white-box testing approaches can leverage commercial tools, while gray-box testing calls for a uniquely defined application framework.
With help from a third-party consultant, enterprises can employ training, communication and monitoring activities to improve security awareness.
Four strategic best practices for protecting Web applications
To address security-related issues as they pertain to Web applications, organizations can employ four broad, strategic best practices.
1. Increase security awareness
This encompasses training, communication and monitoring activities, preferably in cooperation with a consultant.
2. Categorize application risk and liability
Every organization has limited resources and must manage priorities. To help set security priorities, you can:
To help govern development and delivery processes and to manage compliance, enterprises must establish a security program and set a zero-tolerance enforcement policy.
By integrating security testing throughout the software delivery lifecycle, enterprises can improve application design, development and testing.
3. Set a zero-tolerance enforcement policy
An essential part of governing the development and delivery process, a well-defined security policy can reduce your risk of deploying vulnerable or noncompliant applications. During inception, determine which tests the application must pass before deployment, and inform all team members. Formally review requirements and design specifications for security issues during inception and elaboration — before coding begins. Allow security exceptions only during design and only with appropriate executive-level approval.
4. Integrate security testing throughout the development and delivery process
By integrating security testing throughout the delivery lifecycle, you can have significant positive effects on the design, development and testing of applications. You should base functional requirements on security tests your application must pass, making sure that your test framework:
Uses automated tools and can run at any point during the development and delivery process.
During the inception phase, enterprises can structure requirements that address multiple application-level security concerns. Table 4 suggests ways to structure requirements that address a spectrum of application-level security concerns during the inception phase.
Coding and data validation measures can offer significant benefits during the elaboration and construction phases of the software development and delivery process.
Table 5 details activities during elaboration and construction that align with defined security requirements.
By improving authentication, authorization and configuration management practices, enterprises can address security issues during the elaboration and construction phases.
Session protection, exception management, and auditing and logging can also provide opportunities for improving the security of Web applications.
Through event-driven testing, enterprises can integrate security tests right into the application being developed.
In addition to making security an integral part of the application development and delivery process, you can integrate security tests right into the application you are building to conduct event-driven testing. In this case, where a user makes a request and the application responds, the test compares the response to an expected or previously stored response to determine whether the system is operating properly. For example, in figure 3, an application uses a database as its back-end component. The tester inserts a spy proxy and a verifier into the request flow, telling the verifier what a normal request should be so that the verifier can compare it with the spy proxy's actual request.
Any service, e-mail, XML or legacy service can serve as a back end. How you implement the code to review requests depends on the application architecture. For example, your spy component might be a mock data access object, a proxy or a class that inherits from the front-end service. You can also create code specifically for a test that you insert into the data stream to supply reporting data needed by the testing framework. Coordinating the testing objects gives you comprehensive, fine-grained control of a range of tests. You can perform these tests using either black-box or white-box testing, improving your chances of catching security problems early in the lifecycle — before they pose a serious business risk.
For more information
To learn more about the IBM Rational methodology and how you can create security-rich Web applications using IBM Rational automated lifecycle security took, please contact your IBM representative or visit:
© Copyright IBM Corporation 2008
IBM Corporation Software Group Route 100 Somers, NY 10589 U.S.A.
Produced in the United States of America
All Rights Reserved.
IBM, the IBM logo, Rational, Rational Unified
Process and RUP are registered trademarks of
International Business Machines Corporation in
the United States, other countries, or both.
The information contained in this documentation is
provided for informational purposes only. While efforts were made to
verify the completeness
accuracy of the information contained in this
documentation, it is provided "as is" without
warranty of any kind, express or implied. In addition, this
information is based on IBM's current product plans and strategy,
which are subject to change by IBM without notice. IBM shall not be
responsible for any damages arising out of the use of, or otherwise
related to, this documentation or any other documentation. Nothing
contained in this documentation
intended to, nor shall have the effect of, creating any warranties
or representations from IBM (or its
suppliers or licensors), or altering the terms and
conditions of the applicable license agreement governing the use of
customers are responsible for ensuring their own compliance with
legal requirements. It is the
customer's sole responsibility to obtain advice of
competent legal counsel as to the identification and interpretation
of any relevant laws and regulatory requirements that may affect
business and any actions the customer may need
to take to comply with such laws.
This publication contains other company Internet addresses. (IBM is not responsible for information found on these Web sites.)
1 International Organization for Standardization; http://www.iso.org
Search the ENTIRE Business
Forum site. Search includes the Business