The most common safety errors during application development
Knowledge 3 February 2017 Krzysztof Sadecki
Web applications can have countless vulnerabilities that could expose both the individual user as well as the entire organization to many risks. Cyber-criminals are well aware of these shortcomings and collect data on most of the pages available on the Internet. This trend is growing all the time. Attacks on websites are increasingly profiled, more sophisticated and more frequent.
Web application are usually critical elements of infrastructure of each company. Companies must rely on their web applications because they are used primarily to communicate with partners, shareholders and clients. Typically, web applications are the main place for storing corporate information, and are used to share links and to carry out a number of other activities. Most of these applications are really convenient, and their functionality is dependent on the functionality of a client’s web browser. However, web applications can have countless vulnerabilities that could expose both the individual user as well as the entire organization to many risks.
Cyber-criminals are well aware of these shortcomings and collect data on most of the pages available on the Internet. This trend is growing all the time. Attacks on websites are increasingly profiled, more sophisticated and more frequent.
According to Gartner Group research, 75 percent of cyberattacks and security breaches occur directly through web applications. Regardless of whether we develop applications in a company or at home, we must always reckon with the fact that hackers will test our applications in order to examine their infrastructure, architecture and identify potential vulnerabilities that can be exploited.
High-risk threats that could jeopardize internet applications
There are a number of very serious threats to each web application. Mainly entrepreneurs and entities processing personal data should be aware of the existence of so-called high-risk threats. Risks include many high-risk threats, most of which are intended to lead to a compromise of websites and organizations and humiliation in the eyes of customers. The following are the main threats.
Denial of Service (Dos)
DoS attacks on applications rely on flooding applications with huge amounts of requests which can slow down the website or fully suspend its functioning. Dispersed type attacks such as a denial of service attack (Distributed Denial of Service – DDoS) involve sending malicious traffic from a large number of servers. An attacker could also try to upload malicious files that can be downloaded by employees and processed in a corporate environment.
Cross-site scripting (XSS)
This is a common flaw which uses the weakness of web applications to directly attack users. The attack consists mainly of transmission of malicious data through the normal functionality of the web application. If the application does not exist, correct verification of data and a malicious code can be sent to a web browser. In many cases it is a properly written JavaScript code but attacks can also rely on sending HTML or Flash. Cross-site scripting could allow hackers to steal user credentials to hijack sessions and redirect users to malicious sites.
The template security policy
Design principles are essentially security strategy to protect web applications and the availability in each time period. These are generally the steps, which are aimed at ascertaining responsibility, the anticipated trends threats and determine methods of prevention and mitigation. It is necessary to define the methods and principles that will be used to ensure high application availability and minimizing weaknesses.
SQL Injection attacks
Basically, these are random attacks targeted at applications that result from poor protection of data stored in databases. The attacks rely heavily on injecting SQL code in order to gain control over the site, inject malware and distribute viruses. Normally, all of these scenarios are the result of poor manufacturing techniques of the software. Successful middle attacks are mostly attacks on the logic of the SQL query and can be used against a database. Most developers build dynamic database queries that allow intruders to work with data. The effects of this approach may include data corruption, compromising the accounts, and even complete takeover of the host.
Modification of parameters and data buffers
Most web applications use URL parameters to pass information between elements of the website. Hackers often use this process and rewrite all the parameters in their own way. They may also try to overwrite the data buffers. The most common victim of attack that overwrites the files buffers are cookies on websites, and an example of such an attack is one involving manipulation of HTTP headers. Intruders can thus replace users’ data with their own code.
Defining control mechanisms and access
This part is usually common to most web applications. It is to introduce sufficient control mechanisms of the authorization process for people trying to gain access to specific resources. In a secure environment, the authorization process should be based both on the user’s role and access control of the user to a particular resource. Organizations should ensure that users are in no way able to bypass the ACL, going directly to a file or page.
This can be done by designating default ACL and granting or denying access to specific users and roles. IT teams can therefore also use proven frameworks and libraries. Access and regulations of accesses should be stored separately, and in the case of issuing new permits, standardized procedures must be applied and custom actions should be avoided because then the authentication of individual channels may be really difficult.
Determining the scope of responsibilities
You can never assume that you will be able to predefine all obligations for access to files and data stored through Internet applications. Knowing one of the major costs of development and maintenance of web applications is to verify frameworks, encryption algorithms and libraries, but much less cost is devoted to the management of access control. So you have to be absolutely sure that you failed to clearly describe the responsibilities for each role and each user in every possible turn. For a different approach to the problem and granting default permission, you may find that it will be very dangerous for the integrity of the application. All roles and access control should be defined not only for developers, but for all the people that are involved in the use of Internet applications. We must therefore take the time to outline the roles of the different levels of access for each user. Note that any software to support applications may be different, but the policy application access can still be very effective.
Security measures and tools
A well-defined security policy template includes the use of an encryption algorithm for data exchanged with a web application. Users should help you determine the data that is so precious to encrypt and must actively participate in the process of identifying security vulnerabilities in order to identify threats. Some of the available resources must be protected much more strongly than others.
The implementation of mechanisms such as firewalls for web applications, helps to protect enterprise applications and websites from the majority of possible hazards, so you can avoid costly downtime and other security incidents. Companies may be advised to seek solutions with PCI-certificated WAF because it allows it to protect a particular web application against most possible attacks on the application. Some deals allow the use of custom security policies that enable enforcement of security policies and the ability to eliminate false alarms. Modern solutions also allow you to protect applications through the use of collective knowledge about existing threats. The information is aggregated using data analysis tools.
Disaster recovery and application-back mechanisms
In any organization they should be used for data recovery solutions and immediate response in high-risk situations. Selected strategies should be used to reduce the possibility of exposure to attack. Tools for disaster recovery should act as soon as possible to support proper risk assessment. On the other hand, all incidents should be evaluated in accordance with the real level of hazard including all infrastructure and all applications in a given environment.
Alerting mechanisms can obviously include activities such as moving an application to off-line environment or stopping data leakage in real time. This can happen automatically when the level exceeds the acceptable level threats. Emergencies should be immediately directed for amendment, unless there are other ways to reduce exposure data.
Other measures
Most web applications offer the resources and credentials that can store user data in the form of shortcuts and encrypted data. This is particularly necessary when dealing with the database or configuration files. It should also provide for such a possibility, when raw ACLs can be used to protect user credentials. Companies should also use white lists of data requests and black lists of commands should not be carried out in the system.
If the requests are used to construct SQL queries, avoid vulnerabilities that allow hackers to manipulate queries and their substitution. If possible, avoid using dynamic queries, arguments in quotation marks and special characters. In general, all entrances to the databases should be filtered and determined by very strict validation rules.
Compliance measures and business benefits When it comes to compliance, any breach of security policies should be subjected to examination and consequences should be drawn against the people who deliberately violated security policy. Each access to the web should be evaluated as a requirement of compiled security policy, unless they have been exempted from the security policy. All requests should be regularly updated to take account of the screening process. All web applications that do not have adequate security controls should not be found in the public network to the time when they are integrated with global security policy.
All of these actions that can be taken, will result in real business benefits that reveal the shortcomings of downtime while using the application. Companies that have truly secure applications may actually attract more customers. In addition, organizations that create security policy templates can now reap the benefits of technical advantages, such as the preservation of data integrity and security, low cost developments and high application availability. These factors may increase the company’s reputation in the industry and among customers. In the end, keeping a consistent security policy will help to bridge the gap between best practices and compliance mechanisms for security.
Przeczytaj ten artykuł w wersji polskiej: http://www.businessmantoday.org/najczesciej-pope…rzenia-aplikacji/