Web Application Security: Minimizing the Risk of Attacks

Tuesday, April 19, 2011

Sasha Nunke


Vulnerabilities in web applications are now the largest source of enterprise security attacks. Web application vulnerabilities accounted for over 55% of all vulnerabilities disclosed in 2010, according to an IBM X-Force study.

That may be the tip of the iceberg as the study includes only commercial web applications.1 Stories about compromised sensitive data frequently mention culprits such as “cross-site scripting,” “SQL injection,” and “buffer overflow.” Vulnerabilities like these often fall outside the traditional expertise of network security managers.

The relative obscurity of web application vulnerabilities thus makes them useful for attacks. As many organizations have discovered, these attacks will evade traditional enterprise network defenses unless you take new precautions.

To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security. The guide surveys typical web application vulnerabilities, compares options for detection, and introduces the QualysGuard Web Application Scanning solution – an on demand service from Qualys that automates detection of the most prevalent vulnerabilities in custom web applications.

Overview of Web Application Security

Attacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the mid-1990s. Attacks are usually based on fault injection, which exploits vulnerabilities in a web application’s syntax and semantics.

Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit by automatically varying a Uniform Resource Indicator (URI) link, which in turn could trigger an exploit such as SQL injection or cross-site scripting.

A significant number of attacks exploit vulnerabilities in syntax and semantics. You can discover many of these vulnerabilities with an automated scanning tool. Logical vulnerabilities are very difficult to test with a scanning tool; these require manual inspection of web application source code analysis and security testing.

Web application security vulnerabilities can stem from misconfigurations, bad architecture, or poor programming practices within commercial or custom application code.

Vulnerabilities may be in code libraries and design patterns of popular programming languages such as Java, .NET, PHP, Python, Perl, and Ruby. These vulnerabilities can be complex and may occur under many different circumstances.

Using a web application firewall might control effects of some exploits but will not resolve the underlying vulnerabilities.

Download this Free White Paper HERE

Other Complimentary White Papers Available from Qualys:

Strategies For The Efficient CISO

The Big Shift to Cloud-Based Security

Top 10 Reports for Managing Vulnerabilities

Managing Risk and Keeping Your Network Secure

Understanding and Selecting a Database Assessment Solution

Possibly Related Articles:
Vulnerabilities Web Application Security Attacks Guidelines Enterprise Qualys Risk
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.