How can you go about ensuring that your web application is truly secure? David Gitonga discusses potential web application entry points and how you can protect yourself against targeted attacks on existing vulnerabilities.
Secure Sockets Layer (SSL), now superseded by its successor Transport Layer Security (TLS), is probably the best known security measure. To be truly secure, however, current needs demand more than encryption of data in transit. SSL/TLS is limited in that it does not, by itself, make a website secure. It encrypts information sent to and from a website, protecting it from eavesdropping and tampering on the network, but it has no way of ensuring security at the server level: it cannot protect private data stored on the website, and it does nothing to stop an attacker who sends malicious requests over a perfectly valid encrypted connection.
In addition, relying on website vulnerability scanners alone to protect your website does not guarantee security. Signature-based scanners usually neglect the security of custom web applications that reside on the web server. A scanner is programmed to identify the flaws in its signature database, so a flaw in bespoke application code that matches no known signature will simply not be detected.
In order to be truly secure, a web application should be resistant to SQL injection, session hijacking, session tampering, cross-site scripting and brute-force attacks, among other vulnerabilities. How can you go about ensuring your web application is truly secure?
Application access security is implemented through roles and rights management. For example, a hospital management system should not give a receptionist access to a patient's laboratory tests, since their job is only to register patients and schedule appointments. Any menus, forms and screens related to the lab should therefore not be visible to them. Hiding the screens is not enough on its own, however: the server must also refuse a lab request that arrives from a user without the required role, otherwise anyone who knows or guesses the URL can bypass the menu. Thorough testing of all roles and rights is thus needed to ensure that every role can reach only its own screens, forms and modules, and that requests for anyone else's are rejected.
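As an added example (not code from the original article), the following Python shows the server-side check behind the hospital scenario above: each handler declares the permission it needs, a receptionist calling the lab endpoint directly is refused regardless of what the UI shows, and a matrix test exercises every role against every permission as the article recommends. The role names, permission names, sample users and lab data are assumptions for illustration.

```python
"""Server-side roles-and-rights enforcement for a hospital system.

Added example, not code from the original article. The role names,
permission names, sample users and lab data are assumed for illustration.
"""
from dataclasses import dataclass
from functools import wraps

# Which permissions each role holds. Names are assumptions for this example.
ROLE_PERMISSIONS = {
    "receptionist": {"patient:register", "appointment:schedule"},
    "lab_technician": {"lab:read", "lab:write"},
    "doctor": {"patient:read", "lab:read", "appointment:schedule"},
}


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset


def permissions_for(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def has_permission(user, permission):
    return permission in permissions_for(user)


def require(permission):
    """Decorator that enforces a permission on the server-side handler.

    Hiding the lab menu from receptionists is a usability measure only;
    this check is what stops a receptionist who calls the endpoint directly.
    """
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if not has_permission(user, permission):
                raise PermissionError(f"{user.username} lacks {permission}")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


# Constructed sample data standing in for the lab results table.
LAB_RESULTS = {"P-1001": "CBC: within normal range"}


@require("lab:read")
def get_lab_results(user, patient_id):
    return LAB_RESULTS[patient_id]


def role_matrix_mismatches(expected):
    """Test every role against every permission, as the article recommends.

    `expected` maps role -> set of permissions that role should have.
    Returns the (role, permission) pairs where enforcement disagrees with it.
    """
    all_perms = set().union(*ROLE_PERMISSIONS.values()) | set().union(*expected.values())
    mismatches = []
    for role, allowed in expected.items():
        probe = User("probe", frozenset({role}))
        for perm in sorted(all_perms):
            if has_permission(probe, perm) != (perm in allowed):
                mismatches.append((role, perm))
    return mismatches


if __name__ == "__main__":
    receptionist = User("rita", frozenset({"receptionist"}))
    technician = User("tom", frozenset({"lab_technician"}))
    print(get_lab_results(technician, "P-1001"))
    try:
        get_lab_results(receptionist, "P-1001")
    except PermissionError as exc:
        print("denied:", exc)
    print("matrix mismatches:", role_matrix_mismatches(ROLE_PERMISSIONS))
```

The point of `role_matrix_mismatches` is that the expected matrix is written down separately from the enforcement table, so a permission quietly added to the wrong role shows up as a mismatch rather than silently widening access.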
Data protection is a critical security test. Sensitive data stored in the database, such as credit card information, must be encrypted, and passwords must not be stored in any recoverable form at all: store a salted hash produced by a deliberately slow password-hashing function, so that a stolen copy of the database does not yield the passwords themselves. In addition, the flow of critical business information, even between components within the application, must be encrypted in transit. When testing for data security, a tester should query the database directly for business-critical and sensitive data to verify that none of it has been saved in plain text. Of equal importance are the different "submit" actions: check whether any sensitive information is sent in the URL and so displayed in the address bar of the web browser, where it also ends up in browser history and in proxy and server logs. Such data belongs in the body of a POST request, not in the query string.
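As an added example (not code from the original article), the following Python stores passwords as salted PBKDF2 hashes, verifies a login in constant time, and then runs the tester's check described above: it dumps the stored values and looks for known secrets, catching a row written by a legacy routine that stored the password itself. The table layout, sample users, iteration count and the "insecure" routine are assumptions for illustration; encrypting card data with a key kept outside the database is not shown here.

```python
"""Storing passwords as salted, slow hashes and auditing the database for plaintext.

Added example, not code from the original article. The table layout, the
sample users and the iteration count are assumptions for illustration.
"""
import hashlib
import hmac
import os
import sqlite3

# OWASP's 2023 guidance gives 600,000 as the PBKDF2-HMAC-SHA256 minimum; assumed here.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$iterations$salt$hash (salt and hash in hex)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # not in our format, e.g. a legacy plaintext value
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def make_user_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    return conn


def add_user(conn, username, password):
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, hash_password(password)))


def add_user_insecure(conn, username, password):
    """The anti-pattern (constructed for the audit below): the password itself lands in the table."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def check_login(conn, username, password):
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


def audit_plaintext(conn, known_secrets):
    """The tester's check from the article: dump stored values and look for known secrets."""
    leaked = []
    for username, stored in conn.execute("SELECT username, password FROM users"):
        if any(secret in stored for secret in known_secrets):
            leaked.append(username)
    return leaked


if __name__ == "__main__":
    conn = make_user_db()
    add_user(conn, "alice", "S3cret!Pass")
    add_user_insecure(conn, "legacy", "Winter2024!")
    print("alice login:", check_login(conn, "alice", "S3cret!Pass"))
    print("plaintext rows:", audit_plaintext(conn, ["S3cret!Pass", "Winter2024!"]))
```

Two details matter for a real deployment: the iteration count is stored alongside the hash so it can be raised later without invalidating existing rows, and the comparison uses `hmac.compare_digest` so a failed check takes the same time whether the first byte or the last byte differs.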
SQL injection remains among the most prevalent and dangerous attacks on the Internet today. It takes advantage of web applications that build queries by concatenating untrusted input into SQL text, letting an attacker change the meaning of the query and read, modify or take control of the database, which exposes confidential information. The primary defence belongs in the application itself: use parameterised queries (prepared statements) so that input is passed as data and never interpreted as SQL, and run the application's database account with the least privilege it needs. Auditing and remediation of exploitable software vulnerabilities should be an ongoing process to identify and close any back-end security holes. Oracle has also released the Oracle Database Firewall, which inspects the SQL sent to the database and helps protect against SQL exploits; it provides multiple layers of security, making it harder to penetrate protected databases, but it complements rather than replaces fixing the application.
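As an added example (not code from the original article), the following Python puts a string-built login query beside its parameterised replacement and runs two classic attack strings against both, using an in-memory SQLite table. The table, sample rows and attack strings are constructed for illustration.

```python
"""SQL injection: a concatenated query beside its parameterised replacement.

Added example, not code from the original article. The in-memory SQLite
table, the sample rows and the attack strings are constructed for illustration.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the statement by concatenation, so user input becomes part of the SQL."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver sends the values separately, never as SQL text."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    )
    return sorted(row[0] for row in rows)


# Constructed attack strings supplied in the username field.
COMMENT_OUT_PASSWORD = "alice' --"   # closes the literal, comments out the password check
DUMP_EVERYONE = "' OR 1=1 --"        # always-true condition: every row comes back


if __name__ == "__main__":
    conn = make_db()
    for payload in (COMMENT_OUT_PASSWORD, DUMP_EVERYONE):
        print(repr(payload))
        print("  vulnerable:", login_vulnerable(conn, payload, "not-the-hash"))
        print("  safe:      ", login_safe(conn, payload, "not-the-hash"))
```

With the parameterised version the same strings are simply compared, character for character, against the `username` column and match nothing; no escaping logic in the application is needed, which is why prepared statements are preferred over input sanitising.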
XSS (Cross Site Scripting)
Other ways to ensure web application security include brute-force attack prevention, by throttling or temporarily locking an account after repeated failed login attempts (a permanent suspension lets an attacker lock legitimate users out simply by failing logins in their name, so prefer time-limited lockouts combined with per-address throttling and monitoring), and the testing of service access points to ensure that data downloads and uploads have security restrictions in place, such as virus scanning, file size limits and a check that a file's content actually matches its declared type.
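As an added example (not code from the original article), the following Python implements both controls from the paragraph above: a login throttle that applies a time-limited lockout keyed on the account and on the source address, and an upload validator that enforces a size limit, an extension allow-list, a content-signature check and a pluggable scanner hook. The thresholds, the injectable clock, the allowed-type table and the `scan` callback (standing in for an anti-virus integration) are assumptions for illustration.

```python
"""Brute-force throttling and upload restrictions.

Added example, not code from the original article. The thresholds, the
injectable clock, the allowed-type table and the scanner hook are assumed.
"""
import os
import time
from collections import defaultdict

MAX_FAILURES = 5            # failed attempts tolerated inside the window (assumed)
WINDOW_SECONDS = 15 * 60    # sliding window in which failures are counted (assumed)
LOCKOUT_SECONDS = 15 * 60   # time-limited lockout, not a permanent suspension (assumed)


class LoginThrottle:
    """Temporary lockout keyed on both the account and the source address.

    Locking only the account lets an attacker lock real users out on purpose;
    locking only the address is defeated by spreading attempts across hosts,
    so both keys are tracked and either one can block the attempt.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable so tests can advance time
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    @staticmethod
    def _keys(username, ip):
        return (f"user:{username}", f"ip:{ip}")

    def is_locked(self, username, ip):
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        now = self.clock()
        for k in self._keys(username, ip):
            recent = [t for t in self.failures[k] if now - t < WINDOW_SECONDS]
            recent.append(now)
            self.failures[k] = recent
            if len(recent) >= MAX_FAILURES:
                self.locked_until[k] = now + LOCKOUT_SECONDS

    def record_success(self, username, ip):
        for k in self._keys(username, ip):
            self.failures.pop(k, None)


MAX_UPLOAD_BYTES = 5 * 1024 * 1024
# Allowed extensions with the leading bytes each file must start with (assumed policy).
ALLOWED_TYPES = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-"}


def validate_upload(filename, data, scan=lambda data: True):
    """Return None if the upload is acceptable, else a short rejection reason.

    `scan` stands in for an anti-virus hook (for example a call out to a
    scanner daemon); it is assumed here and defaults to accepting everything.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return "too large"
    ext = os.path.splitext(filename.lower())[1]
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return "extension not allowed"
    if not data.startswith(magic):
        return "content does not match extension"   # e.g. an executable renamed to .png
    if not scan(data):
        return "malware detected"
    return None


if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(MAX_FAILURES):
        throttle.record_failure("alice", "203.0.113.5")
    print("alice locked:", throttle.is_locked("alice", "203.0.113.5"))
    print("png upload:", validate_upload("scan.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
    print("renamed exe:", validate_upload("fake.png", b"MZ\x90\x00"))
```

The content check rejects the common trick of renaming an executable to an allowed extension; the size check runs first so that oversized data is never handed to the scanner.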