Your First Step to a Highly Secure Web Site

Web Application Vulnerability Assessment Essentials: Your First Step to a Highly Secure Web Site If an organization isn't taking a systematic and proactive approach to web security, and to running a web application vulnerability assessment in particular, then that organization isn't defended against the most rapidly increasing class of attacks. Web-based attacks can lead to lost revenue, the theft of customers' personally identifiable financial information, and falling out of regulatory compliance with a multitude of government and industry mandates: the Payment Card Industry Data Security Standard (PCI) for merchants, HIPAA for health care organizations, or Sarbanes-Oxley for publicly traded companies. In fact, the research firm Gartner estimates that 75 percent of attacks on web security today are aimed straight at the application layer.

While they're described with such obscure names as Cross-Site Scripting, SQL Injection, or directory transversal, mitigating the risks associated with web application vulnerabilities and the attack methods that exploit them needn't be beyond the reach of any organization. This article, the first in a three-part series, will provide an overview of what you need to know to perform a vulnerability assessment to check for web security risks. It'll show you what you can reasonably expect a web application security scanner to accomplish, and what types of assessments still require expert eyes. The following two articles will show you how to remedy the web security risks a vulnerability assessment will uncover (and there'll be plenty to do), and the final segment will explain how to instill the proper levels of awareness, policies, and technologies required to keep web application security flaws to a minimum - from an application's conception, design, and coding, to its life in production.

Just What Is a Web Application Vulnerability Assessment?

A web application vulnerability assessment is the way you go about identifying the mistakes in application logic, configurations, and software coding that jeopardize the availability (things like poor input validation errors that can make it possible for an attacker to inflict costly system and application crashes, or worse), confidentiality (SQL Injection attacks, among many other types of attacks that make it possible for attackers to gain access to confidential information), and integrity of your data (certain attacks make it possible for attackers to change pricing information, for example).

The only way to be as certain as you can be that you're not at risk for these types of vulnerabilities in web security is to run a vulnerability assessment on your applications and infrastructure. And to do the job as efficiently, accurately, and comprehensively as possible requires the use of a web application vulnerability scanner, plus an expert savvy in application vulnerabilities and how attackers exploit them.

Web application vulnerability scanners are very good at what they do: identifying technical programming mistakes and oversights that create holes in web security. These are coding errors, such as not checking input strings, or failure to properly filter database queries, that let attackers slip on in, access confidential information, and even crash your applications. Vulnerability scanners automate the process of finding these types of web security issues; they can tirelessly crawl through an application performing a vulnerability assessment, throwing countless variables into input fields in a matter of hours, a process that could take a person weeks to do manually.

Unfortunately, technical errors aren't the only problems you need to address. There is another class of web security vulnerabilities, those that lay within the business logic of application and system flow that still require human eyes and experience to identify successfully. Whether called an ethical hacker or a web security consultant, there are times (especially with newly developed and deployed applications and systems) that you need someone who has the expertise to run a vulnerability assessment in much the way a hacker will.

Just as is the case with technical errors, business logic errors can cause serious problems and weaknesses in web security. Business logic errors can make it possible for shoppers to insert multiple coupons in a shopping cart - when this shouldn't be allowed - or for site visitors to actually guess the usernames of other customers (such as directly in the browser address bar) and bypass authentication processes to access others' accounts. With business logic errors, your business may be losing money, or customer information may be stolen, and you'll find it tough to figure out why; these transactions would appear legitimately conducted to you.

Since business logic errors aren't strict syntactical slip-ups, they often require some creative thought to spot. That's why scanners aren't highly effective at finding such problems, so these problems need to be identified by a knowledgeable expert performing a vulnerability assessment. This can be an in-house web security specialist (someone fully detached from the development process), but an outside consultant would be preferable. You'll want a professional who has been doing this for awhile. And every company can benefit from a third-party audit of its web security. Fresh eyes will find problems your internal team may have overlooked, and since they'll have helped hundreds of other companies, they'll be able to run a vulnerability assessment and quickly identify problems that need to be addressed.

Conducting Your Vulnerability Assessment: The First Steps

There are a number of reasons your organization may need to conduct a vulnerability assessment. It could be simply to conduct a checkup regarding your overall web security risk posture. But if your organization has more than a handful of applications and a number of servers, a vulnerability assessment of such a large scope could be overwhelming. The first thing you need to decide is what applications need to be assessed, and why. It could be part of your PCI DSS requirements, or to meet HIPAA requirements. Or the scope could be the web security of a single, ready-to-be-deployed application.

Once you've figured out the scope, you need to prioritize the applications that need to be assessed. If you're accessing a single, new application, that decision is easy. But if you're on the precipice of accessing every web application in your architecture, you have some decisions to make. Whether you're looking at the web security of applications you own, or only those that take part in online sales transactions, you need to inventory and prioritize the applications to be assessed.

Depending on the scope and purpose of your vulnerability assessment, it makes sense to start looking at the web security of your crucial applications first - for instance, those that conduct the most transactions or dollar volume - and work down from there. Or it could be starting with all applications that touch those that process and store sales transactions.

No matter your scope, or the purpose of your vulnerability assessment, other aspects of your architecture always need to be considered when listing and prioritizing your applications. For instance, any externally facing applications - even those that don't contain sensitive information - need to be given high priority. The same is true for externally hosted applications, whether they are Internet-facing or directly connected to back-end systems. Any applications that are accessible by the Internet, or hosted by others, should be subject to a vulnerability assessment. You can't assume that an application is secure just because it is hosted by a third-party, just as you can't assume that just there is no risk just because a web application, form, or entire site doesn't handle sensitive information. In both cases, any web security vulnerabilities could very likely lead an attacker directly to your most critical network segments and applications.

The Vulnerability Assessment

Now you're ready for the vulnerability assessment. Believe it or not, much of the hard work is already done: deciding the scope, and then classifying and prioritizing your applications. Now, assuming you've already acquired a web security scanner and have identified who will conduct the manual scan for business logic errors, you're ready to take a whack at your application.

The resulting report, based on the security health of the application, will provide you a list of high, medium, and low priority vulnerabilities. At this point, you'll need someone to vet the automated vulnerability assessment results to find any false positives, or vulnerabilities identified by the scanner, but don't actually exist. If it seems overwhelming, don't fret; we'll delve into how to prioritize and remedy these web security vulnerabilities in the next installment. About the same time as your automated vulnerability assessment, the manual assessment will be underway. During the manual assessment, the expert will look for logic errors in the application: Is it possible for users to conduct transactions in ways the developers hadn't anticipated? Such as the ability of someone to tamper with application values that are being passed from the client to the server to alter the price of an item. The manual vulnerability assessment will end with a list of all vulnerabilities to web security found, and the assessor should prioritize the risks posed by each problem - based on the ease of exploiting the vulnerability, and the potential harm that could result if an attacker is successful.

Now you have your list of web security vulnerabilities, both technical and logic. And, if your organization is like most others, you have some remedying work to do. The challenge now is to prioritize what needs to be fixed, so that your existing applications can be hardened, and those being built can be remedied and safely placed into production.

While the list of web security issues may be long, you've completed the first major phase on the road to a highly secure application. Take comfort in the fact that your vulnerability assessment has identified problems in your applications before they were attacked by competitors, lone-hackers, or organized crime. In the next article, Effective Web Application Vulnerability Remediation Strategies, we'll show you how to prioritize your remediation work so that development time isn't prolonged, and existing applications at risk are remedied before they can be attacked.

About Caleb Sima

Caleb Sima is the co-founder of SPI Dynamics, a web application security products company. He currently serves as the CTO and director of SPI Labs, SPI Dynamics' R&D security team. Prior to co-founding SPI Dynamics, Caleb was a member of the elite X-Force R&D team at Internet Security Systems, and worked as a security engineer for S1 Corporation. Caleb is a regular speaker and press resource on web application security testing methods and has contributed to (IN)Secure Magazine, Baseline Magazine and been featured in the Associated Press.

About Vincent Liu

Vincent Liu, CISSP, CCNA, is the managing director at Stach & Liu, a professional services firm providing advanced IT security solutions. Before founding Stach & Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the Global Security unit at Honeywell International. Vincent is an experienced speaker and has presented his research at conferences including BlackHat, ToorCon, and Microsoft BlueHat. He has been published in interviews, journals, and books with highlights including: Penetration Tester's Open Source Toolkit; Writing Security Tools and Exploits; Sockets, Shellcode, Porting, and Coding; and the upcoming Hacking Exposed: Wireless.

Article Source: http://www.site-reference.com/articles/Website-Development/Your-First-Step-to-a-Highly-Secure-Web-Site.html

Penetration Testing vs. Vulnerability Analysis Tools, Which Is Best?

Over the past several years I have heard people asking the question "should I use vulnerability analysis tools to assess my web based applications or should I look to penetration testing?" I think we, as an industry, may be asking the wrong question. First, let's look at how the web application industry has grown over the years and how penetration testing has scaled to meet that challenge.

Pre-2000

Before the year 2000, some companies had a web site for marketing purposes and a few companies were starting to do a little business on the web. There were of course a lot of DotComs around selling things on the web, but real "brick and mortar" businesses were just using the web as a marketing tool. The brick and mortar businesses who understood security started asking their experts in penetration testing to check out these web applications. Using some simple vulnerability analysis tools, those penetration testing experts did a good job checking for simple web application security issues. There were a few people running around that really knew how to test a web application, but not many. At this time, there were a few open source vulnerability analysis tools in existence, but the market was in its infancy.

Early 2000s

After the DotCom bust, companies actually started to use the web and web-based applications for both internal and external applications. Most applications still existed on non-web-based platforms, but developers started moving their legacy applications into web-based environments. Developers found that creating a web-based application was a bit more complicated, but deploying it via a browser made it all worthwhile. In addition, customers now wanted to transact their business via the web, and as a result, companies started to provide some of their services via a web application.

Security commonly responded to this change in one of two ways. One approach that worked was to hire or contract more penetration testing experts and to try to test all web-based applications before they went live. This worked in some cases, but usually there was not enough support for the penetration testing so only critical applications were tested, leaving non-critical applications open to attack. The other approach was to assess the web-based application with vulnerability analysis tools before it went live. This approach scaled much better than the penetration testing route, but would frequently miss vulnerabilities that really should have been discovered.

Usually, a combination of stand-alone vulnerability analysis tools and penetration testing was used in an attempt to get full application coverage. This yielded good results, but most security organizations were still quickly overwhelmed by the number of web-based applications that needed to be assessed. Also, this approach typically found vulnerabilities after the application had been developed, tested and was ready for production. This frequently caused companies to go live with vulnerable applications or go back to development and fix the issue.

The Right Question (Where we are today)

Today, the problems of the early 2000s have only worsened. The proliferation of web-based interfaces and applications has spread to every part of our lives and businesses. With this growth, we are not only seeing new groups within companies use web-based applications, but we are also seeing that these same groups are using web-based applications for everything they do on the computer. And these applications are also becoming more complex.

When faced with this type of environment, many web application security experts ask the question, "Should I use vulnerability analysis tools or hire more staff for penetration testing?" I think this is the wrong question. What we should be asking is, "If I have so many people developing web-based applications, how do I get them to do it in the secure way?" The people involved in creating the web-based applications will need to become part of the solution, not the cause of the problem. Developers and QA testers will need to understand how to develop a web-based application that is secure, and they will need vulnerability analysis tools to help them verify that they are doing the right thing. And providing developers with an automated way to test their applications can help them find web application security issues much earlier in the process.

Training for QA professionals is also critical. These professionals need to know how to look for web-based security issues and then need to have vulnerability analysis tools that help them test for security issues. They also need a way to integrate these vulnerability analysis tools into their existing defect tracking systems. This integration allows for tracking of issues as well as generating metrics around what type of issues are being created by the developers.

At the enterprise level, we need ways to assess applications that are in production and understand what the enterprise looks like from a web application security perspective. These tests should include issues resulting from development, QA and production, as well as the in-depth data that penetration testing will continue to generate. Having an enterprise view allows executives to understand where their risks are and what an appropriate response to the risks should be.

As for penetration testing, it will continue to be a core part of the web application security landscape. The fact is that there are some web application security issues that vulnerability analysis tools just don't do a great job of finding. These vulnerability analysis tools get better every day but they have a long way to go before they can be considered a "mature" product family. The web application security assessment industry is still quite young and the security landscape is changing quickly.

The fact is, the need for those experienced in penetration testing will continue to increase. We will need them to continue to do more assessments and to do more in-depth assessments that vulnerability analysis tools will not be able to fully execute. We will also need them to train developers and QA professionals in how to test web-based applications. Web application penetration testing is still a rare skill that vulnerability analysis tools cannot replace, and we need the people that are creating the web-based applications to develop applications more securely and to help develop processes to promote and verify the security of applications.

Dennis Hurst is a Developer Security Evangelist for SPI Dynamics where he works with development organizations evangelizing the need to integrate web application security into their Web development processes. A Microsoft Developer Security MVP, Dennis has more than 15 years experience in the Information Systems/Application Development industry, and he is an expert in computer applications and networks.

Article Source: http://www.site-reference.com/articles/General/Penetration-Testing-vs-Vulnerability-Analysis-Tools-Which-Is-Best.html

Apache, MySQL & PHP for Windows

Apache, MysQL and PHP for Windows could be a nice nice thing to have on your Windows workstation. You could try and experiment with all kinds of nice PHP and MySQL based applications right on your Windows desktop running Apache, instead of having to access a full-featured server.

Most people have Windows as their workstation and it can be sometimes difficult to switch to another operating system. So, you may have always wanted to run PHP applications on your Windows machine but wondered if it is too difficult to install or if the hassle will be worth it.

This article gives you the essential information to get started right away. Even if you are a seasoned PHP, MySQL and Apache guru, the checklist below will still be helpful in your installation process.

There are lots of 3rd party software that bundles Apache, MySQL & PHP in one package and installs them on our computer. We do not recommend this and suggest that you directly get Apache, MySQL & PHP from their official sites.

Apache
1. Get Apache 1.3.33 from here: http://httpd.apache.org/download.cgi.
2. Choose a mirror close to you and in the same page, look for the Win32 Binary (Self extracting) file: apache_1.3.33-win32-x86-no_src.exe.
3. Download the file and save it on your hard disk. Run the installer and the self-extracting wizard will guide you through the rest of the steps. Choose all the default settings and run Apache as a service.
4. Remember to put "localhost" when asked for a Server name/Domain name. Use "administrator@localhost" when asked for the administrative email account.
5. Now point your browser to: http://localhost and you should see an Apache Test Page.
6. You can change this page by creating an "index.html" page here "C:Program FilesApache GroupApachehtdocs".
7. You can manually start and stop the Apache server. In a Windows command prompt, type "net stop apache" or "net start apache".

MySQL
1. Get MySQL 4.1.7 from here: http://dev.mysql.com/downloads/mysql/4.1.html
2. Under the Windows downloads section, choose Windows Essentials (x86) and click on the Pick a Mirror link.
3. Download the file mysql-4.1.7-essential-win.msi and save it on your hard disk. Run the installer and the self-extracting wizard will guide you through the rest of the steps. Remember the root password when prompted for it in the installation process.
4. Once the installation is done, on your Windows toolbar, go to "Start->Programs->MySQL->MySQL Server 4.1->MySQL Command Line Client".
5. Type the root password and you should be logged in to the MySQL shell.
6. Type "show databases;" to see the list of databases. Type "quit" when you are done.

PHP
1. Get PHP 4.3.10 from here: http://www.php.net/downloads.php
2. Under the Windows Binaries section, choose the file: PHP 4.3.10 zip package size 7,405Kb dated 15 Dec 2004.
3. Download the file and save it on your hard disk. Unzip the file and rename the extracted folder to "php". Now move this folder "php" and place it under "C:Program Files".
4. Move all the files under "C:Program Filesphpdlls" and "C:Program Filesphpsapi" to here: "C:Program Filesphp".
5. Copy the file php.ini-recommended to "C:WINDOWS" and rename it to php.ini
6. Edit your Apache "httpd.conf" configuration file located here: "C:Program FilesApache GroupApacheconf".
7. Add the following lines in httpd.conf:

LoadModule php4_module "C:/Program Files/php/php4apache.dll"
AddModule mod_php4.c
AddType application/x-httpd-php .php

8. Now stop your server by issuing the following command in Windows command prompt: "net stop apache". Then type "net start apache" to start your server. We are now going to test the PHP installation.
9. Go to "C:Program FilesApache GroupApachehtdocs" and create a file test.php
10. Edit test.php and add the following code:
phpinfo();
?>
11. Point your browser to http://localhost/test.php and you should see a lot of PHP configuration information.

Congratulations! You now have Apache, MySQL and PHP installed in your computer. Now you can install your favorite script right on your Windows workstation.
About the Author
Sanjib Ahmad, Freelance Writer and Product Consultant for Business.Marc8.com - Top 10 Business Best Selling Books. You are free to use this article in its entirety as long as you leave all links in place, do not modify the content, and include the resource box listed above.

Article Source: http://www.site-reference.com/articles/Website-Development/Apache-MySQL-PHP-for-Windows.html

Apache, Mysql

"Even if you are a seasoned PHP, MySQL and Apache guru, the checklist below will still be helpful in your installation process."

Apache, MysQL and PHP for Windows could be a nice nice thing to have on your Windows workstation. You could try and experiment with all kinds of nice PHP and MySQL based applications right on your Windows desktop running Apache, instead of having to access a full-featured server.

Most people have Windows as their workstation and it can be sometimes difficult to switch to another operating system. So, you may have always wanted to run PHP applications on your Windows machine but wondered if it is too difficult to install or if the hassle will be worth it.

This article gives you the essential information to get started right away. Even if you are a seasoned PHP, MySQL and Apache guru, the checklist below will still be helpful in your installation process.

There are lots of 3rd party software that bundles Apache, MySQL

Sanjib Ahmad, Freelance Writer and Product Consultant for Business.Marc8.com (http://business.marc8.com/). You are free to use this article in its entirety as long as you leave all links in place, do not modify the content, and include the resource box listed above.

Article Source: http://www.site-reference.com/articles/General/Apache-Mysql.html

The Pros and Cons of Web Applications

There has been a long running debate about web applications replacing desktop software applications. While some functions are better suited to web applications. It is my belief that security concerns and legacy systems will prevent desktop software from becoming obsolete.

Some argue that the debate between web applications and desktop applications is pointless; as their is no clear answer. While still others argue that the issue at hand is as much a business and marketing issue, as it is a technological issue.

What Defines a Web Application Vs a Desktop Application?
A web application is an application delivered to users from a web server like the Internet. Some businesses run web applications on an intranet, as well. Web applications are becoming more popular due to the widespread use of the web browser as a client.

Some applications are better suited and more likely to become successful as web applications. Web applications designed specifically for search engine optimization, have become increasingly popular. It is easy to understand why web applications that relate to the Internet would prosper, while business applications may have less appeal in a web environment.

A desktop application is a self-contained program that performs a defined set of tasks under the user control. Desktop applications run from a local drive and do not require a network or connectivity to operate or function properly, though if attached to a network desktop applications might use the resources of the network.


Pros and Cons to Desktop and Web Applications:

Easily Accessible
Web applications can be easily accessed from any computer or location that has Internet access. Travelers especially benefit from the accessibility. This often means that if a traveler has access to a computer, phone or handheld with Internet connectivity they can utilize the web application.

Low Maintenance & Forced Upgrades
Desktop applications need to be individually installed on each computer, while web applications require a single installation.

Many web applications are hosted by a 3rd party and the maintenance fall under the applications hosts responsibility. The ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers is a key reason for the popularity of web based applications. This can be a blessing and a curse as users of web applications on hosted systems are at the mercy of the host, if an upgrade does not go well, or the individual user doesn't want or need the new features the upgrade will still go forward.

Increased Security Risks
There are always risks involved when dealing with working online, regardless of how secure a host might say a web application is, that fact of the matter stands that the security risk of running an application of the Internet is more significant than when running an application on a standalone desktop computer. Some applications require more security than others, playing Sudoku on a web application would cause little concern, but dealing with sensitive corporate formulas or accounting details in a web environment might be determined risky.

Cost
Over the life of the software use, web applications are typically significantly more expensive over time. Desktop applications are purchased outright and rarely is their a recurring fee for the software use. Some desktop applications do have maintenance fees or fee based upgrades associated with them, but rarely is there a subscription fee associated with the software's ongoing use.

Many corporate web applications use a different model, users typically are charged monthly service fee to operate the software. Fees are considered "subscription fees". If you fail to renew your subscription you may be unable to access the data stored in the web application.

Connectivity
Web applications rely on persistent and unmanaged connectivity. If you do not have an Internet connection or if your host does not have Internet connectivity you cannot access the information. Critical applications or businesses that are time sensitive cannot risk denial of service attacks or power outages to interrupt their operations and access data that is sensitive.

Slower
Web applications that rely on the Internet to transfer data rather than a computer's local hard drive, may operate slower. The speed may also vary based on number of users accessing the application.

Backups & Ownership.
Regardless of the platform, companies need to be sure that their data is appropriately backed up. When using a web application that are hosted by a third party, companies should clearly determine who owns the data housed in the application, and be sure that privacy policies prevent that data from being used by the web host.

Ultimately the accessibility of web based applications make them very desirable. Web applications have some fundamental limitations in their functionality, and are better suited for specific tasks. Understanding the pro's and con's to each business model, will help users determine whether a desktop application or web application will better suit their needs.

Sharon Housley manages marketing for FeedForAll http://www.feedforall.com software for creating, editing, publishing RSS feeds and podcasts. In addition Sharon manages marketing for NotePage http://www.notepage.net a wireless text messaging software company.

Article Source: http://www.site-reference.com/articles/General/The-Pros-and-Cons-of-Web-Applications.html