Four Things You Shouldn’t Forget About Web Application Security
Eliminating all vulnerabilities from your web application is an important part of maintaining your overall security posture. As part of that process, web application vulnerability scanners play a crucial role in that they provide an efficient and effective method of exposing vulnerabilities and helping to keep your application online and secure.
Because automated web security scanners play such a crucial role in the process of web application security, it’s easy to forget that there are many other elements of security that also deserve your attention.
In this post, we’re going to cover some of the “other” important security elements that are often overlooked — both in terms of the application itself as well as the infrastructure.
Don’t Let Infrastructure be Your Weakest Link
Like everything else, a strong security posture starts with the foundation. As important as it is to eliminate web application vulnerabilities, efforts may be wasted in the event that your application resides on an insecure web server, or you’re running insecure software, as what happened in theinfamous Mossack Fonseca and Panama papers leak.
We’re not going to get into the process of securing your web server other than to point out a few of the obvious ways that you can harden your security. However, as an example, if you’re running a popular open source option like LAMP stack, there are some straightforward actions you can take such as:
- Make sure you are running the latest version of Apache
- Disable any unused or unnecessary modules
- Prevent the version number, operating system and installed modules from being displayed
- Disable/Prevent directory browsing
- Limit the total HTTP request size to reduce the probability of a DDoS Attack
- Enabling Apache Logging
There are a multitude of additional steps you can take to reduce your overall exposure including:
- Eliminating remote access or at the very least, restricting remote access to a limited number of IP’s and users
- Using a separate environment for development, testing and production. Amazon EC2 makes the process of setting up temporary testing and development environments relatively simple which limits access to your production environment.
If you’re unsure of how to configure your server, get advice from your server admin or system engineer.
Manage User and Application Privileges Responsibly
The best way manage user privileges is by following the principle of least privilege (POLP). POLP states that each individual user should have their access limited to the minimal level required complete their necessary tasks. The same rule applies to web applications — assign the minimal level of permissions required for normal functioning.
Managing privileges is something that can occur on a variety of different levels — including the server, database and software level. For example, if you are running WordPress, full administrator privileges is something that should be restricted to very few users. Even at the administrator level, there are certain functions that can be disabled in order to further harden security. Read the Principle of Least Privileges for WordPress for more specific information on POLP on WordPress.
Keep Software Up To Date
As vulnerabilities are discovered and patches are released, it’s important to keep all of your software up to date. We can approach this from two angles:
The first is making sure that any software you’re using is running on the current version. This is an issue we see frequently on platforms like WordPress and with JavaScript libraries. Looking at currentWordPress statistics, over 15% of installations are currently running version 3.9 or older.
In many instances, using a web application vulnerability scanner will help in this regard. For example, if your web application is using a JavaScript librarythat is out of date, ideally you should be alerted not only that the library is out of date but also which vulnerabilities are associated with your particular version.
Secondly is the importance of keeping your scanning software up to date. If you are using a desktop based scanner, make sure you’re using a version with the most recently updated vulnerability library — cloud-based vulnerability scanners will be automatically updated.
[adsense size='1']
Know What’s Happening On Your Web Application
Finally, one security measure that is often overlooked is the process of monitoring and logging user activity. Web application logs provide a multitude of benefits. The most important of which is the ability to help improve your web application security.
Monitoring user activity is often one of the first steps in determining when an attack might be underway. Even though only a very small percentage of users are malicious, logging can help to identify those users and block them from taking any further action.
Logging user actions can also help to identify ways in which your web application might be vulnerable or for identifying potential misuse. If you are able to identify, track, record and alert administrators of suspicious activity, it is often possible to make changes to your application before an attack occurs or even halt a malicious user before it becomes a major security issue.
Manage Web Application Security From a Holistic Standpoint
Managing web application security is a complicated process. There are many moving parts that need to be managed concurrently. Unfortunately, the vast number of systems that require attention for even a basic web application, often result in one aspect of security being overlooked.
When assessing overall security posture, we often default to the technical aspects of security — scanning for and patching web application vulnerabilities. However equally important is the ability to manage the most obvious elements that are often the source of our problems. This includes things such as web server security, limiting user privileges, properly maintaining software and being aware of how users are interacting with your application. Your web application security posture is only as strong as the weakest link.
Gloss