An Introduction To Web Application Security Systems

Darknet, 2016-08-25 – https://www.darknet.org.uk/2016/08/an-introduction-to-web-application-security-systems/

In the world of web application security systems, there exists a myriad of systems to protect public-facing services in any number of ways. They come packed with all the elements necessary to play an action-packed round of buzzword bingo, but they often overlap in ways that may make them seem similar. After the second or third pitch of how each product delivers whatever acronym, it becomes difficult to ask yourself which one you need the most.

Well, quite frankly, you probably need all of them.

The potential for overlap often gives pause for thought: why is one solution not the best fit for all problems?

This sounds like an absurd question when phrased this way, but as is the case more often than not in IT, this very question is posed in one form or another from management to the security engineering team. In this article, we will provide a brief, high-level breakdown of what each type of web application security system is, and why you likely need a mixture of all of them.

WAF – Web Application Firewall

In the Open Systems Interconnection (OSI) model, a network connection is abstracted into seven layers. A typical firewall may operate at layer 3 or 4, handling border routing or connection gatekeeping, but the most damaging attacks against web services are at layer 7, against the web application itself. This is where a Web Application Firewall (WAF) becomes a crucial asset.

Pros

Cons

If you're on Amazon, they recently introduced their own WAF solution; there's also NAXSI and, of course, the evergreen ModSecurity.

SCA – Source Code Audit

The oldest and most mature security methodology in this list, the security source code audit remains a critical core component of a strong security posture to this day due to its invaluable benefits. Code audit is part of a process known as "defensive programming," where software is designed to be resilient and resistant to invalid data or misuse of the software. Commonly, this practice is applied to lower-level languages that have far more restrictive bounds (e.g. strcpy in C), but web applications also have critical bounds that an SCA can detect (such as XSS and SQL injection vulnerabilities).

Pros

Cons

There are various static analysis tools that can help you run code audits, such as:

– Brakeman – Static Analysis Rails Security Scanner
– Codesake::Dawn – Static Code Analysis Security Scanner For Ruby
– Graudit – Code Audit Tool Using Grep
– Yasca – Multi-Language Static Analysis Toolset
– RIPS – Static Source Code Analysis For PHP Vulnerabilities

And more..

Web Application Security Scanners/Web Vulnerability Scanners

A source code audit normally focuses only on the components of the whole application, applying methods of unit or integration testing that simulate certain conditions or data. However, much as car manufacturers test not only the components but also the assembled car itself, web application security is no different. A thorough test must include not only the components, but the sum of the parts as a whole. A web security scanner does just this, emulating real-world traffic (specifically attacks) in order to find areas of weakness.

Pros

Cons

IDP – Intrusion Detection and Prevention

Even with the most thorough and intensive source code audit, web vulnerability scan, and adaptive web application firewall, there still exists potential for a hacker to compromise a system. As stated previously, humans are fallible and problems can still slip through. If a web application or ancillary system (such as a database or key/value store) is connected to the Internet, directly or indirectly, one should assume it can be compromised, no matter what protections you put in place. Intrusion detection and prevention exists to find and limit when this happens.

Pros

Cons

There are various options here too, like:

– Smooth-Sec – IDS/IPS (Intrusion Detection/Prevention System) In A Box
– pytbull – Intrusion Detection/Prevention System (IDS/IPS) Testing Framework
– Suricata – Open Source Next Generation Intrusion Detection and Prevention Engine

Summary of Web Application Security Systems

As demonstrated above, there is indeed some overlap between all these web application security solutions, so it is easy to see how one could think that not all are necessary. However, as also demonstrated above, there are many things that are highly unique to each solution. The overlap is also a good thing. A source code audit and a web vulnerability scanner, for example, may both highlight similar potential problems, but they do so in largely different ways. What may be discoverable during an SCA may go undetected by a scanner, and vice versa.

The overlap, therefore, is actually a net gain in the end. Not only will each solution in combination provide many tangible benefits for the security posture of the web application, but they also act as a sort of check against each other, ensuring that what is missed by one solution may be detected by another. Indeed, the most appropriate response is to, wherever possible, implement all of the aforementioned solutions, not just some.