Web Application Security Challenges
As enterprises expand their e-commerce sites, the complexity of securing the associated web applications also grows. Most companies equip their e-commerce sites with Secure Sockets Layer (SSL), intrusion detection systems (IDS), and intrusion prevention systems (IPS), as well as host- and network-based security systems. However, most cyber-attacks and vulnerabilities occur in the web applications themselves, at the application layer that transport encryption and network-layer controls do not address. Since these technologies alone cannot effectively protect web applications, it is crucial to implement industry-proven measures to guard sensitive informational assets. This paper explores current web application security challenges and proposes measures that can be taken to improve the security of an organization's web applications. In the same context, it highlights the internal practices and procedures that should be used to validate the web applications of the enterprise.
E-commerce has various technological and business drivers, which include both risks and benefits. Therefore, developing an effective strategy entails considering the potential advantages while weighing the possible perils. In this context, risks include loss of intellectual property (IP), business disruptions, public relations (PR) debacles, damaged partner and customer relations, damaged company reputation, and fraud. In response to these challenges, enterprises must develop or adopt security policies or best practices for their web applications to ensure the confidentiality, integrity, and availability (CIA) of those applications. Such policies would involve authorization, authentication, and accountability, concentrating on the potential vulnerabilities and threats (Gregory, 2015). To ensure business continuity, the company must strive to identify and prevent any potential threat, as well as mitigate any intrusion (Said, Romadi, & Bounabat, 2015). Research indicates that there are various means to secure e-commerce sites and transactions from the ever-increasing cyber threats. Some of the prevalent hazards include sensitive data exposure, cross-site scripting (XSS), injection vulnerabilities, broken authentication, security misconfigurations, and insecure direct object references (Mookhey, 2010; OWASP, 2013).
Threats to web applications are continuously changing due to advances in the techniques and technologies used by cyber criminals, as well as the proliferation of new devices with unknown security vulnerabilities. This paper discusses the current state of web application security, the techniques and technologies for addressing web application challenges, and the procedures for validating the security of the web applications of the enterprise.
Current State of Web Application Security
The threats and vulnerabilities specific to a web application dictate the technology and measures used for its protection. Figure 1 presents some of the points within an enterprise system that need protection. Typically, the best practice is to build generic countermeasures into the initial phases of the software development life cycle (SDLC), so that the technology suits the needs of the web application, rather than reacting to each new threat as it appears (Gregory, 2015). In other words, prevention should be given priority in the information security strategy.
Figure 1. Web application security concerns (IBM, 2008).
The number of security threats and vulnerabilities in web applications will continue to grow as the number of web applications increases. Consequently, web application threats will continue to be the main source of security concern for enterprises (Vijayan, 2009). Cyber-attacks targeting vulnerabilities in web applications will also continue to grow due to the proliferation of ubiquitous Internet-enabled handheld devices (Lee, 2012; Mookhey, 2010). The prevalence of BYOD (Bring Your Own Device) has also introduced more vulnerabilities that are increasingly exploited by malicious entities to infiltrate e-commerce systems and cause damage (Ponemon Institute, 2013). At the center of these security concerns is the fact that BYOD continues to introduce unexplored security flaws (Lee, 2012). Additionally, vendors of antivirus software, firewalls, intrusion detection systems, and other information security mechanisms face the interoperability challenge (Vijayan, 2009).
The rapid growth of e-commerce transactions is accompanied by an equivalent increase in the type and number of cyber-attacks against web applications. The majority of the attacks have exploited vulnerabilities that had already been documented in the reusable third-party software used by e-commerce sites, such as the shopping cart (Mookhey, 2010). Other cyber-attacks have exploited vulnerabilities that are prevalent in most web applications, including cross-site scripting and SQL injection.
Relevant Issues to Consider
In the course of this research, several themes related to the topic emerged in the headings of various articles and reports about web application security. The most relevant include the need for an advanced architecture, mobile application security, incident response, and addressing advanced attacks (Said, Romadi, & Bounabat, 2015). Web security architecture requirements are changing rapidly. Increasingly, web application security entails automated detection and response. The need for adaptive web application security systems has triggered research and development among vendors as they strive to improve their market reach and share. In that context, some vendors are transforming into investors offering financial support to startups (WhiteHat Security, 2013). For example, the acquisition of Mandiant by FireEye Inc. is a strategic move to improve the development of an adaptive security architecture ("FireEye adaptive defense," n.d.). In line with these steps, it is essential for the company to collaborate with other industry players to develop a proper adaptive security infrastructure.
The other evident theme concerns mobile security. The prevalence of mobile devices with Internet functionality increases the traffic that e-commerce sites receive from handheld devices more than ever. In other words, BYOD and mobile devices should be an area of concern for the company ("Cybercrime," n.d.). As mentioned above, these devices present numerous security vulnerabilities in the sense that they still have loopholes that are yet to be identified. To succeed, the company should evaluate the security of the applications used to access the corporate site and e-commerce website, automatically submitting those applications for testing. Evaluation can also be achieved by testing application behavior and source code. Additionally, the company should evaluate each mobile application by testing and validating the communications between unknown applications and web services (Shoemaker, & Conklin, 2012). Furthermore, the company must integrate and correlate protection and detection technologies (Paganini, 2015). Most importantly, the company should use scores to establish application reputation and risk.
Under the security framework of detecting and responding to threats, it is important to consider security incident response (IR). Due to the lack of a standardized approach to IR, it is vital for the company to create a customized IR plan from leading and effective industry practices ("Cybercrime," n.d.). Apart from IR, the other theme that deserves close attention is responding to advanced attacks (WhiteHat Security, 2013). Addressing advanced threats requires equivalent technology, expertise, and funds. The present-day IT security landscape has become more sophisticated than ever and is marked by aggressive, organized, and well-funded infiltrations. Cybercrime is continuously evolving from simple website defacements to stealthy attacks, including advanced volatile and advanced persistent threats (Paganini, 2015). According to Symantec (n.d.), cyber-attacks targeting web applications have grown more rapidly and more extensively than a decade ago. Some of the measures that can be used to respond to advanced attacks include network and endpoint forensics, payload and network traffic analysis, and endpoint behavior analysis.
Technologies and Techniques for Mitigating Web Application Security Challenges
Threat modeling is an approach to building security defenses into an application during software design. This approach is chosen because it envisions potential security threats to the web application and develops countermeasures or defenses to prevent the identified attacks (Nahari, & Krutz, 2011). The technologies and techniques discussed are chosen because they are founded on the tenets of threat modeling while referring to the "OWASP Top 10 Web application attacks" (OWASP, 2013). Figure 2 presents the techniques and technologies that will be used to address the web application security challenges of the enterprise.
Figure 2. Securing a 3-tiered web application (Lebanidze, n.d.).
As depicted in Figure 2, the key technologies and techniques for addressing web security challenges include input validation, encryption, output encoding, authentication, authorization, and parameterized command calls (Lebanidze, n.d.). Data validation and coding measures provide considerable benefits during the construction and elaboration phases of the web application development and delivery cycle. Data validation is given priority because it mitigates the XSS and SQL injection categories of attack; insecure direct object references, which appear in the same list, additionally require a per-request authorization check, since a well-formed identifier can still belong to another user. By improving the authorization, authentication, and configuration management of the application, the company will be able to address various security concerns during the same phases (Sullivan, & Liu, 2012). Table 1 summarizes the activities in the elaboration and development phases that correspond to the addressed security concerns.
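The following is an added example, written for this paper and not taken from Lebanidze, OWASP, or any vendor, showing three of the Figure 2 controls (parameterized command calls, input validation, and output encoding) together with the per-request authorization check that insecure direct object references require. It uses only the Python standard library; the orders table, its two rows, the user names, and the request values are constructed for the demonstration.

```python
"""Added example, not code from the paper or from any cited source: three of
the Figure 2 controls (parameterized command calls, input validation, output
encoding) plus a per-request authorization check, in Python using only the
standard library. The table, rows, user names and request values below are
constructed for the demonstration."""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two customers, one order each. Bob's item name
    # carries a script tag so the output-encoding step has something to defuse.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT);
        INSERT INTO orders VALUES (1, 'alice', 'keyboard');
        INSERT INTO orders VALUES (2, 'bob', 'monitor <script>alert(1)</script>');
        """
    )
    return conn


# --- SQL injection: string building versus a parameterized command call ---
def find_orders_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    # Deliberately vulnerable: the user-controlled value becomes SQL text.
    sql = "SELECT id, item FROM orders WHERE customer = '%s'" % customer
    return conn.execute(sql).fetchall()


def find_orders_safe(conn: sqlite3.Connection, customer: str) -> list:
    # The driver binds the value as data; it is never parsed as SQL.
    return conn.execute(
        "SELECT id, item FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


# --- Input validation: allow-list the shape of an identifier from the URL ---
ORDER_ID = re.compile(r"^[1-9][0-9]{0,9}$")


def parse_order_id(raw: str) -> int:
    if not ORDER_ID.match(raw):
        raise ValueError("order id must be a positive integer")
    return int(raw)


# --- Insecure direct object reference: check ownership on every request ---
def get_order(conn: sqlite3.Connection, current_user: str, raw_id: str) -> dict:
    order_id = parse_order_id(raw_id)
    row = conn.execute(
        "SELECT id, customer, item FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    # Missing and not-owned orders get the same answer so ids cannot be enumerated.
    if row is None or row[1] != current_user:
        raise PermissionError("order not found")
    return {"id": row[0], "item": row[2]}


def can_access(conn: sqlite3.Connection, current_user: str, raw_id: str) -> bool:
    # Boolean wrapper around get_order for callers that only need a yes/no.
    try:
        get_order(conn, current_user, raw_id)
        return True
    except (ValueError, PermissionError):
        return False


# --- Output encoding: escape before interpolating into HTML ---
def render_order(order: dict) -> str:
    return "<li>Order %d: %s</li>" % (order["id"], html.escape(order["item"]))


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_orders_vulnerable(db, payload))  # leaks every row
    print("parameterized:", find_orders_safe(db, payload))    # []
    print(render_order(get_order(db, "bob", "2")))
```

Run with a classic tautology payload, the concatenated query returns every customer's orders while the parameterized query returns nothing, because the bound value is compared literally. The ownership check is what stops `alice` from reading order 2 even though `2` passes validation, and `html.escape` turns Bob's item name into inert text before it reaches the browser.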
Table 1 Technologies and Techniques for Mitigating Web Application Security Challenges
Auditing and logging, exception management, and session protection can also improve the security of web applications. The other important security consideration that should be given priority is sensitive data protection. The most common fundamental technique for addressing sensitive data exposure, session management, and broken authentication is encryption (OWASP, 2013). In practice this means transmitting authentication cookies only over SSL/TLS (marking them with the Secure attribute so the browser never sends them in clear text) rather than relying on SSL to protect the cookie once it is stored on the client. In other words, developers must identify secure mechanisms for transmitting data across a network. In the same context, developers must avoid storing sensitive data within the application code (Nahari, & Krutz, 2011). Additionally, sensitive information, including passwords, keys, and database connection information, must never be stored in plain text; passwords in particular should be stored as salted, iterated hashes rather than in a reversible form. By testing security throughout the web application lifecycle to discover and fix vulnerabilities proactively, the company can avoid the cost of mitigating some of the preventable security challenges.
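The following is an added example, written for this paper and not drawn from OWASP or from Nahari and Krutz, of the two sensitive-data controls just described: storing a password as a salted, iterated hash instead of plain text, and issuing a session cookie that the browser will send only over SSL/TLS. It uses only the Python standard library; the cookie name, the iteration count, and the sample credential are assumptions for the demonstration.

```python
"""Added example, not code from the paper or any cited source: password
storage with a salted, iterated hash and a session cookie restricted to
SSL/TLS, using the Python standard library. The cookie name, iteration
count and sample credential are assumptions for the demonstration."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the server's hardware


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    # A fresh random salt per user defeats precomputed tables; the stored
    # record carries everything needed to verify later, but not the password.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: no timing side channel on the digest bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def new_session_id() -> str:
    # 256 bits from the OS CSPRNG; never derive session ids from user data.
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str, name: str = "session") -> str:
    # Secure: sent only over HTTPS, so SSL/TLS actually covers the cookie.
    # HttpOnly: not readable by script, so a reflected XSS cannot exfiltrate it.
    # SameSite=Strict: not attached to cross-site requests (CSRF defense).
    cookie = SimpleCookie()
    cookie[name] = session_id
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Strict"
    cookie[name]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                   # what the database stores
    print(verify_password("correct horse battery staple", record))  # True
    print(session_cookie_header(new_session_id()))
```

Two hashes of the same password differ because each carries its own salt, so a leaked user table cannot be attacked with a single precomputed dictionary. The `Set-Cookie` header produced here carries the Secure, HttpOnly, and SameSite attributes; without Secure, a session cookie set over HTTPS would still be sent in clear text on any plain-HTTP request to the same host.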
Internal Security Practices and Procedures for Testing or Validating the Security of the Web Applications
Standardized web application security testing techniques, including reference implementations, standard data, test cases, test procedures, test scripts, and metrics, both automated and manual, provide the empirical foundation for the proposed internal security practices and procedures for validating the company's web applications. Although there are various standards for web application security documentation, as well as various validation and verification stages and activities, there is no universal standardized procedure or test technology available for commercial web applications (IBM, 2008). Therefore, the proposed practices and procedures are based on industry-proven validation tests and guidelines. The approach is based on the observation that present-day cyber security mechanisms must be deeply integrated, flexible, and agile ("FireEye adaptive defense," n.d.). For this reason, the practices and procedures must present a comprehensive view of security threats in order to prevent potential attacks and avert their detrimental impacts.
To address the security concerns regarding its web applications, the company should employ the following practices, which reduce the risk of costly remediation after deployment:
Increase security awareness
This practice entails communication, training, and monitoring activities, along with the recommendations provided by a security consultant. Managers, web developers, analysts, and quality assurance experts should undergo annual training (Ponemon Institute, 2013). In this way, the training creates awareness of the issue and keeps staff informed about emerging attacks.
Categorizing web application risks and severity
In recognition that the company has limited resources, security priorities can be set by defining security risk thresholds and specifying the point at which an application service will be taken offline. Additionally, web applications can be grouped by risk factors, such as intranet versus extranet applications (Shoemaker, & Conklin, 2012). The company should also generate continuous risk reports from security scans.
Zero-tolerance enforcement policy
A well-defined web application security policy will reduce the risk of deploying a non-compliant or vulnerable web application. In that regard, the developers determine the tests that the web application must pass before it is deployed (Sullivan, & Liu, 2012). The identified tests must also be communicated to all team members (IBM, 2008). Additionally, design specifications and security requirements must be reviewed at inception, before the actual coding begins. Exceptions should be granted only with executive-level approval, and only during the design phase.
Integrating security validation into the web application development and delivery phases
The company will have a considerable positive effect on the design, coding, and testing of the web application by integrating security validation into its lifecycle. In this context, the development team must include event-driven testing (Figure 3); permit audit testing in production; run system, unit, and application-level tests; apply agile software development techniques; and employ automated tools that can scan for vulnerabilities at any phase of application development and delivery.
Processes and Procedures
To help prevent costly fixes, the company's developers should integrate the application security testing measures shown in Figure 3 into the application development and delivery phases, alongside the quality control measures.
Figure 3. Testing the security of an enterprise web application (IBM, 2008).
At the inception stage, the company will use the requirements presented in Table 2 to address various web application security concerns.
Table 2 Defining Security Requirements in the Inception Phase
The existing security mechanisms remain significant to the overall cyber security strategy of the company.
Additionally, adopting a web application security approach at the onset of the development cycle produces more secure applications than adopting security practices and procedures in the later stages of software development. For this reason, it is crucial to test, verify, and validate the web application security mechanisms of the enterprise to ensure that they are effective. In the same vein, it is important to perform security scans continuously, because the cyber threat landscape continues to evolve with advances in technology.