Secure Dose

Tuesday, 2 June 2015

Secure Web Application Part - I


Introduction:

There are many excellent web developers with new ideas, new initiatives and startups. They sometimes fail to deliver what they claim: they claim to secure files and to have pretty good privacy features. There is always a need to have a security check running alongside development, so that no re-engineering is required later to implement the necessary security measures. This article is specifically for newbies, developers and security people who want a checklist or notes to use while they develop or test a web application. Today we will talk about what a secured web architecture looks like, the security checks you must know, what needs to be taken care of, and what to implement on the server side and at the application level.


A head start:

Typical Web Application Working:
First of all, we must know how a normal application exists and how it actually works alongside the server. An application is first hosted on a web server or an application server; there is a difference between the two. The web server accepts requests and responds accordingly. The clients are web browsers, which send requests to a website or web application to use the features it provides. So the browser is our client; it connects to the internet (1) and then to the web server. That is the first request, and with it the CSS and other UI modules are loaded (2a)(2b).




Now the web server interacts (3) with the application server, which holds the web application and the processing logic: it loads the modules that provide the requested feature. Many times a database is needed, so the application server also sends a request to the database server (4) and receives the data. The application server then uses that data to build the response for the client (5), following the reverse path.

This is how a web application works, and it is very important to understand it in order to secure it.


What makes these web application vulnerable?
Most web developers configure SSL, a firewall and host security to secure their web application. This is mostly the case here in India, but it should not be: these things only secure the network and the host, not the web application itself.
The reasons why applications are vulnerable are:
  • Lack of awareness in the first place.
  • Security testing done late in the development life cycle.
  • Bad configurations.
  • Logical issues.
  • Leakage of valuable information.
  • Services running which are not in use.
  • Not changing default usernames and passwords.
  • Revealing information in errors, such as stack traces.
  • Guessable user IDs giving direct access to accounts, and many others.
These are some of the common things that lead to a compromised web application and need to be taken care of. Let's talk further about the secured web.


A Secured web application:
A secured web application consists of many parameters: validation both on the server side and at the application level, protection against URL manipulation, authorization, authentication, distinct user-level and administrator-level access, encryption, securing sensitive data, etc.
Here let's study a secured web architecture, that is, how a secure application should look in theory.

An application should have a WAF (Web Application Firewall) to prevent URL manipulation (not allowing special characters), protect secure data and files (restricting access to directories), prevent session hijacking and replay attacks, etc. WAFs like mod_security, naxsi, ironbee, csf and a few more, along with HAProxy for load balancing, should be configured to protect it as the first step.

Next is the security to implement on the web server: validating user inputs, providing secure communication (SSL), native security configs, and handling HTTP error codes and other exceptions.
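The two server-side points above, strict input validation (the same filtering a WAF does for special characters) and error handling that does not leak stack traces, as an added example in Python; this is illustration code, not code from the original post. The parameter names, the whitelist patterns and the process() stand-in are assumptions for the example:

```python
import logging
import re
import traceback
from typing import Dict, List, Tuple

# Operator-facing log: full stack traces go here, never into the HTTP response.
logging.basicConfig(level=logging.INFO)
log = logging.getLogger("app.errors")

# Whitelist rules for the parameters this (hypothetical) application accepts.
# A value that does not match its pattern is rejected outright, which is
# stricter than trying to blacklist individual special characters.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "item_id": re.compile(r"[0-9]{1,10}"),
    "filename": re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}"),
}


def validate_params(params: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (ok, errors). Unknown parameters and non-matching values are errors."""
    errors = []
    for name, value in params.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            errors.append(f"unexpected parameter: {name}")
        elif not rule.fullmatch(value):
            errors.append(f"invalid value for {name}")
    return (not errors, errors)


def process(params: Dict[str, str]) -> Dict[str, str]:
    """Constructed stand-in for the real handler; raises to exercise the error path."""
    if params.get("item_id") == "0":
        # The message deliberately contains an internal path to show it is not leaked.
        raise ValueError("item 0 does not exist at /srv/app/items.py")
    return {"item_id": params.get("item_id", "")}


def handle_request(params: Dict[str, str]) -> Tuple[int, dict]:
    """Map a request to (status, body); failures become safe HTTP responses."""
    ok, errors = validate_params(params)
    if not ok:
        # 400 with details about the client's own input only, nothing internal.
        return 400, {"error": "invalid request", "details": errors}
    try:
        return 200, {"result": process(params)}
    except Exception:
        # Full trace for the operator; a generic message for the client, so no
        # file paths, framework versions or code structure are revealed.
        log.error("unhandled error: %s", traceback.format_exc())
        return 500, {"error": "internal server error"}


if __name__ == "__main__":
    print(handle_request({"item_id": "42"}))
    print(handle_request({"username": "../../etc/passwd"}))
    print(handle_request({"item_id": "0"}))
```

The whitelist approach means a new parameter has to be added to FIELD_RULES before the application accepts it at all, which is the behaviour you want from a filter that sits in front of the application code.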


On the application server: logging activities and failures, authenticating and authorizing the identities of requesting users, protecting the data and filtering user inputs.
Keeping a daily track of the logs through auditing is a very good practice for spotting failed attempts, server issues, or a user behaving unexpectedly who may be malicious.
The database needs to store sensitive information like passwords, CVVs, etc. These can be stored as MD5 hashes, SHA, etc.
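The three application-server points above (authenticating users, logging failures, and auditing the log for failed attempts) together with hashed password storage, as an added Python example that is not part of the original post. Where the post mentions MD5 or SHA, this example uses a salted, iterated SHA-256 digest (PBKDF2 from the standard library) rather than a single plain digest; the user table, the log format and the iteration count are assumptions for the example:

```python
import hashlib
import hmac
import os
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tune upwards for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$iterations$digest'; a random per-user salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${PBKDF2_ITERATIONS}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user table; in a real application this is the database row.
USERS: Dict[str, str] = {"alice": hash_password("correct horse battery staple")}

# Verified when the username is unknown, so the response time does not reveal
# whether an account exists.
DUMMY_HASH = hash_password("dummy")

AUTH_LOG: List[str] = []  # in-memory stand-in for the application server's auth log


def login(username: str, password: str, source_ip: str, when: Optional[str] = None) -> bool:
    """Authenticate and record every attempt, successful or not."""
    when = when or datetime.now(timezone.utc).isoformat()
    stored = USERS.get(username, DUMMY_HASH)
    ok = verify_password(password, stored) and username in USERS
    AUTH_LOG.append(f"{when} auth {'OK' if ok else 'FAIL'} user={username} ip={source_ip}")
    return ok


def audit_failed_logins(log_lines: List[str], threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """Return {(user, ip): failures} for every pair at or above the threshold."""
    counts: Counter = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[1] == "auth" and parts[2] == "FAIL":
            user = parts[3].split("=", 1)[1]
            ip = parts[4].split("=", 1)[1]
            counts[(user, ip)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample log, in the same format login() writes.
SAMPLE_LOG = [
    "2015-06-02T09:00:01+00:00 auth OK user=alice ip=203.0.113.5",
    "2015-06-02T09:00:07+00:00 auth FAIL user=alice ip=203.0.113.9",
    "2015-06-02T09:00:09+00:00 auth FAIL user=alice ip=203.0.113.9",
    "2015-06-02T09:00:12+00:00 auth FAIL user=alice ip=203.0.113.9",
    "2015-06-02T09:01:30+00:00 auth FAIL user=bob ip=198.51.100.7",
]


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple", "203.0.113.5"))
    print(login("alice", "guess", "203.0.113.9"))
    print(audit_failed_logins(SAMPLE_LOG))
```

A daily run of audit_failed_logins over the previous day's log is the kind of check the paragraph recommends; the pairs it returns are the ones worth a closer look, and the threshold is the knob that separates a user who mistyped a password from a source that keeps guessing.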

Conclusion:
Analyzing and reviewing the application at the initial stage of development is efficient, because later re-engineering may be required.
A secured web application, when these measures are applied, helps reduce a certain level of risk.
If the application is already built, this will still help to fix vulnerabilities and to keep security in mind in future designs.

Read the 2nd part.

Secure Dose

Author & Editor

The blog is completely related to websec and sometimes other branches of Information Security. It focuses on both theory and practice, with a resource section where I share the presentation PDFs from talks I recently gave. Have a good read, and suggestions are always welcome.
