Merce

Web application security

Securing them Web apps

  • We have been active in the area of system security, without it being one of our lines of business. We have studied network firewalls and system vulnerabilities from the conceptual level down to specific vulnerabilities. We have become convinced that the next generation of vulnerabilities will be found in Web applications.

  • Why Web apps? Those unfamiliar with security challenges and vulnerabilities imagine intruders to be mythical creatures with near-magical properties who break into your computer systems. In truth, intruders can only intrude into systems to the extent of vulnerabilities in them. And vulnerabilities in the core operating system and networking devices are dropping as product companies become more vigilant. The only area where vulnerabilities cannot be controlled is in Web applications. This is because

    • Business application developers are trained to write code, but not trained to write secure code.
    • Developer productivity is inversely proportional to the effort put in to audit code for security vulnerabilities, enforce best practices for secure coding, etc. Therefore there is a natural inclination among dev teams to skimp on security issues.
    • Vulnerabilities are not visible. Therefore customers cannot make intelligent choices between code with vulnerabilities and secure code. Therefore software services companies find it difficult to persuade customers to pay more for writing secure code. They can always win customers by demonstrating quicker development cycles.
    • Actual security exploits are sometimes not thoroughly investigated, which leaves the role of insecure Web application code in enabling the exploit obscure. This prevents customers from maturing with experience and demanding more secure software design practices.
    • Most of the valuable information stores which intruders will target are on servers with Web front-ends. This trend is increasing with the rising popularity of SaaS offerings. Therefore, Web application security is the primary focus of security exploits.

    It is in response to this critical threat that the OWASP community was created. They are doing excellent work to spread awareness and best practices in this area and to turn the spotlight on the need for greater security.

  • Our track record: We have worked with some of the largest financial institutions in India, and software applications we have developed have been exposed to security intrusion attempts of all kinds. Our customers include the NSE, whose NCFM testing and certification system has been a likely target of malpractices in the certification space. We have also built Internet-facing applications for the NSDL, whose applications enable some of the key business operations in the capital markets and e-governance space and are used by millions of users.

    As part of this work, our code has been subjected to tight audits, both manual and tool-based. We have worked with our customers to satisfy such audits and incorporate best practices in the software design and development areas. In addition, we have an interest in this area and have proactively designed and built solutions for customers which enhance the security of their Web applications.

  • Web traffic forensics: We have built a solution for one customer which acts as the digital equivalent of a closed-circuit TV camera at the entrance to a supermarket. The system records all details of all Web accesses hitting the customer's application portal, and then analyses this information to pull out suspicious behaviour, unexpected access patterns, etc. The system works completely independently of the Web application code, so no changes to the application are needed. The forensics monitor also studies the history of behaviour patterns of individual users and tracks them, thus identifying unusual behaviour by a specific user. For instance, if a user always connects to the portal from locations in Mumbai, a sudden access by that user from the United Arab Emirates or Ukraine will be tagged as unusual, and possibly suspicious. We are not aware of any other system which can analyse and process Web traffic in this manner while remaining completely independent of the underlying Web application.
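    The per-user location baseline described above can be illustrated with a small detector that reads an access log and flags a user's first appearance from a country not in that user's history. This is an added example and not Merce's product code; the log format (timestamp followed by key=value fields), the assumption that a GeoIP step upstream has already stamped each record with a country, the learning threshold `min_history`, and the sample log lines themselves are all constructed for the example.

```python
"""Per-user access-location anomaly detection over Web access log lines.

Added example, not the forensics product described on the page. It works
purely on the access log, so the Web application itself is untouched.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. Assumed format: ISO timestamp, then key=value fields.
# The country field is assumed to come from a GeoIP lookup done when the
# record was written. Line 9 is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
2024-01-05T09:12:01 user=alice country=IN path=/login status=200
2024-01-05T09:13:44 user=bob country=IN path=/login status=200
2024-01-05T10:02:10 user=alice country=IN path=/account status=200
2024-01-05T10:05:31 user=carol country=IN path=/login status=200
2024-01-06T09:10:07 user=alice country=IN path=/login status=200
2024-01-06T09:11:52 user=bob country=UA path=/login status=200
2024-01-06T11:40:00 user=carol country=IN path=/report status=200
2024-01-07T09:09:15 user=alice country=IN path=/login status=200
this line is not a valid access record
2024-01-07T22:48:03 user=alice country=AE path=/login status=200
2024-01-08T09:30:12 user=carol country=IN path=/login status=200
2024-01-08T23:55:40 user=carol country=UA path=/account status=200
"""


@dataclass
class Access:
    ts: str
    user: str
    country: str
    path: str
    status: int


LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into an Access, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    try:
        return Access(m.group("ts"), fields["user"], fields["country"],
                      fields["path"], int(fields["status"]))
    except (KeyError, ValueError):
        return None


def find_location_anomalies(lines, min_history=3):
    """Return (line_no, user, country, known_countries) for each access made
    from a country not yet seen for that user.

    A user is only judged once at least `min_history` earlier accesses have
    been observed, so brand-new users get a learning period instead of an
    alert on their very first login. Baselines are built in log order, so an
    anomalous country becomes part of the user's history afterwards; a real
    deployment would want an analyst to confirm before the baseline absorbs it.
    """
    seen = defaultdict(set)   # user -> countries observed so far
    count = defaultdict(int)  # user -> number of prior parsed accesses
    alerts = []
    for line_no, line in enumerate(lines, 1):
        access = parse_line(line)
        if access is None:
            continue  # malformed records are skipped, not fatal
        if count[access.user] >= min_history and access.country not in seen[access.user]:
            alerts.append((line_no, access.user, access.country, sorted(seen[access.user])))
        seen[access.user].add(access.country)
        count[access.user] += 1
    return alerts


def anomalies_in_sample():
    """Run the detector over the constructed sample log."""
    return find_location_anomalies(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for line_no, user, country, known in anomalies_in_sample():
        print(f"line {line_no}: {user} seen from {country}, previously only {known}")
```

On the sample, bob's access from UA (line 6) is not reported because only one earlier access exists for him, while alice (line 10) and carol (line 12) are flagged once their baselines are established. Output like this is a signal for an analyst rather than a block decision: travelling staff, mobile carriers and corporate VPN exits all produce legitimate first-seen countries, so the threshold and the review step matter more than the rule itself.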

RELATED READING

  • The OWASP site

    Open Web Application Security Project, the foremost professional community for Web application security

  • Web traffic analyser: case study

    Web traffic analysis and forensics system we built for one customer

  • SANS

    Largest and most trusted resource for information security training