Web 2.0 Security Part 5: Strategies to CUT RISK
Over the past few weeks we've examined the issues inherent with Web 2.0 and in particular AJAX-based applications. These issues need to be dealt with, but they should not be considered "show stoppers" to moving ahead with your Web 2.0 initiative. Consider the security ramifications of the design, implementation, and deployment of your new application carefully. Build security into your new application up front and you'll certainly be able to decrease the potential risks associated with this growing technology.
Consider the following methods to CUT the RISK associated with deploying Web 2.0 applications:
•Check VA tools for AJAX support. Validate that the assessment and test tools you use to verify the security of your applications are capable of:
- Interpreting and evaluating dynamic URLs from JavaScript
- Creating (or capturing at a minimum) requests in the appropriate markup languages
- JSON, XML, D/HTML
•Understand the application. Document and examine regularly:
- Scripts associated with the application
- Data sources accessed
- Access patterns
- Cookies used
•Trust no client. Implement policies that assumes the request is coming from an attacker
- Validate input
- Validate request
- Validate client
•Reduce the number of scripts. If possible, reduce the number of scripts/applications to reduce the entry points through which attackers can gain entry/access to the application
•Invest in a web application firewall. Web Application Firewalls mediate between client and server and provide:
- Application security through request verification
- Client security through response verification
- Not a panacea, but a first line of defense
- Cannot stop logic layer attacks
•Secure sensitive data using SSL.
- SSL for transport layer encryption
- Cookie encryption
•Kick back suspicious data. Data Integrity should be validated on both request and response
- Stop sensitive data from leaving the organization
- Stop malicious data and code from entering the organization
- Choose from one or more options: code (custom), software, hardware
Imbibing: Coffee