I was heavily involved in Webapps pen testing & hardening in the past so thought to share some practical tips which Web developers may find useful specially when developing public facing Webapps.
Believe it or not looking at the OSI model (Physical, Data link, Network, Transport, Session, Presentation & Application layers) a whopping 80% of the current Internet vulnerabilities/exploits are targeting the Application layer this covers Webapps and others.
So how can you secure Webapps? Well, most organisations are using the OWASP top 10 (Open Web Application Security Project) as a guideline of which vulnerabilities to address and penetration test against. The OWASP top 10 highlights the top 10 exploited Webapps vulnerabilities (get the PDF here), how they are exploited and how to reduce the risk associated with them. So the first steps towards securing Webapps is to write secure code. OWASP provide tips related to Java and a secure coding cheat sheet , a must read for Web developers.
So is there any other tools/techniques that can be used to secure Webapps, I hear you say? Yes, there are WAS/WAF. That is Web Application Scanners & Web Application Firewalls.
Web Application Scanner (WAS)
These are applications that scan your Webapp when its offline or online and using a database of all known vulnerabilities hammer your application with potential hacks and provide a nice report on any vulnerabilities found. These tools are quite pricey, but they do a good job. They are like anti-virus software because their exploit signatures DB get updated regularly. You can get a trial version which does a limited number of checks, usually XSS and other vulnerabilities. Here are a couple of the commonly used ones:
- Acunetix Web Security Scanner (http://www.acunetix.com/)
- NStalker scanner (http://www.nstalker.com/)
Web Application Firewall (WAF)
WAF provides active defence for live Webapps, the most widely used WAF with the Apache server is the mod_security module (http://www.modsecurity.org/). It provides first class defence for Webapp by examining request/response data against a set of negative signatures.
Also one of the widely used Java security frameworks which is worth having a look at is Spring Security, its so comprehensive that it provides extensive security even at Java method invocation level!
Finally remember, there is no system that is 100% secure, and what is secure today could be insecure tomorrow so security is not just a one off task, it’s ongoing. You just do what you can to ensure the risk of exploits is minimized.