Web Application Security is a Stack

Web Application Security is a Stack: How to CYA (Cover Your Apps) Completely

Lori Mac Vittie
Copyright Date: 2015
Published by: IT Governance Publishing
Pages: 71
    Book Description:

    The web application stack - a growing threat vector
    Understand the threat and learn how to defend your organisation

    This book is intended for application developers, system administrators and operators, as well as networking professionals who need a comprehensive top-level view of web application security in order to better defend and protect both the 'web' and the 'application' against potential attacks. This book examines the most common, fundamental attack vectors and shows readers the defence techniques used to combat them.

    Contents:
      • Introduction
      • Attack Surface
      • Threat Vectors
      • Threat Mitigation
      • Conclusion
      • About the Author

    Lori MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organisations, in addition to network and systems administration expertise. Prior to joining F5, Lori was an award-winning technology editor at Network Computing Magazine. She holds a BS in information and computing science from the University of Wisconsin at Green Bay, and an MS in computer science from Nova Southeastern University. She is technical editor and member of the steering committee for CloudNOW, a non-profit consortium of the leading women in Cloud computing.

    eISBN: 978-1-84928-705-0
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
    (pp. 5-5)
    (pp. 6-6)
  4. Table of Contents
    (pp. 7-7)
    (pp. 8-12)

    In 2011 an exploit taking advantage of a vulnerability in the Apache web server rapidly circulated across the Internet. Apache, at the time, was used by more than 65% of websites, according to Netcraft, so this was a serious issue which required immediate remediation. The exploit took advantage of a little-known vulnerability in the way Apache handled two HTTP headers, Range and Request-Range: a single request asking for hundreds of overlapping byte ranges forced the server to allocate and assemble a response part for every one of them. Exploitation of this vulnerability resulted in, as described by CVE-2011-3192, “very significant memory and CPU usage on the server”, that is, denial of service (DoS) through resource exhaustion; because one small request does so much work, the attack does not depend on a large botnet, although it was also launched in distributed form.

    In late 2013, a highly complex DDoS attack¹ on a prominent...
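    The following Python check is an added illustration, not code from the book or from Apache, of how an edge proxy or WAF filter can recognise the two signatures of the 2011 Range-header exploit: an excessive number of byte-range-specs in one request, and ranges that overlap one another. The function names, the five-range threshold (Apache's own interim mitigation was a mod_rewrite rule allowing at most five ranges) and the sample headers, including the constructed proof-of-concept-shaped header, are assumptions made for this example.

```python
"""Classify HTTP Range headers to catch CVE-2011-3192-style abuse.

Added example (not the book's or Apache's code). Assumes a request hook at a
reverse proxy or WAF that sees headers before the origin does. Sample headers
below are constructed for illustration; the long one reproduces the shape of
the public 2011 proof of concept (one open range followed by ~1300 ranges that
all start at byte 5).
"""
import re

# One byte-range-spec (RFC 7233): "first-last", "first-" or "-suffix".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

# Assumed threshold: browsers and download managers rarely send more than a
# handful of ranges; Apache's 2011 mod_rewrite workaround also allowed five.
MAX_RANGES = 5

# Constructed sample in the shape of the 2011 proof of concept.
APACHE_KILLER_HEADER = "bytes=0-," + ",".join(f"5-{i}" for i in range(1300))


def parse_spec(spec: str, content_length: int):
    """Resolve one byte-range-spec to an inclusive (first, last) tuple.

    Returns None for syntactically invalid or unsatisfiable specs.
    """
    m = _RANGE_SPEC.match(spec)
    if not m:
        return None
    first, last = m.groups()
    if first == "" and last == "":
        return None                      # "-" alone is not a range
    if first == "":                      # "-n": the final n bytes
        n = int(last)
        if n == 0:
            return None
        return (max(content_length - n, 0), content_length - 1)
    f = int(first)
    if f >= content_length:
        return None                      # unsatisfiable; server would send 416
    l = int(last) if last else content_length - 1
    if l < f:
        return None                      # RFC 7233: last < first is invalid
    return (f, min(l, content_length - 1))


def classify_range(header: str, content_length: int,
                   max_ranges: int = MAX_RANGES) -> str:
    """Return 'ok', 'invalid', 'too_many' or 'overlapping' for a Range value.

    The count check runs on the raw, unparsed list so that a hostile header is
    rejected before any per-range work is done, which is the whole point of
    the defence: the exploit's cost to the server is proportional to the
    number of ranges it is willing to process.
    """
    if not header.lower().startswith("bytes="):
        return "invalid"
    specs = [s.strip() for s in header[len("bytes="):].split(",") if s.strip()]
    if not specs:
        return "invalid"
    if len(specs) > max_ranges:
        return "too_many"
    ranges = []
    for spec in specs:
        r = parse_spec(spec, content_length)
        if r is None:
            return "invalid"
        ranges.append(r)
    ranges.sort()
    # Any range starting at or before the previous range's end overlaps it.
    for (_, prev_last), (first, _) in zip(ranges, ranges[1:]):
        if first <= prev_last:
            return "overlapping"
    return "ok"


if __name__ == "__main__":
    resource_size = 1000  # constructed size of the requested resource
    samples = {
        "normal single range": "bytes=0-499",
        "two disjoint ranges": "bytes=0-499,500-999",
        "suffix range": "bytes=-200",
        "overlapping ranges": "bytes=0-499,200-700",
        "last before first": "bytes=500-100",
        "proof-of-concept shape": APACHE_KILLER_HEADER,
    }
    for label, value in samples.items():
        print(f"{label:24s} -> {classify_range(value, resource_size)}")
```

    A filter that returns anything other than `ok` can either drop the Range header and serve the whole resource, or answer 416; both avoid the multipart response that exhausted memory. The same check should be applied to the legacy Request-Range header, which Apache also honoured. Apache's own fix coalesced overlapping ranges and later added the MaxRanges directive (default 200), so on a patched server this check is defence in depth rather than the only control.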

    (pp. 13-28)

    Web application security tends to be viewed as the purview of developers. It is, after all, about the application, and thus much of the focus on protecting against attacks falls to application developers. The OWASP Top 10, for example, focuses primarily on the methods used by attackers to manipulate application data to gain system access, execute remote commands and generally extract data beyond security controls that may be in place. These attacks target the data exchanged between a client and the application, taking advantage of vulnerabilities in parsing and lax security practices in input validation.

    But a web application can...

    (pp. 29-47)

    As we have seen, there are a wide variety of ways in which attackers can exploit web applications. Many of the available attack surfaces provide miscreants with the ability to carry out several different types of attacks. Attackers, it turns out, are not all motivated by the same end goals. Some attack for profit, others for fun, others for revenge, and some are in the business of collecting end-user systems that can later be rented out to attackers for nefarious purposes.

    The end goal of the attackers – the human part of the equation – is outside the scope of this book....

    (pp. 48-65)

    Mitigating threats across the web application stack requires consideration of the primary threat vectors through which web applications are attacked. This is made more difficult by the reality that not all attackers are human; attacks are often carried out by compromised devices that have fallen prey to malware. Careful consideration of all interaction with users is necessary, including attempting to distinguish between bots, spiders and human beings.

    There are three logical points at which it makes sense to apply application security policies. Each provides the means to apply a different approach to mitigating potential attacks, based on the state of...

    (pp. 66-66)

    Web application security is a stack of attack surfaces and defensive mitigating solutions. It is not enough to protect web applications with only one technique, or at only one layer of the stack. Vulnerabilities in the platform, or in protocols, such as TCP or HTTP, are just as devastating to the security and availability of applications as attacks against the application itself.

    A full stack of mitigating solutions is necessary to realise a positive web application security posture. It is important to note that a comprehensive approach requires collaboration across network, security, operations and development teams, as each has a...

    (pp. 67-71)