When it comes to securing Web sites and applications, many people rely on network-based controls to, presumably, keep everything in check. Be it next-generation firewalls, intrusion prevention systems, or dedicated WAFs, the assumption is that everything is safe and sound at the Web layer as long as one of these controls is in place. Based on the Web security vulnerabilities that I see in my work, I’m not convinced that it’s all that simple.
Now, I will say, I’m all about using what you’ve got to maximize the effectiveness of your overall information security program. Why procure more technologies or reinvent the wheel when you can leverage what you’ve already paid for and have at your disposal? The thing is, when it comes to Web security vulnerabilities, you have to understand what your risk tolerance is. In order to understand your risk tolerance, you have to actually acknowledge the risks that are present in your Web environment. I think it’s safe to say that half of the businesses out there have yet to do that. Furthermore, it’s probably safe to say that most businesses have not done everything they can to seek out Web-related flaws that are creating business risks.
That’s where the trouble starts and why you have to be careful when deploying network security controls to protect Layer 7. Here are some common Web security flaws that I come across in practically every Web security assessment that I perform:
I may be wrong – I often am – but I just can’t think of any reasonable network-layer security control that’s going to effectively detect and mitigate any of these Web flaws – flaws that can be used to further penetrate the network environment. Perhaps some highly tweaked WAF rules could help, but how long is it going to take to fine-tune your security controls to that level? There’s no doubt that Web security vulnerabilities such as cross-site scripting and SQL injection can be detected and blocked by such controls. After all, they are some of the most common and dangerous Web security vulnerabilities. But it’s the small stuff I listed above, added together over time, that can create big security issues. This is why I don’t believe you can rely solely on traditional network security measures to lock down your Web environment.
My point in all of this is that IT has evolved and continues to do so. You absolutely have to think outside the box and look at information security from a holistic perspective if you’re going to find and fix everything that matters on your network. Get together with other teams. Get management involved. Understand the impact that all network systems have on the business and understand your security risks across the board. Anything short of that is simply not enough.