ii) Web Apps Security Solutions
What is Web Application Security?
Web application security is the science of securing web and mobile applications from security threats that can cause a wide variety of breaches, frauds and application downtime.
The information science of protecting internet- and web-service-based portals and applications from such security loopholes is called web application security.
What are the threats to Web Application Security?
There are various kinds of threats to web applications and these can exist at various levels. To name a few, we have:
• Client side attacks – Cross-Site Request Forgery (CSRF), SQL Injection, Cross-Site Scripting (XSS), phishing and all sorts of malware
• Backend/database attacks – data theft and data loss
• Network based attacks – TLS/SSL based man-in-the-middle attacks, theft of passwords and protected data, DoS, DDoS, site scraping
• Application level attacks and loopholes – buffer overflows, memory corruption, remote file includes, execution of malicious code not written by the application
• Social engineering attacks – predicting passwords and ATM PINs on the basis of socially shared data and chat/message exchanges
Besides this, any web application, no matter how secure, always faces the threat of spammers and bots which can send large amounts of unsolicited traffic to a site, thereby causing long periods of downtime.
Why do you need Web Application Security?
Web and mobile applications have become highly interactive. Besides just reading static data, we add and update a lot of content on the web. We maintain our social identities and interact with friends and family. We store our personal information on various sites. We query various databases, do financial transactions and even make payments on the web. This all is very convenient but we must know that if the underlying web or mobile application is not secure, then we run into many risks. Web application security helps protect us from the following negative consequences:
• Data Loss and Data Theft like passwords, personal details, bank details
• Misrepresentation of personal information and identity theft
• Disrupted access
• All kinds of Frauds which also have financial implications
• Loss of credit card data and net banking data
• Account hijacking
• System hijacking and email infiltration
Hackers and spammers can also release bots and all sorts of malware on our sites, which can cause our applications to go down, hog all network and CPU cycles and prevent real users from accessing the site.
What are the Web Application Security Standards?
The two major security standards are as follows:
• OWASP – The Open Web Application Security Project
• WASC – The Web Application Security Consortium
How will Brain Tag help secure a Web Application?
What we do?
At Brain Tag we help build secure mobile and web applications. Our tech leads, software developers, QA (software quality assurance) testers and system administrators are inherently trained and brain washed to keep security in mind when designing, coding, testing and deploying software. Security runs in our core architecture designing philosophies, and we maintain a checklist of core security related guidelines and tests which must pass in all our software.
Architect -> Code -> Deploy (RELEASE MGMT.)
1. We design and architect core systems from the ground up with security in mind.
2. During the coding and implementation phase, we keep a close watch, do regular code reviews and check for flawed code that can lead to application level security flaws (like buffer overflows, null pointers etc.)
3. We propose a deployment architecture along with all server configurations which are secure from network and transportation perspectives.
4. We propose a release management process where code is regularly put through security testing so flaws get identified at regular intervals. The mantra is plan, develop, release frequently.
With these techniques, we are able to prevent all of the threats as mentioned above.
If your application is facing security problems and is running into security loopholes or threats, then we can also help by providing a top down approach to monitoring, controlling, securing, and optimizing the application. We will use our highly-accurate and advanced testing capabilities to do the following:
1. Do feasibility analysis for a particular set of security attacks
2. Identify high-risk vulnerabilities
3. Identify flaws in coding and deployment infrastructure
4. Assess magnitude of potential business and operational impact
5. Provide quick remedies with prioritized results and fix-it recommendations
6. Generate reports with quick, actionable data
7. Verify the fixes
How Brain Tag will support Web App Security
We support web security in all aspects of development of a web application, like core design, core application logic, backend and database, web services, network layers, launch hardware and deployment. Whatever the technology used (JSON, jQuery, REST, AJAX, Flash, HTML5, CSS, XML-RPC, SOAP etc.) and whatever the language (PHP, Python, Java, .NET, Ruby etc.), we ensure web application security across complete application workflows.
a. Selection of technologies
• i. We only advocate usage of secure libraries, secure APIs and secure web services which are well unit tested and which comply with all regulatory requirements.
• ii. While evaluating 3rd party frameworks or open source tools, we check the available release notes and known security threats, if any.
• iv. Themes for WordPress, Drupal and other CMS systems are not always SSL or security friendly.
b. Low Level Database structure and setup - To name a few and to cite some examples, we test for the following:
• i. Secure database access – ACLs for the various tables, along with proper privilege levels, need to be set. Permission based views must be defined along with role based authentication.
• ii. Encryption of data stored in DB must be considered for high profile data like passwords etc.
• iii. Unauthorized connections to databases must be restricted using IP security policies – communication channels should be secure
• iv. Plan for database backups and recovery at regular intervals
c. Core architecture and Policies - We set guidelines and how-to’s for various policies which eventually form the core backbones of security. The decisions taken with regards to these policies are very crucial. To name a few, security gets affected by how you code and account for the following:
• Input Validation – failure to sanitize input to and from application
• Configuration Management
• Sensitive Data
• Cryptography and encryption – strength of the algorithms and hash functions
• Parameter Manipulation
• Exception Management
• Auditing and Logging
d. Coding Guidelines and Best Practices – Getting into low level code and doing code review is a must. The following are typical security loopholes we detect in underlying code: dead stores, memory leaks, null pointer dereferences, incorrect pointer values, illegal array indices, bad function arguments, type mismatches, uninitialized variables, string expansion errors, option insertion errors, SQL injection, CSRF, XSS etc.
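As an added illustration of two of the points above (input validation against SQL injection from section c, and encrypted storage of passwords from section b), the following Python example is not Brain Tag's code; it builds a constructed in-memory SQLite users table and contrasts a query that concatenates user input with its parameterized counterpart, and stores passwords as salted PBKDF2 hashes rather than plaintext. Table and user names are assumptions for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256) for stored passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts, passwords stored only as salt + hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in (("alice", "correct horse battery staple"), ("bob", "hunter2!x")):
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    conn.commit()
    return conn


def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def count_matches_vulnerable(conn: sqlite3.Connection, username: str) -> int:
    """Flawed form: user input is spliced into the SQL text, so a quote in the
    input changes the query structure (the loophole code review must catch)."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()[0]


def count_matches_safe(conn: sqlite3.Connection, username: str) -> int:
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    return conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ?", (username,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"          # input that matches no real username
    print("vulnerable:", count_matches_vulnerable(db, tautology))  # every row
    print("safe:      ", count_matches_safe(db, tautology))        # no row
    print("login ok:  ", verify_password(db, "alice", "correct horse battery staple"))
```

The vulnerable query returns every row for the crafted input because the quote terminates the string literal, while the parameterized query treats the same bytes as an ordinary username and finds nothing; the same pattern (bound parameters, never string building) applies to every database driver the languages above ship with.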
e. Deployment and Cloud Computing – At Brain Tag we focus on detail so that we avoid errors in the setup, configuration and linking of your network with the various servers, databases, firewalls etc. To name a few and to cite some examples, we test for the following:
• i. Make sure to update your server and operating system with latest service packs and software patches
• ii. Make sure that only the services that you require are enabled.
• iii. Ports that are not required should be closed. Disable FTP, telnet, SMTP and NNTP if they are not being used.
• iv. Change default admin accounts, enforce strong password policies and remove unused LDAP user accounts.
• v. Use valid strong SSL certificates
• vi. Control read/write access to web code directories
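As an added example (not Brain Tag's tooling) of how points ii, iii and vi of this deployment checklist can be verified on a host, the Python script below parses a constructed sample of `ss -tlnp` output, flags any listening port outside an assumed allowlist (with the database permitted on loopback only), and checks the mode bits of a web code directory for group- or world-write access. The allowlist, port numbers and directory path are assumptions chosen for the example.

```python
import re
import stat
from typing import List, Tuple

# Constructed sample of `ss -tlnp` output; not captured from any real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1020,fd=6))
LISTEN 0      32     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1201,fd=4))
LISTEN 0      10     0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=640,fd=5))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1300,fd=21))
"""

# Assumed policy for the example host: only SSH and HTTPS exposed, MySQL local only.
ALLOWED_PORTS = {22, 443}
LOOPBACK_ONLY_PORTS = {3306}

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (local address, port, process name) for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def audit_listeners(listeners: List[Tuple[str, int, str]]) -> List[str]:
    """Points ii and iii: every listener must be allowlisted, or loopback-only."""
    findings = []
    for addr, port, proc in listeners:
        if port in ALLOWED_PORTS:
            continue
        if port in LOOPBACK_ONLY_PORTS and addr.startswith("127."):
            continue
        findings.append(f"port {port} ({proc}) listening on {addr} is not in the allowlist")
    return findings


def audit_dir_mode(path: str, mode: int) -> List[str]:
    """Point vi: web code directories must not be writable by group or others.
    `mode` is the st_mode value (e.g. from os.stat(path).st_mode)."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{path} is world-writable")
    if mode & stat.S_IWGRP:
        findings.append(f"{path} is group-writable")
    return findings


def run_audit(ss_output: str, web_dir: str, web_dir_mode: int) -> List[str]:
    return audit_listeners(parse_listeners(ss_output)) + audit_dir_mode(web_dir, web_dir_mode)


if __name__ == "__main__":
    # 0o777 is a constructed, deliberately bad mode for the demonstration.
    for finding in run_audit(SAMPLE_SS, "/var/www/html", 0o40777):
        print("FINDING:", finding)
```

On a real host the `ss` text would come from `subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout` and the mode from `os.stat(path).st_mode`; the sample here shows the two checklist violations (FTP and telnet listening on all interfaces) plus the permissive directory, and passes the loopback-only database.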
f. Release Management Cycle – Plan, develop and release frequently, and with each release run security tests. Iterative testing and fixing is preferred over testing only at project completion, at the very end.
What technology and tools do we use?
At Brain Tag, we use various tools to identify security pitfalls. No single tool is enough or complete by itself. We adopt a hybrid approach wherein we use a mix of the many tools listed below to do a 100% security analysis on an application.
• a. Internal tools which allow us to simulate security threats, generate attack payloads and break websites. We optimize and enhance security in apps until we can't break them ourselves.
• b. Web security scanners that can detect various vulnerabilities, like w3af and skipfish
• c. Penetration testing tools like Metasploit and nmap
• e. Fuzzing – injecting semi-random data into a program/stack to detect bugs, with tools like JBroFuzz
What Standards do we follow?
At Brain Tag we follow the OWASP Top 10, which describes in detail some of the most common attacks on web based applications. We also keep regularly updated with the Web Hacking Incident Database so we know which tools to avoid using. We also follow the latest open source best practices document on web application security.
This is all in addition to the latest web security guidelines released by Microsoft and Google.
Testing for hidden issues?
Information security professionals and hackers alike often use social science for manipulation. They are able to gain the confidence of end users and convince them to inadvertently provide certain key pieces of information, which is then used to initiate security threats. This is the most obvious reason for leaks but also the most neglected.
Do you store passwords in files on your computers? Do you use common data like your name, date of birth, city of birth, favourite pet's name etc. for your PINs and passwords? It is a habitual aspect which must be fixed.
Techniques like tailgating, baiting and pretexting are common means of social engineering that cause security breaches.
Phishing, where the attacker sends an email or makes a phone call that appears to be legitimate – the user clicks on a link in an email which looks real and ends up submitting all their information to the attacker.
At Brain Tag, we avoid such hidden issues by ensuring that:
• Our employees are trained on how to handle sensitive information.
• We establish security protocols, policies and procedures for handling the right amount of information at the right level.
• We offer training to our clients on the same as their CTO.
Security is not a one-time check. After deployment of your application, you must run it through a battery of web application security tests at regular intervals.
If your site undergoes continuous releases, feature enhancements or bug fixes, it is important to follow up with the security test runs on each deployment.
At Brain Tag we provide an EED (engineering eye for detail) service wherein we will audit and assess your application for security pitfalls at regular intervals and code in the necessary fixes.