Hyperguarding your Web Applications

Posts Tagged ‘Web Application’

Strong Passwords for Developers

Posted by hyperguard on May 13, 2010

We came across a new blog this week, EthicalHack.co.uk, that we wanted to share with our readers. It is written by Vishal Garg and is dedicated to application security (and hacking). A great read, and definitely worth following.

That being said, we wanted to highlight Vishal’s latest post on web application designers and developers choosing strong password policies for web applications. This topic is usually discussed from the end user’s point of view, not from the developer’s, and all too often weak password policies are implemented. This in turn leaves it to end users to choose strong passwords, which they tend to do poorly. Vishal provides four helpful tips to consider when implementing strong password policies within web applications:

1. Password Complexity

A strong password should contain characters from at least three of the following four categories (although implementing all four would be even better):

  • Upper case letters (A through Z)
  • Lower case letters (a through z)
  • Numbers (0 through 9)
  • Non-alphanumeric characters (e.g. !"£$%^&*@#?+ etc.)

2. Password Uniqueness

A strong password policy should enforce uniqueness of characters: avoid character repetition, number and letter sequences, and passwords that wholly or partly match the user name or common dictionary words.

3. Password Length

Password length is directly proportional to the amount of time required to crack the password. Although the optimum length to hinder most password cracking attempts is considered to be more than 14 characters, implementing a policy that requires a minimum of eight characters along with the above requirements would still be sufficient to stop most attacks.

4. Password Aging and Expiry

Password aging and expiry may be considered for high profile web sites, but this requirement needs to be considered very carefully. If implemented poorly, it may prove counterproductive; e.g. asking users to change passwords very frequently may prompt them to choose weak passwords (e.g. Password1, a password meeting the first three requirements but still considered weak), or to write their password down somewhere. If considered carefully, strong password implementation policies prevent users from choosing weak passwords and help prevent compromise of user accounts through brute force attacks.
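The four tips above describe one policy check, so here is a single worked example covering all of them. This is an added illustration, not code from the original post or from Vishal’s blog: the word list, the sequence sources, the thresholds and the 180-day default expiry are assumptions chosen for the demonstration, and a real deployment would use a proper dictionary and its own limits.

```python
import re
from datetime import date, timedelta

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}

# Sources used to detect letter, number and keyboard sequences (assumption).
SEQUENCE_SOURCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop")


def category_count(pw):
    """Tip 1: count how many of the four character categories are present."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def has_repetition(pw, run=3):
    """Tip 2: `run` or more identical characters in a row, e.g. 'aaa'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=3):
    """Tip 2: any forward or backward run of `run` chars from a sequence source."""
    low = pw.lower()
    for src in SEQUENCE_SOURCES:
        for i in range(len(src) - run + 1):
            chunk = src[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def contains_username(pw, username, min_part=4):
    """Tip 2: the whole user name, or any `min_part`-char slice of it."""
    low, user = pw.lower(), username.lower()
    if user in low:
        return True
    return any(user[i:i + min_part] in low
               for i in range(len(user) - min_part + 1))


def contains_dictionary_word(pw):
    """Tip 2: password contains a common dictionary word as a substring."""
    low = pw.lower()
    return any(word in low for word in COMMON_WORDS)


def check_password(pw, username, min_length=8, min_categories=3):
    """Tips 1-3 combined: return the list of policy violations (empty = accepted)."""
    problems = []
    if len(pw) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if category_count(pw) < min_categories:
        problems.append("fewer than %d character categories" % min_categories)
    if has_repetition(pw):
        problems.append("repeated characters")
    if has_sequence(pw):
        problems.append("keyboard, alphabet or number sequence")
    if contains_username(pw, username):
        problems.append("contains the user name")
    if contains_dictionary_word(pw):
        problems.append("contains a common dictionary word")
    return problems


def password_expired(last_changed, today, max_age_days=180):
    """Tip 4: aging check with a deliberately long default so users are not
    pushed into rotating through weak passwords (max_age_days is an assumption)."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    # "Password1" passes complexity and length but fails the dictionary check,
    # which is exactly the weak-password case the post warns about.
    print(check_password("Password1", "alice"))
    print(check_password("Tr0ub4dor&3", "alice"))
    print(password_expired(date(2010, 1, 1), date(2010, 5, 13), 90))
```

The checks are ordered so that the cheap structural tests run first and the list of reasons can be shown to the user; the dictionary test is the one that rejects `Password1`, which is why tips 1 and 3 alone are not enough.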



SANS: “60% of Attack Activity Directed to Hack Web Sites” (!) Yikes.

Posted by hyperguard on September 17, 2009

Earlier this month, SANS Institute issued a new biannual report with some scary statistics about web applications. If you don’t have time to sift through the entire report (it’s worth the time if you can), the short version is that OS attacks are down, application threats are up, and attacks on web applications (such as websites) are way up: 60% of the total activity according to Rohit Dhamankar of TippingPoint’s DVLabs. Mr. Dhamankar’s company provided a lot of the data for the SANS report. Here’s an excerpt from the report:

“Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.”

Think about cloud computing after reading what SANS has found and realize that cloud applications are even more exposed to this problem. Those in the industry have known this to be the case for a long time, so it’s good to see SANS making headlines with the actual data! Hopefully the New York Times coverage helps shed much needed light on this issue.


Reaction to SearchSOA.com: Common WebAppSec exploits

Posted by hyperguard on September 17, 2009

Great article on the 16th from SearchSOA.com by Rob Barry. He interviews a developer at Mozilla Labs – Joe Walker – about a few of the OWASP Top 10 and how to develop around them. Walker’s focus as a developer is on creating / patching / managing security threats to apps. What’s missing from Barry’s article, however, is the incredible pain this approach causes companies right now.

Refactoring code once it’s in use (particularly web apps and cloud services) is incredibly expensive, time consuming and difficult. Source code scanners play a role in easing some of this pain, although web application firewalls (WAFs) are a much more practical fix, AND linking the scanner software directly with the WAF cuts down the need for application downtime.

If done right, the scanner detects software vulnerabilities and feeds any findings directly into the WAF. For our distributed WAF (dWAF) solution, hyperguard, all security lapses identified by a scanner are immediately presented to the administrator through dynamic ruleset suggestions. Conflicting dWAF rulesets, which may leave holes in web application shielding, are prevented. In plain English, this means that development, testing and deployment of new application security policies can happen in real-time without ever relaxing the established defenses or risking false positives. ‘Patches’ are applied through the dWAF until regular maintenance cycles can be scheduled to refactor the actual application code.
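To make the scanner-to-WAF workflow in the two paragraphs above concrete, here is an added example that is not hyperguard’s code and does not reflect its actual rule format: it takes constructed scanner findings, turns each into a suggested "virtual patch" rule, refuses suggestions that conflict with an existing rule on the same path and parameter, and evaluates sample requests against the resulting rule set. The finding format, the rule fields, the detection patterns and the sample requests are all assumptions made for the demonstration.

```python
import re

# Constructed scanner output (hypothetical format, not a real scanner's).
SCANNER_FINDINGS = [
    {"path": "/login", "param": "user", "type": "sqli"},
    {"path": "/search", "param": "q", "type": "xss"},
]

# Coarse detection patterns per finding type (assumption; a real WAF ships
# far more thorough signatures and normalisation).
PATTERNS = {
    "sqli": r"('|--|;|\bunion\b|\bor\b\s+\d+=\d+)",
    "xss": r"(<\s*script|javascript:|\bon\w+\s*=)",
}


def suggest_rules(findings):
    """Turn each scanner finding into a blocking rule scoped to one path+parameter."""
    return [
        {
            "path": f["path"],
            "param": f["param"],
            "action": "block",
            "pattern": PATTERNS[f["type"]],
            "source": f["type"],
        }
        for f in findings
    ]


def find_conflicts(existing, suggested):
    """A conflict is two rules on the same path+param with opposite actions;
    the post's point is that such a pair must not silently reach production."""
    return [
        (e, s)
        for s in suggested
        for e in existing
        if e["path"] == s["path"] and e["param"] == s["param"]
        and e["action"] != s["action"]
    ]


def merge_rules(existing, suggested):
    """Apply only the conflict-free suggestions; return (ruleset, rejected)."""
    conflicting = {id(s) for _, s in find_conflicts(existing, suggested)}
    accepted = [s for s in suggested if id(s) not in conflicting]
    rejected = [s for s in suggested if id(s) in conflicting]
    return existing + accepted, rejected


def evaluate(rules, request):
    """Return ('block', source) for the first matching block rule, else ('allow', None)."""
    for rule in rules:
        if rule["path"] != request["path"]:
            continue
        value = request["params"].get(rule["param"], "")
        if rule["action"] == "block" and re.search(rule["pattern"], value, re.I):
            return "block", rule["source"]
    return "allow", None


if __name__ == "__main__":
    # An administrator-written allow rule that would clash with the xss suggestion.
    existing = [{"path": "/search", "param": "q", "action": "allow",
                 "pattern": r"^[\w\s]+$", "source": "manual"}]
    rules, rejected = merge_rules(existing, suggest_rules(SCANNER_FINDINGS))
    print("rejected suggestions:", [(r["path"], r["param"]) for r in rejected])
    print(evaluate(rules, {"path": "/login", "params": {"user": "admin' --"}}))
    print(evaluate(rules, {"path": "/login", "params": {"user": "alice"}}))
```

The conflict check is the part worth keeping: without it, a suggested block rule and an older allow rule on the same parameter would leave the outcome dependent on rule order, which is exactly the kind of hole the post says a good dWAF integration must prevent.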


Cloud Applications are Highly Exposed to Threats

Posted by hyperguard on August 5, 2009

Accessing cloud technologies requires a thin client, and the world’s most commonly used thin client for this purpose is a web browser. This means the vast majority of all applications on the Internet have some kind of web and / or application server on which the business logic is implemented. Currently, most of the money spent on security goes into firewalls and antivirus solutions, but in the last 10 years the typical target for attacks has shifted from the network layer to the application layer, because the operating systems and services exposed to the general public have been trimmed down and hardened. As a result, it is now easier to target the application logic or framework of an application than the actual server behind the hardened network perimeter. Applications are mostly developed by the businesses themselves, and not every developer considers security the highest priority, which leads to a wide variety of problems.

The IBM X-Force® 2008 Annual Report highlights that web application vulnerabilities are the Achilles’ Heel for corporate IT security. The impact of not being able to secure these vulnerabilities is far reaching.

Stay tuned for thoughts and details on this topic.

[Images 1 & 2: Cumulative Count of Web Application Vulnerabilities; Vulnerability Consequences as a Percentage – source IBM X-Force®]
