how to guide: secure web apps


observe secure coding principles and best practices. In the early days of the web, security was often neglected by developers, but this is getting better as awareness improves. However, even the most security-conscious of organisations can suffer from vulnerabilities in their web application code.

Technical measures

There are various technical measures that can help identify and address vulnerabilities in web applications. One example is source code analysis software, which looks for known flaws in the underlying code of a website. However, some websites rely on third-party code that cannot be accessed. Another is to use a web application scanner, which automates security testing to identify potential weak points. This can be used to test third-party code, but while web application scanners will pick up a lot of the most common vulnerabilities, they are not infallible. A third approach is to use a web application firewall (WAF). This is a system that sits between the network firewall and the web server, analysing all the application traffic that comes through to the web application. WAFs work in two ways – negatively and positively. The negative approach involves comparing incoming traffic against a blacklist of known malicious behaviour patterns. This is quick to set up, as many WAFs come with preloaded blacklists and profiles for particular web application platforms, such as Microsoft’s SharePoint or Oracle applications. However, the negative approach requires that the malicious behaviour has already been identified. The positive approach, by contrast, involves a ‘whitelist’ of approved behaviour patterns. Any incoming traffic that deviates from this whitelist is automatically blocked. Of course, what constitutes normal, approved behaviour is relative to every individual site, so a WAF needs time to analyse traffic in order to build the whitelist, and it may require more work to set up. One advantage of doing this is that when a ‘zero day’ vulnerability emerges (i.e. one that has only just been identified) the chances are that the associated behaviour will already be blocked.

The most effective way to secure web applications is to use a combination of all these methods. Some WAFs use both positive and negative approaches, while some web application security scanners can export their findings in such a way that can be uploaded to the WAF to immediately plug vulnerabilities as they arise. And while most software
developers will want to fix any vulnerability in code they have written, heavy workloads mean that they cannot always do that straight away. Using a WAF means threatening behaviours can be blocked immediately, giving developers time to address the underlying issue.

12 www.information-age.com
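The two WAF modes described above, as a toy rule engine added here for illustration (not code from the article, F5 or any vendor's product): a negative model that matches parameter values against a small constructed blacklist, and a positive model that learns, per path, which parameters occur, how long their values are and whether they stay 'simple', then blocks anything that deviates. The sample traffic, paths and signatures are all constructed.

```python
import re
from collections import defaultdict

# Negative model: constructed, deliberately minimal signatures of known-bad input.
BLACKLIST = [
    re.compile(r"<script", re.I),             # script tag inside a parameter value
    re.compile(r"'\s*or\s+1\s*=\s*1", re.I),  # classic SQL tautology
]
SAFE = re.compile(r"[\w@.\-]*")               # the 'simple' value shape the model tracks

def negative_check(request):
    """Blacklist: True if any parameter value matches a known-bad pattern."""
    return any(p.search(v) for v in request["params"].values() for p in BLACKLIST)

class PositiveModel:
    """Whitelist learned from traffic: per path, parameter names, max length, shape."""
    def __init__(self):
        self.profile = defaultdict(dict)

    def learn(self, request):
        prof = self.profile[request["path"]]
        for name, value in request["params"].items():
            e = prof.setdefault(name, {"max_len": 0, "simple": True})
            e["max_len"] = max(e["max_len"], len(value))
            e["simple"] = e["simple"] and SAFE.fullmatch(value) is not None

    def is_anomalous(self, request):
        prof = self.profile.get(request["path"])
        if prof is None:
            return True                       # path never seen during learning
        for name, value in request["params"].items():
            e = prof.get(name)
            if e is None or len(value) > e["max_len"]:
                return True                   # unknown parameter or oversize value
            if e["simple"] and SAFE.fullmatch(value) is None:
                return True                   # value shape deviates from the profile
        return False

def decide(request, model):
    """Negative check first (cheap, known-bad), then the learned positive profile."""
    if negative_check(request):
        return "block:blacklist"
    return "block:anomaly" if model.is_anomalous(request) else "allow"

def run_demo():
    """Constructed traffic: a learning phase on /login, then three requests to classify."""
    model = PositiveModel()
    for user in ("alice", "bob.smith", "carol_99"):
        model.learn({"path": "/login", "params": {"user": user, "pw": "x" * 12}})
    probes = [
        {"path": "/login", "params": {"user": "dave", "pw": "hunter2"}},      # normal
        {"path": "/login", "params": {"user": "' or 1=1 --", "pw": "x"}},    # known-bad
        {"path": "/login", "params": {"user": "eve", "debug": "1"}},         # never-seen param
    ]
    return [decide(r, model) for r in probes]
```

The third probe carries no blacklisted pattern, so only the learned profile catches it; that is the 'zero day' case the article describes, and it is also why the positive model needs a clean learning phase before it is switched to blocking.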


www.f5.com

