Strategies for Improving Web Application Security


7/29/2019 Strategies for Improving Web Application Security

Report ID: S6950513

Strategies for Improving Web Application Security

Web applications are fraught with risk, but for most companies, not having them is not an option. They're just too important to customers and to the business. In this Dark Reading report, we recommend some best practices for balancing the needs of the business with security requirements. It doesn't take special certification or a million dollars, but it does take planning, time, and a smart combination of tools and best practices.

By Randy George

reports.informationweek.com

Presented in conjunction with Dark Reading
TABLE OF CONTENTS

3 Author's Bio
4 Executive Summary
5 Strategies for Improving Web Application Security
5 Security Strategies
5 Figure 1: Biggest IT Security Challenges
6 Figure 2: Security Breaches Over Past Year
7 Network: Stash Servers in DMZ
7 Network: Double-Check Firewall Rules
7 Tools: Protection Out Front
8 Applications: Harden Your Web Servers
8 Figure 3: Effectiveness of Security Practices
9 Tools: Make Frequent Use of Vulnerability Scanners
9 Applications: Beware of Application Defaults and Security Context
10 Process: Get Involved With Design Meetings
11 Process: The Security Team and the QA Team Should Be a Close-Knit Group
13 Related Reports

ABOUT US

InformationWeek Reports analysts arm business decision-makers with real-world perspective based [...] and quantitative research, business and technology planning tools, and adoption best practices gleaned [...] experience.

OUR STAFF

Lorna Garey, content director; Heather Vallis, managing editor, research; Elizabeth Chodak, copy chief; Tara DeFilippo, associate art director.

Find all of our reports at reports.informationweek.com
2013 InformationWeek, Reproduction Prohibited

Randy George, InformationWeek Reports

Randy George has covered a wide range of network infrastructure and information security topics in his four years as a regular InformationWeek and Network Computing contributor. He has 13 years of experience in enterprise IT and has spent the last eight years working as a senior-level systems analyst and network engineer in the professional sports industry. Randy holds various professional certifications from Microsoft, Cisco and Check Point; a BS in computer engineering from Wentworth Institute of Technology; and an MBA from the University of Massachusetts Isenberg School of Management.
EXECUTIVE SUMMARY

Web applications are the most frequent targets for online hackers, partly because they are your enterprise's most visible points of entry and partly because they are notoriously fraught with vulnerabilities. At the same time, most enterprises must maintain a Web presence in order to do business, so there's little choice about facing the risk. With that in mind, we recommend best practices to focus on as your Web applications move from development to production.
Strategies for Improving Web Application Security

Because Web apps are so crucial to both the internal and external operations of many businesses today, their availability and security are not only expected by customers but demanded. To that end, it's not uncommon for an organization to spare no expense when it comes to Web applications. The importance of Web applications to a business also puts tremendous pressure on security pros, because there's nothing more embarrassing than having a critical website or Web application defaced, hacked or otherwise compromised. Unfortunately, in the race to build applications that are fast and that work, many businesses pressure developers to put those concerns over the application's security.

In this Dark Reading report, we make recommendations for striking a balance among performance, availability and security.

Security Strategies

Being proactive about Web application security should be a top IT priority: When a Web application is taken out, money is lost. And for big-name businesses at least, it's not the financial loss that hurts the most; it's the loss to reputation. Protra[...] important Web application[...] customers and the CEO al[...]

Figure 1: Biggest IT Security Challenges

Which of the following are the biggest information or network security challenges facing your c[...]? (2013 vs. 2012)

Challenges charted: Enforcing security policies; Managing the complexity of security; Controlling user access to systems and data; Assessing risk; Getting management buy-in/adequate funding; Meeting regulatory and industry compliance requirements; Spreading user awareness; Preventing data breaches from outside attackers; Preventing data theft by employees or other insiders.

Note: Three responses allowed
Base: 1,029 respondents in March 2013 and 946 in March 2012
Data: InformationWeek Strategic Security Survey of business technology and security professionals at organizations [...]
fair, it doesn't matter whether an attack was preventable; IT will get the blame.

When CIOs and CFOs hear the word security, they generally prepare themselves for sticker shock. However, you don't need to spend a ton of money to harden your Web applications. Winning the battle requires a combination of security-related best practices and tools.

You don't need a CISSP to make your Web applications a more difficult target, and you don't need to spend a million dollars either. But doing a good job at hardening your Web apps does take time, effort and some diplomacy: your concerns about security may not be a priority in the eyes of a project manager who needs to get a product out the door now. When it comes to making your Web apps a difficult target, you need to employ a combination of process, tools, optimizations and best practices. Generally speaking, these strategies are network-, application- or process-related in nature.

Starting at the network layer, here's a short list of best practices to ke[...] your Web applications m[...]ment, through quality a[...] production.

Figure 2: Security Breaches Over Past Year

Which types of security breaches or espionage have occurred in your organization in the past year? (2013 vs. 2012)

Breach types charted: Malware (i.e., viruses, worms, botnets); Phishing; Web/software applications exploited; Theft of computers or storage devices; Operating system vulnerabilities attacked; Denial of service; Database/content/data management system compromise; Website vandalized or site content manipulated; Physical break-in; Trafficking in illicit materials/illegal data; Mobile applications intrusion.

Note: Multiple responses allowed
Base: 217 respondents in March 2013 and 183 in March 2012 experiencing a security breach within the past year
Data: InformationWeek Strategic Security Survey of business technology and security professionals at organizations with 100 or more e[...]
Network: Stash Servers in DMZ

If you're a security pro, we apologize for stating the obvious with this best practice. However, not everyone is a security pro, and even the best security pros get lazy sometimes. Placing your Web servers in a DMZ won't technically make your Web applications or website more secure, but the practice will certainly help protect the rest of your infrastructure from attack if a Web server is successfully compromised.

If you host your own website or Web application, then your perimeter defenses are getting scanned all day long for vulnerabilities. You can't stop an attacker from probing your perimeter for open services, but you can certainly make it harder for an attacker to inflict further damage should he or she successfully compromise one of your Web servers. The whole point of placing externally facing Web servers in a DMZ is to box in an attacker and limit the damage that can be done should a server be compromised. For instance, if you NAT incoming connections directly to Web servers on your internal network, then a hacker who successfully exploits an unpatched vulnerability or uses SQL injection for privilege escalation will pretty much have unfettered access to your internal network.

Network: Double-Check Firewall Rules

One of the quickest and easiest ways to reduce the attack surface of your Web apps is to make sure you're dropping all nonessential ports inbound to your Web server farm. If you're exposing a Web application, there's no reason to allow RDP to your Web server, and there's no reason to allow ICMP. Exposing additional TCP/UDP services to a Web server may be required for testing or troubleshooting, but, beyond that, there's no reason to allow any incoming connection to your Web server other than TCP 80 and/or 443. As a best practice, inspect your firewall rule base periodically for irregularities, especially if you have several people managing your corporate firewalls.
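The periodic rule-base inspection recommended above can be scripted. The following Python audit is an added example and is not part of the report: it parses a rule export and flags every inbound allow rule that is not TCP 80 or 443, separating rules open to any source (the exposures the report warns about, such as RDP and ICMP) from rules scoped to a named network that merely need review. The export format, its field names and the sample rules are constructed assumptions; a real firewall's export needs its own parser.

```python
"""Audit an inbound firewall rule base for a Web server farm.

Added example; not part of the original report. The rule export format, the
field names and the sample rules are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Only HTTP and HTTPS should be reachable from the Internet on a Web server.
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "in" or "out"
    action: str           # "allow" or "drop"
    proto: str            # "tcp", "udp", "icmp" or "any"
    port: Optional[int]   # None when the rule has no port (ICMP, "any")
    source: str           # CIDR or "any"


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed export format: one rule per line,
    'name direction action proto port source'; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, direction, action, proto, port, source = line.split()
        rules.append(Rule(name, direction.lower(), action.lower(), proto.lower(),
                          None if port in ("any", "-") else int(port), source))
    return rules


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding for every inbound allow rule that is not TCP 80/443.

    Rules open to any source are the real exposures. Rules scoped to a specific
    source network (a management subnet, say) are still listed, because such
    openings should exist only while testing or troubleshooting requires them."""
    findings = []
    for r in rules:
        if r.direction != "in" or r.action != "allow":
            continue
        if (r.proto, r.port) in ALLOWED_INBOUND:
            continue
        service = f"{r.proto}/{r.port if r.port is not None else 'any'}"
        if r.source == "any":
            findings.append(f"{r.name}: {service} exposed to the Internet")
        else:
            findings.append(f"{r.name}: {service} allowed from {r.source}; confirm it is still needed")
    return findings


# Constructed sample rule base with two of the mistakes named in the report
# (RDP and ICMP open to the world) plus a scoped management rule to review.
SAMPLE_RULES = """
# name          dir  action  proto  port  source
web-http        in   allow   tcp    80    any
web-https       in   allow   tcp    443   any
legacy-rdp      in   allow   tcp    3389  any
ping            in   allow   icmp   -     any
mgmt-ssh        in   allow   tcp    22    10.20.0.0/24
default-drop    in   drop    any    any   any
egress          out  allow   any    any   any
"""

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULES)):
        print(finding)
```

Run against the sample rule base it reports the RDP and ICMP rules as Internet exposures and the SSH rule as one to confirm, while the two Web rules and the drop rule pass silently.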

Tools: Protection Out Front

Web application firewalls aren't typically necessary if you're trying to protect an internal Web application, but [...]tions that have externally [...] and a lot of money to lose [...] WAF is highly recommend[...]

Sure, a properly and ca[...] app wouldn't likely require [...]tion. But we know that W[...] sometimes be their own [...] not validating user-sup[...] there's nothing Web deve[...] a coding perspective to p[...]cation from a sustained d[...]tack. Further, while it's eas[...]ers for lazy code that exp[...] injection, sysadmins can b[...] not properly hardening an [...] server. When it comes r[...] doesn't matter whether a [...]troduced as a result of [...] point is that a Web app[...] adept at protecting an a[...] manner of attacks and ex[...] end of the day, preventin[...] of vulnerability is what ma[...]izations will need to decid[...]

Sidebar: Tools and Strategies for File-Level Data Protection

There is nothing in the enterprise that warrants protection more than data, but security pros all too often focus more on perimeter security. This may be because it can be more challenging to secure data, but once data is locked down, any compromises to the networks and servers that transport and house it almost don't matter. In this Dark Reading report, we recommend several ways that security pros can effectively ensure that data is kept from prying eyes.

Download: http://twimgs.com/darkreading/application-security/S6780313fileleveldata.pdf
[...] of not having a WAF (bu[...] and maintenance issues) [...] reward (apps that won't b[...]

Applications: Harden Your Web Servers

A Web app built on a [...] exposes your organizatio[...] risk. Despite conventiona[...] your Web server on Linux i[...] doesn't necessarily make [...] And lighting up an Apach[...]ning on some flavor of L[...] you inherently more secur[...]unning Internet Informatio[...]dows. A poorly configure[...]ment is every bit as vuln[...] configured IIS deploymen[...] applies to the underlying O[...]

Indeed, if you only hard[...] itself, and not the underly[...] not addressing the full ra[...]ties that may be used to a[...]plication. As important [...] nonessential protocols a[...] every bit as important t[...]

Figure 3: Effectiveness of Security Practices

Please rate the effectiveness of each of these security technologies or practices in protecting your organization from internal or external security threats.

Practice | Not effective at all | Marginally effective | Somewhat effective | Very effective
Firewalls | 1% | 5% | 32% | 62%
Data encryption | 1% | 7% | 32% | 60%
VPN | 1% | 8% | 38% | 53%
Gateway antivirus/anti-malware | 1% | 8% | 44% | 47%
Endpoint protection (antivirus, anti-spyware) | 1% | 10% | 43% | 46%
Strong passwords | 1% | 13% | 42% | 44%
Intrusion prevention/intrusion detection | 2% | 11% | 44% | 43%
Vulnerability assessment/penetration testing | 2% | 11% | 45% | 42%
Web application firewalls | 2% | 10% | 47% | 41%
Email security/spam filtering | 1% | 12% | 46% | 41%
Identity management | 2% | 12% | 46% | 40%
Wireless security | 2% | 11% | 48% | 39%
Patch management | 1% | 14% | 47% | 38%
Data loss prevention | 1% | 14% | 49% | 36%
NAC | 2% | 13% | 51% | 34%
Secure development processes/source code auditing | 3% | 17% | 48% | 32%
Log analysis/security event management/security information management | 4% | 17% | 47% | 32%
Portable-device security | 3% | 20% | 48% | 29%
End user awareness programs | 3% | 26% | 46% | 25%

Each row sums to 100% across the four ratings; practices are listed in descending order of "Very effective".

Base: Respondents using each security technology or practice (varies)
Data: InformationWeek 2013 Strategic Security Survey of 1,029 business technology and security professionals at organizations with 100 or more employees, March 2013
R6820513/16
services that are not essential to the operation of your Web application.

For example, an out-of-the-box deployment of Windows Server 2008 contains 50 running services, while an out-of-the-box deployment of Windows Server Core contains only 36 services. While IIS will add a handful of services to that list, by making just one small optimization in the method used to deploy your Web server, you are reducing the overall attack surface of your Web app significantly. The same optimizations can, of course, be made in the Linux world (with a little more effort) in terms of the number of running processes that can be disabled in an effort to harden the underlying OS that powers your Web apps. Taking just a little time to remove unneeded services from your server farm is one of the easiest and quickest steps you can take to improve your overall Web app security posture.

Tools: Make Frequent Use of Vulnerability Scanners

No matter how strict your change control procedures are, new vulnerabilities will come into existence during the natural course of business that are both in and out of your control. Those vulnerabilities may be the result of firewall changes, they may be the result of an update to the Web application or underlying OS, they may be the result of a newly discovered zero-day threat, or they may be the result of a misconfiguration by a sysadmin.

The cause of a newly discovered vulnerability is irrelevant, because the most important thing is that the security issue is discovered and addressed. Unfortunately, you can't rely on a single security pro, or even a team of security pros, to discover every vulnerability that exists in your Web application environment. When a Web app is in production, the job of discovering new vulnerabilities is best left to automated tools that can proactively discover and alert on potential security problems as they occur.

There's no substitute for a good vulnerability scanner, and there's no excuse not to use one, because such scanners are cheap and easy to deploy.

Applications: Beware of Application Defaults and Security Context

There are lots of things [...] network and OS perspecti[...] server at risk. But one of th[...] can do as a sysadmin is to [...] like IIS and simply leave it [...] is a monstrous task on its [...] need to be an IIS guru to m[...]plication a much more d[...] simply need to understand [...]cation server defaults co[...] risk, along with how to add[...]

Hackers know IIS intima[...] that a default IIS site will [...] wwwroot (so don't put it th[...]plications run in applicat[...] used to isolate the apps [...] However, savvy hackers ha[...] default app pool runs u[...] Service account. The Netw[...] has more rights than you [...] application pool, so disabli[...] creating a new app pool se[...]count is another commo[...]
best practice. Hackers also know that, by default, an app pool runs under the iUSR_HostName account. Hackers know that if they can discover the host name of your Web server, they can potentially lock out the iUser account and take down your Web server by sending bogus authentication requests.

There are dozens if not hundreds of other things that administrators could and should do to effectively secure an IIS server (and Apache/Tomcat), but suffice to say that leaving certain Web server defaults in place is a major security problem that can be relatively easily avoided.

Process: Get Involved With Design Meetings

Technology can't solve every problem in the security world, so diplomacy is needed.

Some developers will freely admit that security isn't a top priority when building an application. That's not to say that developers don't care about security, but tight timelines and resources may prevent them from making security a focus. In other instances, a developer may lack the knowledge needed to code an application securely.

For example, security pros know that SQL injection is a risk when developers use dynamic queries in Web applications without scrubbing user-supplied input. By asking a few questions in a design meeting, you might discover that all of the developers in a room have a preference for using dynamic queries because of their speed of execution. But by using stored procedures or parameterized queries, developers can prevent an attacker from skewing the results of a query. If you're not in the room to make the suggestion, then you're in no position to influence critical design decisions that could make a tremendous impact on the security of the final product.
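The contrast the paragraph above draws, as an added example that is not from the report: a lookup built by pasting user input into the SQL text beside the same lookup written as a parameterized query, run against an in-memory SQLite database through Python's standard-library sqlite3 module. The customers table, its rows and the skewing input are constructed for the demonstration. The point to take to the design meeting is the last line of output: the same input that returns every row from the dynamic query returns nothing from the parameterized one, because a bound parameter is only ever a value, never part of the query's structure.

```python
"""Dynamic query vs. parameterized query on an in-memory SQLite database.

Added example; not from the original report. The table, its rows and the
malformed input are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (last_name, phone) VALUES (?, ?)",
        [("Adams", "555-0100"), ("Baker", "555-0101"), ("Chen", "555-0102")],
    )
    return conn


def find_by_last_name_dynamic(conn: sqlite3.Connection, last_name: str):
    """Vulnerable form: the input is spliced into the SQL text, so it can change
    the shape of the query instead of just supplying a value."""
    sql = f"SELECT last_name, phone FROM customers WHERE last_name = '{last_name}'"
    return conn.execute(sql).fetchall()


def find_by_last_name_parameterized(conn: sqlite3.Connection, last_name: str):
    """Hardened form: the SQL text is fixed and the driver binds the input as a
    value, so it is never parsed as SQL."""
    sql = "SELECT last_name, phone FROM customers WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


# Constructed input that is a perfectly valid *value* but, when spliced into the
# dynamic query, turns the WHERE clause into one that is true for every row.
SKEWING_INPUT = "x' OR '1'='1"


def demo() -> dict:
    """Row counts for a normal lookup and for the skewing input, both ways."""
    conn = make_db()
    return {
        "dynamic_normal": len(find_by_last_name_dynamic(conn, "Baker")),
        "dynamic_skewed": len(find_by_last_name_dynamic(conn, SKEWING_INPUT)),
        "param_normal": len(find_by_last_name_parameterized(conn, "Baker")),
        "param_skewed": len(find_by_last_name_parameterized(conn, SKEWING_INPUT)),
    }


if __name__ == "__main__":
    # {'dynamic_normal': 1, 'dynamic_skewed': 3, 'param_normal': 1, 'param_skewed': 0}
    print(demo())
```

The speed argument the report mentions cuts the other way in practice: a parameterized statement has one fixed text, which is what lets the database driver prepare it once and reuse it, whereas every dynamically built query is a new string to parse.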

Another issue that security pros should address during the design phase is the method of data validation that will be added to the Web app. Failing to properly validate data opens up a Web app to SQL injection and cross-site scripting attacks that are completely preventable. The user of [...] not be allowed to enter the [...] script in a field that's de[...] someone's first name. Sim[...] not be allowed to input S[...]signed to capture a phone [...]

Most developers know [...] when it comes to data va[...] trust user-supplied input. [...] isn't the only issue securit[...] during design meetings [...] should also be addresse[...] most instances, a user shou[...]ter data into a field that's e[...] HTML tag. In a Web form t[...] capture some basic cust[...] can you think of a good re[...] tags when writing the va[...] database?

You have to use judgmen[...]ing about a Web app like [...] some fields require the u[...] build a more stylish listing [...] process HTML in some in[...] business requirements. Bu[...]
forces a security policy that prohibits potentially destructive HTML from being used. So a Web application like Craigslist is a perfect example of where a security pro, or a security-minded developer, can make a tremendous impact on the final product during the design phase. It's little security details like which HTML tags you'll parse or the way you'll perform data validation that can slip through the cracks when deadlines are tight.
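The two design-meeting points made above (per-field validation, and deciding which HTML tags a listing may contain) as one added Python example that is not from the report. The first-name and phone rules reject anything outside the characters those fields legitimately need, so neither script nor SQL can pass; the listing sanitizer implements the Craigslist-style policy by keeping a short allowlist of formatting tags, stripped of their attributes, and rendering every other tag as literal text. The field rules and the allowed tag set are constructed assumptions; a real site would derive both from its own business requirements.

```python
"""Field-level validation plus an HTML tag allowlist for a Web form.

Added example; not from the original report. The field rules and the set of
permitted tags are constructed for illustration: a classifieds site would pick
its own allowlist from its business requirements.
"""
import html
import re
from html.parser import HTMLParser

# Constructed field rules: a first name is letters, spaces, hyphens and
# apostrophes; a phone number is digits with a few separators. Angle brackets,
# quotes and SQL punctuation cannot pass either pattern.
FIRST_NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")
PHONE_RE = re.compile(r"\+?[0-9][0-9 ().-]{6,19}")


def validate_first_name(value: str) -> bool:
    return FIRST_NAME_RE.fullmatch(value) is not None


def validate_phone(value: str) -> bool:
    return PHONE_RE.fullmatch(value) is not None


# Constructed allowlist for a listing body: simple formatting only, no attributes.
ALLOWED_TAGS = {"b", "i", "p", "br", "ul", "li"}


class TagAllowlist(HTMLParser):
    """Rebuild the input, keeping allowlisted tags (stripped of attributes) and
    escaping every other tag so the browser renders it as literal text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes such as event handlers are dropped
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):  # <br/> style self-closing tags
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text is re-escaped, so entities the user typed cannot smuggle in markup.
        self.out.append(html.escape(data, quote=False))


def sanitize_listing(text: str) -> str:
    """Return the listing body with only allowlisted tags left live."""
    parser = TagAllowlist()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(validate_first_name("Mary-Anne"), validate_first_name("<script>x</script>"))
    print(validate_phone("+1 (555) 010-0100"), validate_phone("555' OR '1'='1"))
    print(sanitize_listing('<b onclick="x()">Sunny</b> flat <script>alert(1)</script>'))
```

Validation rejects bad input outright, while the sanitizer is for the one field whose business requirement is to accept some markup; keeping the two decisions separate is exactly the kind of design detail the text says slips through when deadlines are tight.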

    Process: The Security Team and the QA

    Team Should Be a Close-Knit GroupIn some instances, it may not be possible,

    practical or acceptable to have a security pro

    in the room during the development of a new

    Web application. But for well-managed devel-

    opment projects, you can be sure that a qual-

    ity-assurance person is in the room.

    In an ideal world, the security and QA teams

    should be tightly integrated when it comes to

    the testing of new Web applications making

    their way through the product development

    pipeline. The reason for this is simple: QA pro-

    fessionals usually have little or no background

    at all in application security concepts. So

    when combined with a dev team thats not

    coding using security-related best practices,

    the possible outcome could be an application

    thats significantly flawed and vulnerable to

    attack.

    The best and only chance to change that

    outcome is to get the security team, or at least

    one security pro, in the room with the QA

    team as beta builds of a new Web app are re-

    leased. If you work in a small to midsize busi-

    ness thats relatively flat from an IT perspec-

    tive, its possible that your staff developer isalso your QA guy. Or perhaps the develop-

    ment of your app is being outsourced.

    Either way, the knowledge that a security

    pro can bring about how a particular SQL in-

    jection attack, XSS attack or LFI /RFI attack is

    done can add tremendous value to the devel-

    opment process.

    At the end of the day, everyones goal is to

    deploy a Web application that is stable and

    secure. So from a security perspective, its im-

    portant for security pros to begin thinking

    and acting like QA pros. This may mean vol-

    unteering your QA service

    tion to the build release ca

    existing product updates

    ployed (because new ve

    testing). While your presen

    may sometimes be unwel

    fully be thanked later for

    more stable and secure We

    in the process, if you can e

    developers about how hac

    Web applications, then y

    helping to ensure that fut

    security features that maka tougher target.

    On the whole, Web app

    all that difficult a goal to ac

    like other security project

    largely in the hands of the s

    ing sound Web app securit

    orative effort with multiple

    Web app security is mu

    cess-driven effort than it i

    ven effort, and it always w

    secure a Web app with a f

    virus scanner and just w


piece of software that goes through the software development life cycle, the process of securing a Web app should be done in a predictable and structured way. The time and effort involved with securing a Web app may be onerous in some instances, but it pales in comparison to the cost of not doing it.
