This is a guest post by John Stauffacher, a world renowned expert in web application security, and the author of Web Application Firewalls: A Practical Approach. John is a certified Network Security and Engineering specialist with over 17 years of experience in IT Security.
Securing your Web applications from the millions of bad bots that attempt to penetrate them each year can seem a daunting task. But, if you follow these eight Web application security best practices ─ and repeat them each time you update your application code ─ you can mitigate the majority of bad bot attacks and zero-day attacks. Here are eight ways to improve web application security:
#1. Profile your Web applications. This includes profiles for URIs, the names and values of parameters, the names and values of your cookies, the types of uploads and the Web services each application uses. Once you complete your profile for each application, you have a baseline. You should consider anything outside that baseline as a threat and block it.
#2. Limit your exposure. You accomplish this best by shrinking your potential attack surface through such measures as GeoIP fencing and client interrogation. Simply block any traffic that originates from undesirable geographies or that displays client characteristics unlike those of your typical customer base.
#3. Enforce your application routes. Each of your applications has its own workflow and discrete routes that ‘normal’ users follow. By enforcing defined routes and workflows, you can prevent automated bot attacks from testing numerous URLs and executing forceful browsing attacks into your applications.
#4. Scrub all inputs. You should be scrubbing data any time you accept it from end users. Scrub incoming data to eliminate anything which appears to be program logic or an executable, even if execution would occur elsewhere.
#5. Encrypt all cookies. This is so easy to do today, and there is simply no reason not to.
#6. Force SSL. Applying SSL adds another security measure that is simple and has no downside risk.
#7. Monitor login pages. So many bots are written to perform ‘brute force’ login attacks by throwing all kinds of username and password combinations at your login page. Block any traffic that makes rapid, multiple login attempts and/or which appears to be the same user coming in from different networks or geographies.
#8. Always enforce protocol specifics. Surprisingly, many bots have poorly written code and don’t actually follow the HTTP protocol. This makes them easy to identify and block when you simply state that your apps will only speak the protocol as it’s written.
These best practices rely on solid WAF policy. So, make sure you have no wildcards in your policy, such as one that says, “let in all traffic.” Second, do not rely solely on signature sets, as you’ll be chasing new signatures on a continuous basis. In fact it’s better to spend time upfront whitelisting the good in you WAF rather than continually updating all of the bad that could possibly be thrown at your application.
Finally, the best WAF policy is dynamic. This means you should make it an integral part of QA testing every time you update application code. But with a solid baseline in place from profiling your web applications, this should become as routine as brushing your teeth.
About the Author
John Stauffacher is a world renowned expert in web application security, and the author of Web Application Firewalls: A Practical Approach. John is a certified Network Security and Engineering specialist with over 17 years of experience in IT Security.More Content by John Stauffacher