Eliminating all vulnerabilities from your web application
is an important part of maintaining your overall security posture. As part of
that process, web application vulnerability scanners play a crucial role in
that they provide an efficient and effective method of exposing vulnerabilities
and helping to keep your application online and secure.
Because automated web security scanners play such a crucial
role in the process of
web application security, it’s easy to forget
that there are many other elements of security that also deserve your
attention.
In this post, we’re going to cover some of the “other”
important security elements that are often overlooked — both in terms of the
application itself as well as the infrastructure.
Don’t Let Infrastructure be Your Weakest Link
We’re not going to get into the process of securing your web
server other than to point out a few of the obvious ways that you can harden
your security. However, as an example, if you’re running a popular open source
option like the LAMP stack, there are some straightforward actions you can take,
such as:
- Make sure you are running the latest version of Apache
- Disable any unused or unnecessary modules
- Prevent the version number, operating system and installed modules from being displayed
- Disable/prevent directory browsing
- Limit the total HTTP request size to reduce the probability of a DDoS attack
- Enable Apache logging
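As an added example (not code from the original post), here is a small Python audit that checks an Apache configuration text against the items above. ServerTokens, ServerSignature, Options Indexes, LimitRequestBody, ErrorLog and CustomLog are the real Apache directives for those settings; the two configurations and the 1 MB body limit are constructed for illustration.

```python
import re

# Constructed example: a permissive Apache configuration of the kind the checklist warns about.
WEAK_CONF = """
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""

# Constructed example: the same configuration with each checklist item applied.
HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
LimitRequestBody 1048576
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
"""

def _directive(conf, name):
    """Return the value of the last occurrence of directive `name`, or None if absent."""
    hits = re.findall(r"^\s*%s\s+(.+?)\s*$" % re.escape(name), conf, re.M | re.I)
    return hits[-1] if hits else None

def audit_apache_conf(conf):
    """Return the checklist items that `conf` fails; an empty list means all checks passed."""
    findings = []
    if (_directive(conf, "ServerTokens") or "").lower() != "prod":
        findings.append("ServerTokens should be Prod (hides version/OS in the Server header)")
    if (_directive(conf, "ServerSignature") or "").lower() != "off":
        findings.append("ServerSignature should be Off (hides version on error pages)")
    # Directory browsing is on whenever an Options line grants Indexes without a leading '-'.
    for opts in re.findall(r"^\s*Options\s+(.+?)\s*$", conf, re.M | re.I):
        if re.search(r"(?<![-+\w])\+?Indexes\b", opts, re.I):
            findings.append("Options grants Indexes (directory browsing enabled)")
            break
    body = _directive(conf, "LimitRequestBody")
    if body is None or not body.isdigit() or int(body) == 0:
        findings.append("LimitRequestBody is unset or 0 (no cap on request body size)")
    if _directive(conf, "ErrorLog") is None or _directive(conf, "CustomLog") is None:
        findings.append("ErrorLog and CustomLog should both be configured")
    return findings
```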
There are a multitude of additional steps you can take to
reduce your overall exposure, including:
- Eliminating remote access or, at the very least, restricting remote access to a limited number of IPs and users
- Using separate environments for development, testing and production. Amazon EC2 makes the process of setting up temporary testing and development environments relatively simple, which limits access to your production environment.
If you’re unsure of how to configure your server, get advice
from your server admin or system engineer.
Manage User and Application Privileges Responsibly
The best way to manage user privileges is by following the
principle of least privilege (POLP). POLP states that each individual user
should have their access limited to the minimal level required to complete their
necessary tasks. The same rule applies to web applications — assign the minimal
level of permissions required for normal functioning.
Managing privileges is something that can occur at a variety
of different levels — including the server, database and software levels. For
example, if you are running WordPress, full administrator privileges
should be restricted to very few users. Even at the
administrator level, there are certain functions that can be disabled in order
to further harden security. Read the
Principle of Least Privileges for WordPress
for more specific information on POLP on WordPress.
Keep Software Up To Date
As vulnerabilities are discovered and patches are released,
it’s important to keep all of your software up to date. We can approach this
from two angles:
The first is making sure that any software you’re using is running
on the current version. This is an issue we see frequently on platforms like
WordPress and with JavaScript libraries. Looking at
current WordPress statistics, over 15% of installations are currently
running version 3.9 or older.
The second is keeping your scanning software
up to date. If you are using a desktop-based scanner, make sure you’re using a
version with the most recently updated vulnerability library — cloud-based
vulnerability scanners are updated automatically.
Know What’s Happening On Your Web Application
Finally, one security measure that is often overlooked is
the process of monitoring and logging user activity. Web
application logs provide a multitude of benefits, the most important of which
is helping to improve your web application security.
Monitoring user activity is often one of the first steps in
determining when an attack might be underway. Even though only a very small
percentage of users are malicious, logging can help to identify those users and
block them from taking any further action.
Logging user actions can also help to identify ways in which
your web application might be vulnerable, or to identify potential misuse.
If you are able to identify, track, record and alert administrators of
suspicious activity, it is often possible to make changes to your application
before an attack occurs, or even to halt a malicious user before their activity
becomes a major security issue.
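An added example, not part of the original post, of the monitoring idea above: a Python routine that parses Apache combined-format access log lines and flags clients that cross per-client thresholds for not-found responses or repeated login-form POSTs, which is the kind of signal an administrator would alert on or block. The log lines, IP addresses, paths and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not a real capture).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1440 "-" "curl/7.88"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1440 "-" "curl/7.88"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1440 "-" "curl/7.88"
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /old-site/ HTTP/1.1" 404 210 "-" "curl/7.88"
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET /test.php HTTP/1.1" 404 210 "-" "curl/7.88"
198.51.100.9 - - [10/Oct/2023:13:56:04 +0000] "GET /archive/ HTTP/1.1" 404 210 "-" "curl/7.88"
"""

# One combined-format request line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_clients(log_text, max_not_found=3, max_login_posts=2):
    """Return {client_ip: [reasons]} for clients crossing the (constructed) thresholds."""
    stats = defaultdict(lambda: {"not_found": 0, "login_posts": 0, "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # malformed lines are skipped, not trusted
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == "404":
            s["not_found"] += 1
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            s["login_posts"] += 1
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["not_found"] >= max_not_found:
            reasons.append("%d not-found responses" % s["not_found"])
        if s["login_posts"] >= max_login_posts:
            reasons.append("%d login form POSTs" % s["login_posts"])
        if reasons:
            flagged[ip] = reasons
    return flagged
```

In practice the thresholds would be tuned to the application's normal traffic and the flagged clients fed to an alert or a block list rather than printed.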
Manage Web Application Security From a Holistic Standpoint
Managing web application security is a complicated process.
There are many moving parts that need to be managed concurrently.
Unfortunately, the vast number of systems that require attention for even a
basic web application often results in one aspect of security being overlooked.
When assessing overall security posture, we often default to
the technical aspects of security —
scanning for and patching web application vulnerabilities.
However, equally important is the ability to manage the most obvious elements
that are often the source of our problems. This includes things such as web
server security, limiting user privileges, properly maintaining software and
being aware of how users are interacting with your application. Your web
application security posture is only as strong as its weakest link.