Web Application Security is a Stack: How to CYA (Cover Your Apps) Completely
About this ebook
This book is intended for application developers, system administrators and operators, as well as networking professionals who need a comprehensive top-level view of web application security in order to better defend and protect both the ‘web’ and the ‘application’ against potential attacks. This book examines the most common, fundamental attack vectors and shows readers the defence techniques used to combat them.
Lori Mac Vittie
Lori Mac Vittie has extensive development and technical architecture experience in both high-tech and enterprise organisations, in addition to network and systems administration expertise. Prior to joining F5, Lori was an award-winning technology editor at Network Computing Magazine. She holds a BS in information and computing science from the University of Wisconsin at Green Bay, and an MS in computer science from Nova Southeastern University. She is technical editor and member of the steering committee for CloudNOW, a non-profit consortium of the leading women in Cloud computing.
Book preview
Web Application Security is a Stack - Lori Mac Vittie
CHAPTER 1: INTRODUCTION
The modern threat
In 2011 an exploit taking advantage of a vulnerability in the Apache web server rapidly circulated across the Internet. Apache, at the time, was used by more than 65% of websites, according to Netcraft, so this was a serious issue which required immediate remediation. The exploit took advantage of a little-known vulnerability in the way Apache handled two HTTP headers. Exploitation of this vulnerability resulted in, as described by CVE-2011-3192, very significant memory and CPU usage on the server, resulting in a distributed denial-of-service attack (DDoS) through resource exhaustion.
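An added defender-side check (not from the book) for the header at the centre of CVE-2011-3192, the HTTP Range header: the remedy was to refuse requests that ask for many or overlapping byte ranges, which is what this parser and verdict function do. The five-range limit and the sample header are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One byte-range-spec: "first-last", "first-" or "-suffix" (RFC 7233 syntax).
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")
SAMPLE_HEADER = "bytes=0-,10-20,10-30,10-40,10-50,10-60"  # constructed, not captured


@dataclass
class RangeVerdict:
    count: int          # byte ranges the header asks for
    overlapping: bool   # at least two ranges cover a common byte
    invalid: bool       # unparseable or unsatisfiable header
    reject: bool        # defender's decision for this request


def parse_byte_ranges(header: str, resource_len: int) -> Optional[List[Tuple[int, int]]]:
    """Turn 'bytes=a-b,c-,-d' into absolute (start, end) pairs; None if invalid."""
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                                   # "-N": the last N bytes
            start, end = max(resource_len - int(last), 0), resource_len - 1
        else:
            start = int(first)
            end = resource_len - 1 if last == "" else min(int(last), resource_len - 1)
        if start > end:                                   # "50-10", or past end of file
            return None
        ranges.append((start, end))
    return ranges


def has_overlap(ranges: List[Tuple[int, int]]) -> bool:
    # After sorting by start, a range beginning at or before the previous end overlaps it.
    ordered = sorted(ranges)
    return any(cur[0] <= prev[1] for prev, cur in zip(ordered, ordered[1:]))


def assess_range_header(header: Optional[str], resource_len: int, max_ranges: int = 5) -> RangeVerdict:
    """Serve or refuse a request based on its Range header; max_ranges=5 is an assumed limit."""
    if header is None:                                    # no Range header: nothing to check
        return RangeVerdict(0, False, False, False)
    ranges = parse_byte_ranges(header, resource_len)
    if ranges is None:
        return RangeVerdict(0, False, True, True)
    overlap = has_overlap(ranges)
    return RangeVerdict(len(ranges), overlap, False, overlap or len(ranges) > max_ranges)
```

A request carrying SAMPLE_HEADER is refused both for exceeding the range limit and because every range overlaps the first; a single ordinary range is served unchanged.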
In late 2013, a highly complex DDoS attack¹ on a prominent member of an online trading community was detected and mitigated. In addition to the overwhelming network traffic generated, post-mortem analysis discovered a significant amount of application layer traffic. What had originally appeared to be simply an unusual spike in human interaction was, in truth, driven by a network of nearly 20,000 compromised browsers, all infected with a variant of the PushDo malware.
In early 2014, another vulnerability would shake the foundations of the Internet. The SSL implementation in the open source library OpenSSL contained a buffer-overflow that attackers could exploit to extract sensitive consumer and corporate data. The library was widely used by web servers, as well as by a wide variety of open and closed software and hardware around the world. The discovery of the vulnerability led to disruption of business and to consumer fears regarding just what data attackers may have been able to extract.
None of these very serious web application vulnerabilities fall under what is traditionally considered the domain of application developers. The term ‘web application security’ usually conjures up thoughts of the better-known web application attack vectors, such as SQL injection and cross-site scripting. But the reality is that web application security is not just about the application, but about the ‘Web’ too. Exploitation of web application platform and protocol implementations is becoming more common and, ultimately, is far more likely to produce the result desired by attackers.
These results are not always the theft of data, as is traditionally put forth. The rise of hacktivism – attacking organisations through their web presence as a means of protest against some business practice or to highlight a social cause – has resulted in a dramatic increase in attacks intended not to steal data or information but to disrupt business operations. These denial-of-service (DoS) attacks generate a lot of press, in addition to the financial costs incurred while applications are unavailable, not to mention the costs to remediate.
Also on the rise are attempts to use vulnerabilities in applications as a delivery vehicle for malware and remote access. Attackers seek not to attack the applications themselves, but rather their consumers. By using vulnerabilities in the application layer, attackers can plant, and subsequently deliver, malware and malicious code to a much larger set of victims, some of whom are certain to be compromised and to deliver to attackers the resources, data or credentials they are seeking.
The WhiteHat ‘Website Security Statistics Report’ from May 2013 notes that 23% of organisations said their website(s) experienced a data or system breach as a result of an application layer vulnerability². An HP TippingPoint-sponsored security survey³ noted that nearly three in five IT professionals are concerned with application DDoS.
Much of the blame for successful attacks against web applications is laid solely at the feet of the developers who design and build the applications. While many of the attacks rely on common mistakes made during development, it is increasingly the case that attackers are targeting other areas of the web application stack, namely protocols and platforms. Recognising that ‘application’ security is really a stack ensures that a growing vector of attacks is not ignored. Protocol and metadata manipulation attacks are a dangerous source of DDoS and other disruptive techniques that can interrupt business and have a serious impact on