Web application security has been a growing concern for the IT team in Nevada County, Calif. When the county transitioned to Microsoft hosted services, including IIS, Exchange and SharePoint in 2007, its small IT staff knew it was a mixed bag. The technologies came with important productivity and management benefits, but Microsoft-based technologies also presented a much bigger security target for potential hackers.
The move to Microsoft apps — plus the realization that more county applications for both employees and citizens would be web-based and mobile — led the IT team to focus on web application security. First up was installing a web application firewall from Barracuda Networks.
“With these changes, we knew we needed an extra layer of security that we could rely on and use to ensure compliance with state and federal regulations,” explains Gary Spriggs, the county’s information security officer.
Along with the web application firewall, the county’s IT staff implemented Tenable Network Security’s Nessus ProfessionalFeed for penetration and vulnerability testing, which it uses about every six months to check on how well its web apps are performing against potential attacks.
Jeff Wilson, principal analyst with Infonetics Research, says there are many reasons why state and local agencies should make securing web applications a top priority. Mobile versions of web apps are yet another stream of code that must be maintained, managed and checked for vulnerabilities.
“Custom code, or simply poor coding that leaves in the code during development, can cause real security problems,” Wilson says.
“If you have the right tools and can get at the code to fix the problems, you’ll be in pretty good shape. But if you don’t have access to the code because the application was outsourced or built on a platform where you are at the mercy of the platform developer, it’s more difficult to find and fix vulnerabilities,” he adds.
In Wake County, N.C., the network is locked down by two Fortigate 1240B Universal Threat Management firewalls from Fortinet, which are used in conjunction with Fortinet’s intrusion prevention and antivirus modules.
Dean Mitchell, security team manager in the Information Services Division, says following a migration to Microsoft SharePoint, the county plans to deploy a SharePoint-specific antivirus product to add another layer of security.
Sidebar statistic (value not shown): the percentage of web applications that are vulnerable to an injection attack, where internal databases are accessed through a website.
SOURCE: 2011 Top Cyber Security Risks Report (HP)
The county also has developed policies to allow its employees to use their own mobile devices to access web applications, calendars and e-mail. Because it runs Lotus Domino for e-mail, Wake County also uses Lotus Traveler, which provides some mobile device management (MDM) functionality, including the ability to manage policies and protect data. Mitchell says the county hopes to add a full-blown MDM solution at some point in the future.
The IT team in Nevada County also considers mobile devices a potential security issue for web apps.
“We’re at the doorway with both mobile app delivery and mobile content delivery, which increases the possibilities for attack as well as delivery,” says Landon Beard, the county’s lead network systems analyst. “Web app security will be at the forefront of our focus as we move forward with that.”
Tools of the App Security Trade
There are several tools that state and local agencies can use to ensure the security of their web apps, including penetration testing and web application firewalls.
Penetration testing tools, such as IBM Rational AppScan and Tenable Network Security’s Nessus ProfessionalFeed, actively try to find vulnerabilities in web apps caused by problems such as cross-site scripting and SQL injection. They work by simulating the methods real attackers might use, but without actually damaging the web application. Typical features of these tools include both static and dynamic testing, content audits (for example, for adult content and personally identifiable information), and the ability to pinpoint specific lines of code causing problems. They are also used for compliance auditing.
Web application firewalls are just that: firewalls that protect web applications. Marketed by providers such as Fortinet, Barracuda Networks, F5 Networks, WatchGuard Technologies and Imperva, these products block threats such as cross-site scripting, SQL injection, buffer overflows, denial of service and cookie poisoning. They can also help organizations comply with the Payment Card Industry Data Security Standard. Other features include load balancing and Secure Sockets Layer offloading and acceleration.
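The two defects named above, SQL injection and cross-site scripting, are what the scanners in the previous paragraph probe for and what a web application firewall filters at the edge, but the durable fix lives in the application code itself. The example below is added here for illustration and is not code from the article or from any of the vendors it names; it uses Python's standard sqlite3 and html modules against a constructed three-row user table. It shows a lookup built by string concatenation beside the same lookup with a bound parameter, and a greeting rendered with output encoding, so a reader can see why the hardened versions treat hostile input as plain data rather than as SQL or HTML.

```python
import html
import sqlite3

# Constructed sample data: the kind of table a county web app might query by username.
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The defect a dynamic scanner looks for: user input is spliced into the SQL text,
    so a quote in the input changes the structure of the query instead of its data."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterized(conn, username):
    """The fix: the SQL text is fixed and the input travels as a bound parameter.
    Whatever the input contains, it can only ever be compared against the column."""
    query = "SELECT email FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def render_greeting(username):
    """Output encoding for the cross-site scripting case: any markup characters in the
    name are escaped so the browser renders them as text rather than executing them."""
    return "<p>Welcome, " + html.escape(username) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A constructed probe of the sort a scanner submits: a quote that closes the string
    # literal followed by a condition that is always true.
    probe = "' OR '1'='1"
    print("concatenated query returned:", lookup_vulnerable(db, probe))   # every e-mail
    print("parameterized query returned:", lookup_parameterized(db, probe))  # nothing
    print(render_greeting("<script>alert(1)</script>"))  # markup shown, not executed
```

Running the script prints all three addresses for the concatenated query and an empty list for the parameterized one; the same input, handled as a parameter, simply matches no username. The escaped greeting shows angle brackets as `&lt;` and `&gt;`, which is the point a WAF signature can only approximate from outside the application.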
Although these tools are invaluable, there is also great value in old-fashioned ingenuity, says Jeff Wilson, principal analyst at Infonetics.
“Whatever investment you make in web application security, there will still be bugs you miss,” he says. “Consider trying the crowdsourcing approach, like Google does. They pay a bounty to anyone who finds bugs in their code.”