Web Application Security is a Stack: How to CYA (Cover Your Apps) Completely
()
About this ebook
This book is intended for application developers, system administrators and operators, as well as networking professionals who need a comprehensive top-level view of web application security in order to better defend and protect both the ‘web’ and the ‘application’ against potential attacks. This book examines the most common, fundamental attack vectors and shows readers the defence techniques used to combat them.
Lori Mac Vittie
Lori Mac Vittie has extensive development and technical architecture experience in both high-tech and enterprise organisations , in addition to network and systems administration expertise. Prior to joining F5, Lori was an award-winning technology editor at Network Computing Magazine. She holds a BS in information and computing science from the University of Wisconsin at Green Bay, and an MS in computer science from Nova Southeastern University. She is technical editor and member of the steering committee for CloudNOW, a non-profit consortium of the leading women in Cloud computing.
Related to Web Application Security is a Stack
Titles in the series (7)
Build a Security Culture Rating: 0 out of 5 stars0 ratingsWeb Application Security is a Stack: How to CYA (Cover Your Apps) Completely Rating: 0 out of 5 stars0 ratingsReviewing IT in Due Diligence: Are you buying an IT asset or liability Rating: 0 out of 5 stars0 ratingsTwo-Factor Authentication Rating: 0 out of 5 stars0 ratingsFundamentals of Information Security Risk Management Auditing: An introduction for managers and auditors Rating: 5 out of 5 stars5/5Fundamentals of Assurance for Lean Projects Rating: 0 out of 5 stars0 ratingsThe Psychology of Information Security: Resolving conflicts between security compliance and human behaviour Rating: 5 out of 5 stars5/5
Related ebooks
Advanced Penetration Testing with Kali Linux: Unlocking industry-oriented VAPT tactics (English Edition) Rating: 0 out of 5 stars0 ratingsOffensive Security Certified Professional A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsSecuring Cloud Services - A pragmatic guide: Second edition Rating: 0 out of 5 stars0 ratingsInformation Risk Management: A practitioner's guide Rating: 5 out of 5 stars5/5Research Methods for Cyber Security Rating: 0 out of 5 stars0 ratingsHacking Web Apps: Detecting and Preventing Web Application Security Problems Rating: 0 out of 5 stars0 ratingsIntrusion Detection Systems A Complete Guide - 2021 Edition Rating: 0 out of 5 stars0 ratingsCyber Security Regulation A Complete Guide - 2021 Edition Rating: 0 out of 5 stars0 ratingsMobile Security Fundamentals: A Guide for CompTIA Security+ 601 Exam Rating: 0 out of 5 stars0 ratingsCyber Security ISMS Policies And Procedures A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsSRS - How to build a Pen Test and Hacking Platform Rating: 2 out of 5 stars2/5Enterprise Information Security Architecture A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsCyber Security Audit A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsCyber Security Incident A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsCyber Security A Complete Guide - 2019 Edition Rating: 0 out of 5 stars0 ratingsBuilding Effective Cybersecurity Programs: A Security Manager’s Handbook Rating: 4 out of 5 stars4/5Cyber Security Threat Intelligence A Complete Guide - 2021 Edition Rating: 0 out of 5 stars0 ratingsRisk and Cybersecurity Third Edition Rating: 0 out of 5 stars0 ratingsEmail Security Architecture A Clear and Concise Reference Rating: 0 out of 5 stars0 ratingsSeven Deadliest Network Attacks Rating: 3 out of 5 stars3/5Cyber Security A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsSecurity Incident Response A Complete Guide Rating: 4 out of 5 stars4/5Cybersecurity Policy A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsCyber Security Breach A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsNetwork Segmentation A Complete Guide - 2021 Edition Rating: 0 out of 5 stars0 ratingsPrivileged Access Management A Complete Guide - 2021 Edition Rating: 0 out of 5 stars0 ratingsDeveloper's Guide to Web Application Security Rating: 3 out of 5 stars3/5ISO 27001/ISO 27002: A guide to information security management systems Rating: 0 out of 5 stars0 ratingsCloud computing security Complete Self-Assessment Guide Rating: 0 out of 5 stars0 ratings
Security For You
Hacking For Dummies Rating: 4 out of 5 stars4/5Make Your Smartphone 007 Smart Rating: 4 out of 5 stars4/5Cybersecurity: The Beginner's Guide: A comprehensive guide to getting started in cybersecurity Rating: 5 out of 5 stars5/5CompTIA Security+ All-in-One Exam Guide, Sixth Edition (Exam SY0-601)) Rating: 3 out of 5 stars3/5Practical Lock Picking: A Physical Penetration Tester's Training Guide Rating: 5 out of 5 stars5/5CompTIA Network+ Review Guide: Exam N10-008 Rating: 0 out of 5 stars0 ratingsCybersecurity For Dummies Rating: 4 out of 5 stars4/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5How Not To Use Your Smartphone Rating: 5 out of 5 stars5/5CompTIA Security+ Study Guide: Exam SY0-601 Rating: 5 out of 5 stars5/5Network+ Study Guide & Practice Exams Rating: 4 out of 5 stars4/5Hacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5How to Hack Like a Pornstar Rating: 5 out of 5 stars5/5How to Become Anonymous, Secure and Free Online Rating: 5 out of 5 stars5/5Security+ Boot Camp Study Guide Rating: 5 out of 5 stars5/5Wireless Hacking 101 Rating: 4 out of 5 stars4/5Remote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5Tor and the Dark Art of Anonymity Rating: 5 out of 5 stars5/5Ethical Hacking 101 - How to conduct professional pentestings in 21 days or less!: How to hack, #1 Rating: 5 out of 5 stars5/5Mike Meyers' CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy Rating: 4 out of 5 stars4/5The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Rating: 4 out of 5 stars4/5Hands on Hacking: Become an Expert at Next Gen Penetration Testing and Purple Teaming Rating: 3 out of 5 stars3/5How to Be Invisible: Protect Your Home, Your Children, Your Assets, and Your Life Rating: 4 out of 5 stars4/5Practical Ethical Hacking from Scratch Rating: 5 out of 5 stars5/5The Pentester BluePrint: Starting a Career as an Ethical Hacker Rating: 4 out of 5 stars4/5
Reviews for Web Application Security is a Stack
0 ratings0 reviews
Book preview
Web Application Security is a Stack - Lori Mac Vittie
Resources
CHAPTER 1: INTRODUCTION
The modern threat
In 2011 an exploit taking advantage of a vulnerability in the Apache web server rapidly circulated across the Internet. Apache, at the time, was used by more than 65% of websites, according to Netcraft, so this was a serious issue which required immediate remediation. The exploit took advantage of a little-known vulnerability in the way Apache handled two HTTP headers. Exploitation of this vulnerability resulted in, as described by CVE-2011-3192, very significant memory and CPU usage on the server
, resulting in a distributed denial-of-serviceattack (DDoS) through resource exhaustion.
In late 2013, a highly complex DDoS attack¹ on a prominent member of an online trading community was detected and mitigated. In addition to the overwhelming network traffic generated, post-mortem analysis discovered a significant amount of application layer traffic. What had originally appeared to be simply an unusual spike in human interaction was, in truth, driven by a network of nearly 20,000 compromised browsers, all infected with a variant of the PushDo malware.
In early 2014, another vulnerability would shake the foundations of the Internet. Within the implementation of SSL as supported by the open source library, OpenSSL, existed the potential for attacks to exploit a buffer-overflow, enabling the extraction of sensitive consumer and corporate data. The open source library was widely used by web servers, as well as a wide variety of open and closed software and hardware around the world. Its discovery led to disruption of business and consumer fears regarding just what data attackers may have been able to extract.
None of these very serious web application vulnerabilities fall under what is traditionally considered the domain of application developers. The term ‘web application security’ usually conjures up thoughts of the more well-known web application attack vectors, such as SQL injection and cross-site scripting. But the reality is that web application security is not just about the application, but about the ‘Web’ too. Exploitation of web application platform and protocol implementation is becoming more common and, ultimately, is far more likely to produce the result desired by attackers.
These results are not always the theft of data, as is traditionally put forth. The rise of hacktivism – attacking organisations through their web presence as a means of protest against some business practice or to highlight a social cause – has resulted in a dramatic increase in attacks intended not to steal data or information but to disrupt business operations. These denial-of-service (DoS) attacks generate a lot of press, in addition to the financial costs incurred while applications are unavailable, not to mention the costs to remediate.
Also on the rise are attempts to use vulnerabilities in applications as a delivery vehicle for malware and remote access. Attackers seek not to attack applications themselves, but rather its consumers. By using vulnerabilities in the application layer, attackers can plant, and subsequently deliver, malware and malicious code to a much larger set of victims, some of whom are certain to be compromised and deliver to attackers the resources, data or credentials they are seeking.
The WhiteHat ‘Website Security Statistics Report’ from May 2013 notes that 23% of organisations website(s) said they experienced a data or system breach as a result of an application layer vulnerability
². An HP TippingPoint sponsored security survey³ noted that nearly three in five IT professionals are concerned with application DDoS
.
Much of the blame for successful attacks against web applications is laid solely at the feet of the developers who design and build the applications. While many of the attacks rely on common mistakes made during development, it is increasingly the case that attackers are targeting other areas of the web application stack, namely protocols and platforms. Recognising that ‘application’ security is really a stack, ensures that a growing vector of attacks does not go ignored. Protocol and metadata manipulation attacks are a dangerous source of DDoS and other disruptive techniques that can interrupt business and have a serious impact on