Web application security defense needs to account for attacks that bypass traditional firewalls and perimeter security devices. Such attacks include, but are not limited to, XSS (cross-site scripting), SQL injection, parameter/hidden field manipulation, and weak session cookies. M3 Security's web application security implementation service uses a two-pronged approach to provide defense-in-breadth. Based on the vulnerabilities enumerated during the assessment phase, solutions include web application firewalls as well as detailed analysis and implementation of secure software development lifecycle (SDLC) best practices.
The SDLC best practices developed by M3 Security operate at both a tiered and a layered level to provide enhanced security. The tiers are the web, application, and database servers; the layers are the host/operating system layer and the application layer.
Typical protection methods employed:

Application-layer Defense:
- Exception Management
- Configuration Management
- Session Management
- Encryption
- Parameter Manipulation
- Authentication
- Authorization
- Input Validation
- Protection of Sensitive Data
- Auditing and Logging
- Remote Administration
- Least Privileged Access

Operating System-layer Defense:
- Services
- Protocols
- File and Directory Permissions
- Patches and Updates
- Account Management
- Remote Administration
- Registry Access
Implementation of a web application firewall takes into consideration factors such as the capabilities of existing perimeter security devices (firewalls, intrusion detection devices), prevention of zero-day attacks, the choice between event correlation, positive security model, and attack-signature-based solutions, the web application's function, and the type of traffic flow. Once a solution is chosen, M3 Security engineers design and deploy the web application firewall within the client's environment.