Mitigating the Risks of Poor Web Programming
If you weren't paying attention during the early summer months this year, you may have missed the overwhelming rate at which web sites were being publicly compromised and mocked. Often, these sites were open to compromise through SQL injection and other common web site vulnerabilities. Even Barracuda Networks was compromised when, apparently, they took down their own security product for maintenance and were taken advantage of in the meantime.
The reality is that even large corporations, banks, and public organizations aren't having their web sites developed nearly as well as you'd expect. Often, much attention is given to a company's internal infrastructure, their end-user PCs, and the network holding together operations.
The web presence of a company may just be an afterthought, something left for the creative and marketing people to get their brand out. However, in too many cases, web sites give people a place to store personal information and re-used passwords, and then fail to adequately protect that information from would-be attackers.
Considering the frequency of these incidents, the reality of insecurely programmed web applications, and a lack of due diligence on the part of developers, other steps should be taken to ensure a few lines of code don't land you on the front page of a newspaper or web site.
- Using a SQL proxy (such as GreenSQL) can provide an added layer of security in the event that code wasn't properly protected against this all-too-common type of attack. With GreenSQL or something similar in place, your database queries pass through the proxy's sanity checks first, before actually reaching your database. This intermediary step will likely thwart attempts to steal information from a customer database or any other table.
- Deployment of a web application firewall (WAF) is a common method to help prevent not only SQL injection, but other attacks such as local file inclusion (LFI). If you're in a larger environment, you may want to take a look at Barracuda's offering (just remember to keep it turned on...) or Imperva's offering. If you have an Apache web server with perhaps simpler needs, ModSecurity has been a long-standing free option that is quick to deploy, albeit a little challenging to tweak.
- Browser-based vulnerability testing utilities such as those from Security Compass allow even a novice to check a site before it gets deployed to production. This is certainly not the route to take for serious security testing of an application, but if you're a manager in charge of a programming team, it can't hurt to give their newest code a once-over with a few Firefox plugins.
- Lastly, professional security testing tools can be utilized by a security team or other well-trained technical users to give a final vetting to web applications before the public has a shot at them. There's no shortage of these tools but a few notable ones to look at are Core Security's CORE IMPACT Pro, Google's Skipfish, CIRT's Nikto2, and HP's WebInspect.
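To make the "few lines of poorly programmed code" from the SQL injection discussion concrete, here is an added example (not code from the article or from any of the products it names). It uses Python's built-in sqlite3 module with a constructed in-memory user table, and shows a lookup that splices user input straight into the query text next to the parameterized form that a reviewer, a proxy like GreenSQL, or a WAF would all rather never have to catch in the first place. The table, user names and hash strings are made up for the example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-for-alice"), ("bob", "hash-for-bob")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' form: the caller's input becomes part of the SQL text.

    Because the value is pasted into the string, the input can close the
    quoted literal and change the meaning of the WHERE clause. The database
    has no way to tell the attacker's text from the developer's.
    """
    sql = "SELECT username FROM users WHERE username = '%s' ORDER BY username" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The hardened form: the query text is fixed and the value is bound.

    The driver sends the SQL and the parameter separately, so whatever the
    caller types is compared as data and can never become part of the query.
    """
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on the same input so the difference is visible."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, username),
        "parameterized": lookup_parameterized(conn, username),
    }


if __name__ == "__main__":
    # A normal user name behaves the same either way.
    print(compare("alice"))
    # Input that closes the quote and appends a tautology: the vulnerable
    # query returns every row, the parameterized query returns nothing,
    # because no user is literally named that.
    print(compare("' OR '1'='1"))
```

The point for a manager or reviewer is that the fix is one line, and that every tool in the list above exists to cover for the cases where that one line was never written. A proxy or WAF inspecting the first function's query sees `WHERE username = '' OR '1'='1'` and has to guess that it is hostile; the second function never produces such a query at all.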
Ultimately, a few lines of poorly programmed code should not be the last line of defense for any web application (or any application, for that matter). By using some or all of the above, you can gain greater insight into how well your code holds up before an attack occurs. There's no reason one programmer should be able to let your entire company's user database be stolen.