Web and Cloud Security
Web security deals specifically with security of websites, web applications and web services. At a high level, Web security draws on the principles of application security but applies them specifically to Internet and Web systems. Cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.
Web Applications have become the path of least resistance for cyber-attackers because they are:
- Constantly exposed to the Internet and easy for outside attackers to probe with freely available tools that look for common vulnerabilities such as SQL injection
- Easier to attack than traditional targets such as the network and host operating system layers, which have been hardened over time
- Built in short development cycles that increase the probability of design and coding errors – security is often overlooked when time-to-market is critical
- Assembled from hybrid code obtained from a mixture of in-house development, outsourced code, third-party libraries and open source
As a result, organizations are paying increased attention to the security of the web applications themselves, in addition to the security of the underlying computer network and operating systems. The majority of web application attacks occur through cross-site scripting (XSS) and SQL injection, which usually stem from flawed coding and a failure to sanitize input to and output from the web application.
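The two root causes just named, as an added illustration that is not part of the original page: a user lookup that splices the request parameter into the SQL text beside its parameterized form, and an HTML response that embeds user input verbatim beside its output-encoded form. The in-memory user table and the probe inputs are constructed for the demo.

```python
import html
import sqlite3

# Constructed in-memory sample database standing in for a web app's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn, name):
    """Flawed coding: the request parameter is spliced into the SQL text, so the
    database parses attacker-controlled input as part of the query."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """Hardened form: a bound parameter keeps the input as data, never as SQL syntax."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def render_vulnerable(name):
    """Failure to sanitize output: untrusted text is embedded verbatim into HTML,
    so markup supplied by the user becomes part of the page (reflected XSS)."""
    return f"<p>Welcome, {name}</p>"

def render_safe(name):
    """Hardened form: contextual output encoding turns markup characters into
    entities, so the browser renders them as text rather than as HTML."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"

def demo():
    conn = make_db()
    injected = "x' OR '1'='1"            # constructed probe input (textbook SQLi)
    markup = "<script>alert(1)</script>"  # constructed probe input (textbook XSS)
    return {
        "sqli_vulnerable_rows": len(lookup_vulnerable(conn, injected)),  # every row leaks
        "sqli_safe_rows": len(lookup_safe(conn, injected)),              # no such user
        "xss_vulnerable": render_vulnerable(markup),
        "xss_safe": render_safe(markup),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable lookup returns both rows for a name that matches no user, while the parameterized query returns none; the same contrast appears in the rendered HTML.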
Web Application Security Mechanisms, Technologies and Best Practices
Security mechanisms used should include threat modeling, risk analysis, static analysis, digital signatures and similar controls. A few high-level technical solutions to consider when designing, building and testing secure web applications:
- Black box testing tools – web application security scanners, vulnerability scanners and penetration testing software
- White box testing tools – static source code analyzers
- Fuzzing tools – used for input testing
- Web app security scanner – vulnerability scanner
- Web application firewalls (WAF) – used to provide firewall-type protection at the web application layer
- Password cracking tools – used for testing password strength and implementation
Web Application Security Standards
OWASP is the emerging standards body for Web application security. It has published the OWASP Top 10, which describes in detail the major threats against web applications. The Web Application Security Consortium (WASC) has created the Web Hacking Incident Database and has also produced open-source best-practice documents on Web application security.