Web Applications:
The placement of application servers in relation to the DMZ, firewalls, gateways, etc., plays
an integral role in the effectiveness of web application security. Once implemented,
another important factor is strong configuration management policies and procedures to
ensure that defenses remain intact as modifications or enhancements are moved to the
production environment. Software patches and fixes should be checked to ensure they are
current. Checklists should include analysis of permissions and services to ensure that only
those required are enabled.
Applications should be reviewed to ensure that sensitive corporate information
(including USERIDs, passwords, application names, links and server names) has been
adequately removed from public (or inappropriate internal) viewing, whether it appears
openly or is hidden in source code. Data input to forms should be validated for correctness
(type, length and expectation) and transmission paths tested for vulnerabilities. Encryption
of data should be commensurate with the sensitivity of the data. The use, transmission
and storage of cookie information should be included in the policies, procedures, and
audit activity.
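To make the "type, length and expectation" checks concrete, here is an added example (it is not code from the original paper or from the Landrum article it summarizes) of an allowlist-based form validator in Python. The form fields, their rules and the two submissions are assumptions constructed for the illustration; the point it adds to the paragraph is that unexpected fields are rejected as well as malformed values.

```python
import re
from typing import Any, Optional

# Hypothetical rules for an illustrative account form; the original page names
# no specific form or fields. Each rule states the expected type, a length
# bound (numeric range for integers) and an "expectation": either an allowlist
# of permitted values or a pattern the whole value must match.
FORM_RULES: dict[str, dict[str, Any]] = {
    "userid": {"type": str, "min": 3, "max": 32, "pattern": r"[A-Za-z0-9_.-]+"},
    "email":  {"type": str, "min": 6, "max": 254, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
    "age":    {"type": int, "min": 13, "max": 120},
    "role":   {"type": str, "allowed": {"viewer", "editor"}},
}


def _check_field(name: str, raw: str, rule: dict[str, Any]) -> tuple[Any, Optional[str]]:
    """Validate one submitted value. Returns (cleaned_value, None) or (None, error)."""
    # Type: coerce the submitted string into the expected Python type.
    if rule["type"] is int:
        try:
            value: Any = int(raw.strip())
        except ValueError:
            return None, f"{name}: expected an integer"
    else:
        value = raw.strip()

    # Length for strings, numeric range for integers.
    size = value if isinstance(value, int) else len(value)
    if "min" in rule and size < rule["min"]:
        return None, f"{name}: below minimum {rule['min']}"
    if "max" in rule and size > rule["max"]:
        return None, f"{name}: above maximum {rule['max']}"

    # Expectation: an allowlist of values or a pattern the whole value must match.
    if "allowed" in rule and value not in rule["allowed"]:
        return None, f"{name}: value not permitted"
    if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
        return None, f"{name}: unexpected characters"
    return value, None


def validate_form(submitted: dict[str, str]) -> tuple[dict[str, Any], list[str]]:
    """Validate a whole submission; returns (cleaned fields, list of errors)."""
    cleaned: dict[str, Any] = {}
    errors: list[str] = []
    # Fields the form never exposed are rejected outright: a client must not be
    # able to add parameters (for example a privilege flag) of its own.
    for name in submitted:
        if name not in FORM_RULES:
            errors.append(f"{name}: unexpected field")
    for name, rule in FORM_RULES.items():
        if name not in submitted:
            errors.append(f"{name}: missing")
            continue
        value, err = _check_field(name, submitted[name], rule)
        if err:
            errors.append(err)
        else:
            cleaned[name] = value
    return cleaned, errors


# Constructed submissions (not real traffic) exercising the checks above.
GOOD_SUBMISSION = {"userid": "jdoe", "email": "jdoe@example.org", "age": "34", "role": "viewer"}
BAD_SUBMISSION = {
    "userid": "jdoe' OR 1=1--",   # injection-style characters fail the pattern
    "email": "not-an-email",      # fails the expectation pattern
    "age": "abc",                 # wrong type
    "role": "admin",              # not on the allowlist
    "is_admin": "1",              # field the form never exposed
}

if __name__ == "__main__":
    for label, data in (("good", GOOD_SUBMISSION), ("bad", BAD_SUBMISSION)):
        cleaned, errors = validate_form(data)
        print(f"{label}: cleaned={cleaned} errors={errors}")
```

The validator rejects rather than "cleans up" bad input, which keeps the server-side rules the single source of truth; it does not replace output encoding or parameterized queries downstream, which handle the cases where a legitimate value still contains characters that are special to HTML or SQL.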
As with all access, user authentication is integral to the success of web security. Strong
USERID and password requirements should be instituted to thwart harvesting attempts.
© SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rights.
Consideration should be given to the use of URLs, hidden form elements and cookies to
establish state and to track/log user activity. Backup and recovery procedures should be
documented, tested, and updated with lessons learned. Auditing should be outlined in
policies and procedures and performed frequently, including vulnerability scanning, IDS
review, penetration attempts, information harvesting attempts, and the use of other
vulnerability assessment tools.
Portions of the above synopsized from: “Web Application and Databases Security”,
Darrell E. Landrum, 4/2/01, http://rr.sans.org/security.basics/web_app.php.
One of the newer components of many ISSPs is the Wireless Security Plan. Included in
the wireless family are pagers, cell phones, PDAs, laptops and palmtops. These
devices bring a whole new level of access, flexibility and portability to the IT environment
and present increased challenges for the ISS professional and the ISSP.
The quantity of devices/users and the temporary nature of the connection set hurdles
for the logging, tracking and auditing function. GSA, Federal Technology Service,
compiled a presentation titled “Hello? Who’s Listening In?” available at
http://fts.gsa.gov/webcast/3-7_wireless_security/sld001.htm, which outlines Wireless
Security Basics. The presentation provides a framework for security issues/countermeasures
which should be addressed in the Wireless Security Plan, including:
· Protective measures for Access Points (AP), including:
o Antenna signal reach (vertical as well as horizontal distance considerations),
o Media Access Control (MAC) Access Control Lists (ACLs) applied as one layer of
filtering, not as the only level of protection (a MAC address is easily cloned),
o Corporate policy addresses AP placement and environmental considerations
as well as the AP’s relation to firewalls and DMZs,
o A single AP does not reach multiple segments of the network unless via VPN.
· Disable SSID broadcasting (if possible) and use a non-descriptive Service Set
Identifier (SSID); the SSID is entered manually in the AP and the client, but it is a
network name, not a secret, and offers no protection on its own.
· Use IDS and “arpwatch” to monitor for unauthorized MACs.
· Use VPN-type protection (SSH or SSL) rather than relying on Wired Equivalent
Privacy (WEP) link-layer encryption.
· Centralized authentication and dynamic key distribution via EAP/802.1X
(Extensible Authentication Protocol).
· The perimeter of the building is shielded to reduce the risk of outside RF interference,
assist in protecting the AP, and reduce the possibility of Denial of Service (DoS) attacks
via drive-by or other me
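The arpwatch item is the one entry in the list that is directly a detection task, so here is an added example (not code from the paper or from the GSA presentation) that runs the check in Python: it parses arpwatch-style syslog lines, normalizes the MAC addresses, and compares them against the MAC ACL loaded on the AP. The log lines, interface name and authorized MAC list are constructed for the illustration; the three event names ("new station", "changed ethernet address", "flip flop") are the ones arpwatch actually logs, and arpwatch prints MAC octets without zero padding, which is why normalization is needed before comparing against an ACL.

```python
import re
from dataclasses import dataclass

# Constructed syslog lines in the style arpwatch emits (not captured from a
# real network). "wlan0" and the addresses are assumptions for this example.
SAMPLE_LOG = """\
Mar  4 09:12:01 gw arpwatch: new station 10.0.5.21 0:c:29:4a:1f:e2 wlan0
Mar  4 09:12:44 gw arpwatch: new station 10.0.5.22 0:c:29:7b:0:11 wlan0
Mar  4 09:15:09 gw arpwatch: new station 10.0.5.99 de:ad:be:ef:0:1 wlan0
Mar  4 09:20:30 gw arpwatch: changed ethernet address 10.0.5.21 de:ad:be:ef:0:1 (0:c:29:4a:1f:e2) wlan0
Mar  4 09:21:02 gw arpwatch: flip flop 10.0.5.21 0:c:29:4a:1f:e2 (de:ad:be:ef:0:1) wlan0
Mar  4 09:22:00 gw sshd[812]: Accepted publickey for ops from 10.0.5.22
"""

# Hypothetical MAC ACL as configured on the access point (assumption).
AUTHORIZED_MACS = {"00:0c:29:4a:1f:e2", "00:0c:29:7b:00:11"}

LINE_RE = re.compile(
    r"arpwatch: (?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-f:]+)"
    r"(?: \((?P<old>[0-9a-f:]+)\))? (?P<iface>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet so '0:c:29:4a:1f:e2' compares equal to '00:0c:29:4a:1f:e2'."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


@dataclass
class Alert:
    severity: str
    ip: str
    mac: str
    reason: str


def analyze(log_text: str, authorized: set[str]) -> list[Alert]:
    """Turn arpwatch events into alerts, using the AP's MAC ACL as the reference."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an arpwatch event line
        event, ip = m["event"], m["ip"]
        mac = normalize_mac(m["mac"])
        old = normalize_mac(m["old"]) if m["old"] else None

        if event == "new station":
            # A station the ACL does not know about. A station that cloned an
            # authorized MAC would pass this check, which is why the ACL
            # cannot be the only layer of protection.
            if mac not in authorized:
                alerts.append(Alert("high", ip, mac, "unknown station not in MAC ACL"))
        elif event == "changed ethernet address":
            # The IP is now answered by a different MAC: spoofing or ARP poisoning.
            alerts.append(Alert("high", ip, mac,
                                f"address for this IP changed from {old}; possible spoofing or ARP poisoning"))
        elif event == "flip flop":
            # Two MACs alternating for one IP: two hosts claim the address.
            alerts.append(Alert("medium", ip, mac,
                                f"alternating with {old}; two hosts claim this IP"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, AUTHORIZED_MACS):
        print(f"[{a.severity}] {a.ip} {a.mac}: {a.reason}")
```

Run against the sample, the two authorized stations produce nothing, the unknown station and the address change are high-severity alerts, and the flip flop is medium; the sshd line is ignored. In practice the allowlist would be exported from the AP's MAC ACL rather than typed in, so that the monitor and the filter never drift apart.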

