According to Wikipedia, security is defined as the degree of resistance to, or protection from, harm. It applies to any vulnerable and valuable asset which in almost all cases, will include an organizations’ website, web service and IT infrastructure.
At the same time, it is important to realize that security is a very broad term. Many people mistakenly associate network security with web application security. While there are some similarities, there are also many distinct differences that necessitate a unique approach to each. The assumption that a secure network results in a secure web application and vice versa is a critical mistake.
In this article, we are going to look at what makes web application security different from network security and why an approach that addresses both is the only way forward when it comes to maintaining an effective overall IT security posture.
What is Network Security?
Network security can be either hardware based (routers with a built-in firewalls, network intrusion and detection systems) or software based. Because network security has been around for a very long time, it’s often the first thing that comes to mind when people think about security. Web application security on the other hand, is a relatively new challenge.
Much like a moat, curtain wall and portcullis protect a castle, network security plays the important but restrictive and limited role of keeping the bad guys (hackers) out and allowing the “good guys” to enter. In the DMZ environment there’s an overall focus on protecting the perimeter that surrounds the website, web application or web service with the help of a Firewall security appliance. Although this works well in some instances, Firewall security appliances are no longer considered an adequate solution because they are unable to protect organizations from their own vulnerable web services or web application servers.
Even in the event of an Intrusion Prevention System (IPS), new application-based exploits or incorrectly secured web applications are almost impossible to detect as IPS systems are signature-based which means they need to know about a specific exploit or attack in order to help protect against it.
Let’s examine two very common scenarios based in the organization’s DMZ environment which is where most internet originating attacks focus on:
First, when is network security considered effective? As an example, an FTP server might have a network security setting that limit access to it for a specific remote user. This effectively controls who is able to access the server, however we must keep in mind that the FTP server is responsible of filtering all requests from non-allowed users.
Second, if you have a high-traffic website or web application open to the public, ports 80 (HTTP) or/and port 443 (HTTPs) are usually required to be open,allowing valid and malicious traffic access the resource. The only way to effectively address this issue is through web application security to eliminate all potential web application vulnerabilities. Our article covering popular websites that have been repeatedly comprimised is direct proof of such real-life examples.
Web Application Security
Consumers’ need for applications that provide more information and increased functionality has organizations creating increasingly complicated web applications. As a result, the attack surface of many web application is rarely static. It’s either increasing in size or becoming more complicated. The process of managing web application security is a challenging one that is continuously becoming more time-consuming and demanding as applications continue to become more complex.
There are two distinct aspects that make web application security such a challenge:
- The organization’s network infrastructure provides access to the web application, by default, it exposes all potential vulnerabilities to attack including web forms, input fields, logical web vulnerabilities and more. The only realistic solution is to work towards the elimination of all vulnerabilities.
- The second problem is that from a network perspective it is very difficult to differentiate hackers from legitimate traffic, even with the help of a sophisticated firewall security appliance
The problem is further complicated by the fact that many malicious activities including the exploitation of vulnerabilities such as SQL Injection and DOM based Cross-Site Scripting vulnerabilities present themselves as regular traffic passing through port 80 or 443. Therefore the only way to resolve this problem is to place a greater emphasis on eliminating all web application vulnerabilities.
Every organization will have an individualized approach to security. The ideal approach takes into account both networks and web applications. Historically, a greater emphasis has been placed on network security, and this is an approach that has worked well.
However, as the trend towards depending more on increasingly complicated web applications and improved access to information continues, it has become critically important to manage all aspects of security — reducing overall risk to the greatest extent possible.
Obviously, this involves monitoring and controlling network traffic but it also includes the adoption of secure coding practices, scanning web applications for all potential vulnerabilities and using manual penetration testers who are experienced enough to identify and test for logical vulnerabilities.