April 05, 2008

Web Application Security: What is the current version of your main Web application?

During the last moth I've talked about Web applications security twice, at the III OWASP Spain Chapter Meeting about "Web security threats and incidents" in Barcelona on March 14, and at the VI RedIRIS Security Forum about "Web security: a practical approach at universities (UCLM)", in Barcelona on March 28, 2008. Both presentations are in Spanish.

From the different topics I covered, I want to specifically emphasize three key points you need to focus on:
  1. Act now! If you are still developing Web applications today, 2008, without integrating security as a key aspect from an arquitectural (overall application and infrastructure design), administrative (systems and networks) and developing (secure programming and coding) perspective, you are exposing your environment to attacks for a few years. The Web applications we are developing today (or at least portions of them) will have a life of 5 to 10 years.
  2. What is the current version of you main Web application? v2.9.905? I always like to ask this question to the audience, as nobody seems to apply the good programming practices we use in other software (like version control and software management) to Web applications. New functionality, fixes and changes are directly introduced in (Web application) production environments without strict controls. This way, it is almost imposible to know when a vulnerability was introduced or fixed.
  3. Protect THE Web server! What about... embeded devices? When Web application security is mentioned, lot of people immediately think on the main corporate Web server facing the Internet. What about all the other Web applications and servers publicly available for partners, suppliers, customers, etc? What about the 1001 internal Web applications? What about the embeded Web servers in other software applications, such as MS Sharepoint, Citrix, etc? What about all the Web-based management interfaces?, and most crucial nowadays... What about the Web applications and servers available on network embeded devices, such as printers, switches, routers, access points, VoIP phones, IP cameras, network disks, etc? Web-based flaws in any of these elements introduce serious security vulnerabilities in your critical infrastructure.

Next December, at the SANS London 2008 conference, I'll teach in a row the two new SANS Web Application Penetration Testing courses, for a full 6-day training track. It is the first time we bring up this content to Europe:
If you are interested on learning the art of Web application pen-testing from real world and hands-on exercises, I hope to see you there! ;)