Enterprise Web Application Security Issues and Guidelines - Research Paper Example

The paper "Enterprise Web Application Security Issues and Guidelines" discusses that in the past few years, the majority of organizations have shifted their businesses over the internet. They have implemented huge enterprise web applications, which are used to perform a variety of business-related tasks…
Abstract

Recent developments on the Internet have raised the standard of the technology in everyday use. More and more corporations now use the Internet to carry out their business tasks, and web-based systems and business applications offer better support and facilities at both the business and the personal level. These facilities have also raised concerns about web security and privacy, so there is a pressing need to implement proper mechanisms that ensure Internet security. This paper presents an analysis of some of the important aspects and features of web-based systems. Its purpose is to discuss the issues that enterprise web application developers need to consider while developing web-based systems, together with the solutions and strategies that address these security threats.

Keywords: SQL Injection, DoS attacks, Oracle 10g, SSL, Encryption, IDS, SQL, CI4A

Introduction

Information security remains a significant concern throughout the system development life cycle; it is as important as delivering the system according to its functional requirements. By identifying problems early, in the project initiation phase, the operating system, environment, system architecture and database can be designed and integrated with security features included. Doing so also ensures that the development process follows the applicable rules, regulations, legislation and standards. This paper presents a detailed analysis of the web security issues that developers of enterprise web applications need to consider.
It also outlines the fundamental security features offered by database management systems and how these features can be used to protect the database from breaches.

Research background

The use of web applications is growing in all fields of life. These applications sit on top of large databases that support their functions and store web-related data. With this growing usage, new kinds of attack keep emerging that hinder their use, so developing enterprise web applications poses serious challenges for application developers, who must take care of a wide variety of security issues (Halfond & Orso, 2005; Fraternali, 1999; Chou, 2007). Websites and web applications normally interact with other back-office applications, remote services and distributed systems that may be located on the local premises or at any other location. Managing such complex, interconnected systems requires more communication between components, and that in turn raises the likelihood of security vulnerabilities and weaknesses. It increases the chances of a security breach and gives no guarantee of a stable, well-organized, protected, extensible and fully compatible system (Watson Hall Ltd., 2008; Turban, Leidner, McLean, & Wetherbe, 2005; Laudon & Laudon, 1999). For present-day web-based systems, security considerations therefore have to be recognized throughout the system development life cycle.
Separating the fundamental security aspects from the overall development phase brings negative consequences: higher cost, less efficient work, lower availability of system resources and poorer system reliability. For web-based applications and databases, the prime need is therefore a data protection strategy that maintains the integrity and confidentiality of sensitive information and the availability of the required services, and that is considered at every phase of the system's life cycle (Watson Hall Ltd., 2008; Turban, Leidner, McLean, & Wetherbe, 2005; Laudon & Laudon, 1999).

Web-Security Issues Developers Need To Consider

The security of an enterprise web application can be measured through six properties: Confidentiality, Integrity, Authorization, Authentication, Availability and Accountability (CI4A). Confidentiality protects the privacy of data stored in the database or transmitted over the web. Integrity ensures that data passing through the application is not altered, intentionally or unintentionally. Authentication verifies who a user is. Authorization governs the access rights to the different application subsystems, data and functionality. Availability measures whether the application remains usable, and accountability ties each action to the user that performed it. Attackers keep looking for new methods to compromise one or more of these properties, so enterprise application developers need to keep a variety of attacks in mind while developing these applications.
Some of the well-known types of attack that they need to consider are outlined below (Lebanidze, 2010; Kolodgy, 2011; Ceselli, et al., 2005).

DoS Attacks: An overview

A denial-of-service (DoS) attack is an event that prevents authorized access to resources or interrupts operations that are time-critical. When the attack traffic is launched from many hosts at once it is called a distributed denial-of-service (DDoS) attack. A DoS attack may target individual users, preventing them from establishing connections on the network, including outgoing ones, or it may target a whole organization, blocking incoming or outgoing traffic to its enterprise web applications. In either case the goal is to stop the victim from using its network links. A DoS attack is far simpler to carry out than gaining administrative access to a remote system, which is why it is so popular on the Internet. In an enterprise web application, denial of service can also result from programming mistakes such as uninitialized variables, poor concurrency management and null pointer dereferences. Concurrent access can intensify availability problems, although load balancing can mitigate them. Developers should also implement proper error handling, because unhandled errors cause crashes that an attacker can trigger at will (Lebanidze, 2010; Chan, et al., 2010; Tech-FAQ, 2011).

Unvalidated Input

All enterprise web applications process input coming from multiple untrusted sources.
If developers fail to handle this input correctly, attackers can use it to launch attacks against the application, so validation must be performed every time data crosses a trust boundary. Improper handling of input enables a range of attacks, including SQL injection, buffer overflows, cross-site scripting (XSS), cookie poisoning, format string attacks and hidden field manipulation (Lebanidze, 2010; Kolodgy, 2011; Karaarslan, Tuglular, & Sengonca, 2008).

Broken Access Control

Broken access control occurs when developers fail to enforce restrictions on what authenticated users are allowed to do. An attacker can then access other users' accounts, use unauthorized functionality or view confidential information; in effect the attacker escalates privileges. For example, relying on hidden form fields to establish identity for access to administrative interfaces lets an attacker gain illegitimate access, because hidden fields are trivially manipulated on the client (Lebanidze, 2010; Kolodgy, 2011; Karaarslan, Tuglular, & Sengonca, 2008).

Session Management and Broken Authentication

If developers fail to protect account credentials and session tokens (keys, passwords, session cookies), attackers can use them to bypass authentication and assume the identities of other application users.
This applies equally to the ancillary flows that handle credentials, such as forgotten-password retrieval, password change and account update. Session tokens must also be protected against theft, otherwise an attacker who steals a token after authentication takes over the identity of the authenticated user without ever authenticating. Transport encryption with SSL (today TLS) can be used to protect the session in transit (Lebanidze, 2010; Kolodgy, 2011; Karaarslan, Tuglular, & Sengonca, 2008).

Cross Site Scripting (XSS)

Like SQL injection, XSS results from poor input handling. Here the attacker supplies executable script as input to the web application, and it is the client's browser that executes the script when the application reflects, or stores and later renders, that input. The attack gives the attacker access to the end user's session tokens and a foothold to attack the user's machine; with the stolen token the attacker can hijack the legitimate user's session. The attack is usually delivered through the web tier or application tier. Developers can deal with it through aggressive allow-list (white-list) input validation in the application, together with encoding all untrusted data before it is written into HTML (Lebanidze, 2010; Kolodgy, 2011; Karaarslan, Tuglular, & Sengonca, 2008).

Buffer Overflow

A buffer overflow occurs when a program writes more data into a fixed-size buffer than it can hold, overwriting adjacent memory. At minimum this crashes the process, which is why it is one of the most common causes of denial of service; at worst it lets the attacker execute code of their choosing. It can be triggered remotely or locally, and it is always performed through a vulnerable application.
The attacker may already know that the target has such a flaw, or may simply try oversized input and see whether the attack works. Developers can avoid buffer overflows by checking input length and by using safe string and memory manipulation functions in place of their unbounded counterparts, which reduces the chance of introducing an overflow considerably (Lebanidze, 2010; Chan, et al., 2010; Tech-FAQ, 2011).

Exception Management (Inappropriate Error Handling)

Developers must be careful when handling exceptions that occur during execution of the web application. If error information is not handled properly, details such as stack traces, internal paths or database messages reach the user and result in information disclosure (Lebanidze, 2010; Kolodgy, 2011; Karaarslan, Tuglular, & Sengonca, 2008).

Insecure Storage

Most of the time data is at rest in a storage location, so it should be secured appropriately; developers can use encryption to protect these databases (Lebanidze, 2010; Kolodgy, 2011; Karaarslan, Tuglular, & Sengonca, 2008).

Protection against Hacking (Hashing)

Data theft and pilfering are major issues for business websites, and a business system developer needs to address them to achieve credible security. One of the best techniques is hashing: a one-way hash lets the system verify data, such as a password, without storing the data itself. Applied to business-critical data this protects the information effectively and enhances business and corporate credibility.
Strong hashing systems are well established, and many methods are available for protecting sensitive data (Bilawal Hameed, 2011).

Internal Hacks (Password Salts)

Password-based protection is one of the main concerns in web system development. According to Hameed (2011), 80 percent of websites still store passwords in plain text, which is trivial to read; such passwords are open to business administrators and system managers, so the risk of an internal breach is considerable. Instead, a password should be hashed together with a random per-user salt when it is set, and verified at login by recomputing the hash from the submitted password and the stored salt. This gives much better protection for users' personal and confidential information and files (Bilawal Hameed, 2011).

SQL Injection Attacks

SQL injection is a kind of code injection attack in which the attacker causes unauthorized queries to be executed against the database. It has become a major challenge for enterprise application developers because most companies store private data such as customer information and confidential documents in databases that are reachable over the network, so the number of database-driven web applications in enterprise systems keeps growing. The attacker uses SQL injection to gain direct access to the database behind the web application, and so to private information that is later used for illegal activities. The attack comes in many forms, and dealing with such diverse attacks poses a serious challenge; developers must possess the skills and knowledge required to deal with them.
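The hashing and salting guidance above, shown as working code. This is an added example, not code from the paper or from Hameed's article; it uses only the Python standard library, and the record format ("pbkdf2_sha256$iterations$salt$hash"), the iteration count and the in-memory user store are this example's own assumptions.

```python
"""Salted password hashing and verification with the standard library."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: tune so one hash takes ~100 ms on the server
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record; a fresh random salt is drawn if none is given.

    Because the salt is random per user, two users with the same password get
    different records, so a leaked table cannot be attacked with one precomputed
    table of hashes.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    Any malformed or foreign record is treated as a failed login, not an error.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iterations)
    except ValueError:          # wrong field count, bad base64, bad integer
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


# Assumed in-memory user store: a dict of username -> record. An administrator
# who can read it sees only the record, never the password.
_DUMMY_RECORD = hash_password("", iterations=ITERATIONS)


def register(users: dict, username: str, password: str,
             iterations: int = ITERATIONS) -> None:
    users[username] = hash_password(password, iterations=iterations)


def login(users: dict, username: str, password: str) -> bool:
    record = users.get(username)
    if record is None:
        # Do the same work for an unknown user so timing does not reveal
        # which usernames exist.
        verify_password(password, _DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    store = {}
    register(store, "alice", "correct horse")
    print(store["alice"])                       # the only thing an admin can see
    print(login(store, "alice", "correct horse"))   # True
    print(login(store, "alice", "wrong"))           # False
```

The stored record carries its own algorithm, iteration count and salt, so the iteration count can be raised later for new passwords without invalidating old records; `hmac.compare_digest` avoids leaking, through timing, how many bytes of the hash matched.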
SQL injection has had serious consequences for high-profile organizations such as FTD.com, Travelocity, Tower Records and Creditcards.com. A Gartner Group survey of more than 300 websites found that more than 97% were susceptible to SQL injection, which makes it one of the critical security issues of web applications. In a SQL injection attack, the attacker supplies input that the web application places into a SQL query in such a way that the database treats the user's input as SQL code. These attacks normally result from poor database programming practice: developers include the user's data directly in the query text instead of validating it strictly and binding it as a parameter (Halfond & Orso, 2005; Fraternali, 1999; Chou, 2007).

Security Features in Leading DBMSs

Many database management systems on the market support effective security features. Oracle Database 10g, for instance, provides a wide range of them that are useful in enterprise application development. It supports password-based authentication and handles most SSL processing without requiring client-side wallets. Its Virtual Private Database lets a developer attach a security policy to a table, view or synonym; the policy is applied whenever a SQL statement accesses the protected object. Oracle Label Security and Enterprise User Security integrate with the Oracle Identity Management infrastructure for central management (Needham & Iyer, 2003).
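The two injection problems described above, unvalidated input reaching a SQL query and reaching the HTML sent to the browser, side by side with their hardened forms. This is an added example, not code from the paper; the users table, its rows, the allow-list pattern and the handler names are constructed here for illustration, and SQLite stands in for the enterprise database so the example runs offline.

```python
"""Untrusted input at the trust boundary: vulnerable and hardened handlers."""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "Likes cryptography."),
            ("bob", "bob@example.com", "Bob <b>really</b> likes tea."),
        ],
    )
    return conn


# --- SQL injection: string concatenation vs. bound parameters -------------

def lookup_vulnerable(conn, username: str) -> list:
    """The user's input becomes part of the SQL text itself.

    With username = "' OR '1'='1" the WHERE clause becomes
    username = '' OR '1'='1', which is true for every row.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str) -> list:
    """A placeholder keeps the input as data; the query's structure is fixed,
    so the same payload is simply a username that matches no row."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# --- Cross-site scripting: raw interpolation vs. validation + encoding -----

# Assumed allow-list for usernames: letters, digits, '_', '.', '-', 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def render_profile_vulnerable(conn, username: str) -> str:
    """Reflects the requested name, and the stored bio, into HTML unencoded."""
    row = conn.execute(
        "SELECT bio FROM users WHERE username = '" + username + "'"
    ).fetchone()
    bio = row[0] if row else "No such user."
    return "<h1>" + username + "</h1><p>" + bio + "</p>"


def render_profile_hardened(conn, username: str) -> str:
    """Validates input against the allow-list, queries with a bound parameter,
    and HTML-encodes everything written into the page, including data that
    came from the database (which defeats stored XSS, not only reflected)."""
    if not USERNAME_RE.fullmatch(username):
        return "<p>Invalid username.</p>"
    row = conn.execute(
        "SELECT bio FROM users WHERE username = ?", (username,)
    ).fetchone()
    bio = row[0] if row else "No such user."
    return "<h1>%s</h1><p>%s</p>" % (html.escape(username), html.escape(bio))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:   ", lookup_vulnerable(db, payload))     # every row leaks
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print(render_profile_vulnerable(db, "<script>alert(1)</script>"))
    print(render_profile_hardened(db, "bob"))
```

Validation alone is not enough for the second problem: bob's bio is already in the database, so only encoding at the point of output keeps his markup from being interpreted by the browser. Likewise, validation is not what protects the query; the bound parameter is, and it works even for usernames the allow-list would reject.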
Security Guidelines

Developers can deal with this kind of attack by adopting sound programming practices such as thorough input validation and defensive programming. Attackers, however, keep finding new ways around the measures developers introduce, and network-level controls such as firewalls and intrusion detection systems are of limited use against attacks that travel inside otherwise legitimate requests. Halfond and Orso (2005) discuss two techniques, Safe Query Objects and SQL DOM, that are effective against SQL injection. Both encapsulate database queries to offer a trustworthy way to access the database: they change query construction from an ad-hoc process based on string concatenation into a systematic process based on a type-checked application programming interface (API) (Halfond & Orso, 2005; Fraternali, 1999; Chou, 2007). In addition, developers can adopt the following measures to deal with security threats.

Least Privilege

Grant processes and users the minimum privileges that are sufficient to complete the tasks they are authorized to perform. In practice developers routinely assign users more privileges than the task requires (Lebanidze, 2010).

Simplicity of Design

Keep the application design as simple as possible, because an unreasonably complicated design leads to security problems. As a general rule, a system should do what it needs to do and nothing else.
Complexity also makes the code harder to improve and increases the chance of bugs (Lebanidze, 2010).

Privacy

The system should store as little private information as possible. For example, it is good practice not to store credit card numbers, because users can enter them again. Developers should focus on measures that prevent as many attacks as possible (Lebanidze, 2010; Kolodgy, 2011; Ceselli, et al., 2005).

What measures I would have adopted?

In view of the fact that the majority of attacks occur due to programming errors and ineffective handling of user input, the development of enterprise web applications can be improved through improved programming practices. I would suggest the use of a secure software development approach for the development of such systems. This approach defines the security principles and measures that application developers must keep in mind while completing each phase of software development. In addition, enterprise web application developers can implement security measures if they are well aware of security threats and programming practices. I would ensure that my team members are provided with effective training so that they understand the types of attacks and how to avoid them. I would make sure that my team members are well aware of the technologies that can be adopted to deal with these security threats. At present there are numerous tools and technologies available to support the implementation of secure applications, and I would suggest using the latest technology or tool for the implementation of the enterprise web application. I would conduct detailed research on the latest security threats and ways to deal with them, and then guide my team members so that they know about these threats.
I would make sure that all the guidelines discussed in this paper are implemented in the development (Karaarslan, Tuglular, & Sengonca, 2008).

Results and Conclusions

In the past few years the majority of organizations have moved their businesses onto the Internet, implementing large enterprise web applications that perform a variety of business tasks and that integrate large back-end databases storing customer and business data. This paper has discussed some of the important security issues that enterprise application developers face while implementing these applications. The research has shown that the majority of these issues arise from programming mistakes and flaws, and that they can be resolved with proper measures and security checks; the paper has discussed the strategies and solutions developers can use to deal with them. Since security threats keep increasing, application developers also need to keep improving their programming skills and adopt the latest measures.

References

Bilawal Hameed. (2011). Five Useful Security Tips For Web Developers. Retrieved April 22, 2014, from http://www.bilawal.co.uk/2011/02/five-useful-security-tips-for-web-developers/
Ceselli, A., Damiani, E., Vimercati, S. D., Jajodia, S., Paraboschi, S., & Samarati, P. (2005). Modeling and assessing inference exposure in encrypted databases. ACM Transactions on Information and System Security (TISSEC), 8(1), 119-152.
Chan, N., Lockwood, R., Freeman, S., Farmah, P., Chousiadis, C., Hamid, F., . . . Chung, Y. W. (2010). Denial of Service. Retrieved May 05, 2014, from http://islab.oregonstate.edu/koc/ece478/project/dos1.pdf
Chou, W. (2007). Strategies to Keep Your VoIP Network Secure. IT Professional, 9(5), 42-46.
Fraternali, P. (1999). Tools and Approaches for Developing Data-Intensive Web Applications: A Survey. ACM Computing Surveys (CSUR), 31(3), 227-263.
Halfond, W. G., & Orso, A. (2005). AMNESIA: Analysis and Monitoring for Neutralizing SQL Injection Attacks. ASE '05: Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering (pp. 174-183). Long Beach, California, USA: ACM.
Karaarslan, E., Tuglular, T., & Sengonca, H. (2008). Enterprise Wide Web Security Infrastructure. Ulak-CSIRT, TUBITAK – ULAKBIM, Turkey.
Kolodgy, C. J. (2011). The Case for Building in Web Application Security from the Start. Framingham, MA, USA: IBM.
Laudon, K. C., & Laudon, J. P. (1999). Management Information Systems, Sixth Edition. New Jersey: Prentice Hall.
Lebanidze, E. (2010). Securing Enterprise Web Applications at the Source: An Application Security Perspective. The Open Web Application Security Project.
Needham, P., & Iyer, S. (2003). Oracle Database 10g Security and Identity Management. Redwood Shores, CA, USA: Oracle Corporation.
Royal Technologies. (2011). MySQL Security Tips. Retrieved April 23, 2014, from http://www.royalit.net/index.php?option=com_content&view=article&id=7&Itemid=9
Smith, M. (2004, September 10). Top 10 Web Security Tips. Retrieved April 22, 2014, from ColdFusion Developers Journal: http://coldfusion.sys-con.com/node/46366
Tech-FAQ. (2011). Denial of Service (DoS) Attacks. Retrieved May 03, 2014, from http://www.tech-faq.com/denial-of-service-dos-attacks.html
Turban, E., Leidner, D., McLean, E., & Wetherbe, J. (2005). Information Technology for Management: Transforming Organizations in the Digital Economy. New York: Wiley.
Watson Hall Ltd. (2008, September 11). Web Site and Web Application Security. Retrieved May 02, 2014, from https://www.watsonhall.com/secure-development-and-compliance/
Research paper Example | Topics and Well Written Essays - 3000 words - 1. Retrieved from https://studentshare.org/information-technology/1644538-research-paper