Web 2.0 Security Part 5: Strategies to CUT RISK

posted on Monday, July 23, 2007 8:29 AM

Over the past few weeks we've examined the issues inherent with Web 2.0 and in particular AJAX-based applications. These issues need to be dealt with, but they should not be considered "show stoppers" to moving ahead with your Web 2.0 initiative. Consider the security ramifications of the design, implementation, and deployment of your new application carefully. Build security into your new application up front and you'll certainly be able to decrease the potential risks associated with this growing technology.

Consider the following methods to CUT the RISK associated with deploying Web 2.0 applications:

•Check VA tools for AJAX support. Validate that the assessment and test tools you use to verify the security of your applications are capable of:

Interpreting and evaluating dynamic URLs from JavaScript

Creating (or capturing at a minimum) requests in the appropriate markup languages

JSON, XML, D/HTML

•Understand the application. Document and examine regularly:

Scripts associated with the application

Data sources accessed

Access patterns

Cookies used

•Trust no client. Implement policies that assumes the request is coming from an attacker

Validate input

Validate request

Validate client

•Reduce the number of scripts. If possible, reduce the number of scripts/applications to reduce the entry points through which attackers can gain entry/access to the application
•Invest in a web application firewall. Web Application Firewalls mediate between client and server and provide:

Application security through request verification

Client security through response verification

Not a panacea, but a first line of defense

Cannot stop logic layer attacks

•Secure sensitive data using SSL.

SSL for transport layer encryption

Cookie encryption

•Kick back suspicious data. Data Integrity should be validated on both request and response

Stop sensitive data from leaving the organization

Stop malicious data and code from entering the organization

Choose from one or more options: code (custom), software, hardware

Imbibing: Coffee

Technorati tags: F5, MacVittie, Web 2.0, security, AJAX, application security, javascript

Posted In: Web 2.0, Security,

One Comment

Feedback

12/13/2007 7:03 AM
		Useful information,thanks for participating.
hicivler

Let Me Know What You Think

Please use the form below if you have any comments, questions, or suggestions.

Title:

Name:

Email: (so we can show your gravatar)

Website:

Comment: Allowed tags: blockquote, a, strong, em, p, u, strike, super, sub, code

Remember Me?

Enter the code shown above:

Please add 4 and 6 and type the answer here:

		General SOA
		SOA Delivery
		Randomness
		Web 2.0
		Security
		iRules
		iControl
		Development and General
		Monitoring/Management
		XML
		ISV Solutions
		Microsoft Solutions
		Performance
		Cloud Computing
		Virtualization
		WILS
		Infrastructure 2.0
		F5 Friday
		Data Center Feng Shui
		Dynamic Infrastructure
		Load balancing
		Service Providers
		1024 Words
		v10.2.2
		v11
		JSON
		HTML5
		Mobile
		iApp
		Availability
		Storage
		DDoS
		AppSec
		TradSec
		Marketing Madness

		February, 2012 (6)
		January, 2012 (13)
		December, 2011 (9)
		November, 2011 (12)
		October, 2011 (14)
		September, 2011 (14)
		August, 2011 (16)
		July, 2011 (12)
		June, 2011 (14)
		May, 2011 (12)
		April, 2011 (16)
		March, 2011 (16)
		February, 2011 (12)
		January, 2011 (14)
		December, 2010 (12)
		November, 2010 (14)
		October, 2010 (14)
		September, 2010 (13)
		August, 2010 (13)
		July, 2010 (18)
		June, 2010 (22)
		May, 2010 (22)
		April, 2010 (19)
		March, 2010 (23)
		February, 2010 (20)
		January, 2010 (17)
		December, 2009 (16)
		November, 2009 (20)
		October, 2009 (22)
		September, 2009 (21)
		August, 2009 (25)
		July, 2009 (18)
		June, 2009 (20)
		May, 2009 (20)
		April, 2009 (21)
		March, 2009 (23)
		February, 2009 (17)
		January, 2009 (19)
		December, 2008 (17)
		November, 2008 (18)
		October, 2008 (27)
		September, 2008 (32)
		August, 2008 (31)
		July, 2008 (30)
		June, 2008 (33)
		May, 2008 (30)
		April, 2008 (24)
		March, 2008 (5)
		February, 2008 (4)
		January, 2008 (8)
		December, 2007 (5)
		November, 2007 (6)
		October, 2007 (3)
		September, 2007 (5)
		August, 2007 (7)
		July, 2007 (7)
		June, 2007 (5)
		May, 2007 (11)
		April, 2007 (9)
		March, 2007 (7)
		February, 2007 (10)
		January, 2007 (5)
		December, 2006 (4)
		November, 2006 (8)