Why does computer infrastructure security remain such a daunting subject? One reason may be the breadth of devices and services one must consider when designing and maintaining a good security posture. Here’s one example. Let’s say we are a large retailer with a large online presence, including ecommerce. Let’s now think about our security posture. The IT department gives us a checklist: Firewalls (check), Intrusion Protection (check), Secure Operating Systems (check), SSL Certificates (check)… you get the picture, right? Now we are off to the races: producing online revenue in a very secure environment, and management is happy. Things are great.
Now let’s fast forward to July 5, 2013, as five residents of Russia and Ukraine are indicted in a massive international hacking scheme. Worse yet, our fictitious online retail site was a target. While our site may be fictitious, the indictment is not. The hacking ring was responsible for an estimated $300 million in losses over a seven-year period. The targets were major players, each with strong security practices, including NASDAQ, JCPenney, Discover Bank, Dow Jones and others.
How can this happen? IT assured us we were secure. But the one thing that wasn’t secure was the application itself. The indictment indicates that in most cases the hackers used SQL injection flaws to gain entry to, and deposit malicious code onto, otherwise secure systems. This method of hacking has been well documented over the years and should certainly be no secret to anyone with access to Wikipedia.
The fix for this can be tackled on two fronts. First, application code should sanitize the input that goes into database queries, stripping out special characters and filtering out malicious patterns. Second, employ a web application firewall (WAF) to help catch things the developers haven’t thought of. Typically a WAF monitors calls made by the application, potentially blocking input, output or even system service calls that do not meet the configured policy or are malicious in nature.
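The two fronts described above, as an added example that is not part of the original post. For the application side it shows the defect itself (user input concatenated into SQL text) beside a parameterized query, and an allow-list check on the input; note that it uses parameter binding rather than the character stripping the paragraph describes, since binding removes the problem instead of chasing patterns. For the second front it shows the mechanism a WAF applies: pattern rules run over request parameters before they reach the application. The table, sample rows, request samples and the three detection rules are all constructed for this example; the rule list is only an illustration of how such rules work, not a usable rule set.

```python
"""Added example (not from the original post): the two fronts described
above, demonstrated against an in-memory SQLite database.

Everything here is constructed for the example: the table, the sample
rows, the request samples and the detection rules."""
import re
import sqlite3

# Constructed sample data: a tiny customer table.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the user's input becomes part of the SQL text,
    so a quote in the input changes the meaning of the query."""
    sql = "SELECT email FROM customers WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Bound parameter: the input is always treated as a value, never as
    SQL syntax, whatever characters it contains."""
    sql = "SELECT email FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Allow-list validation (the page's "cleaning" step, done as an allow-list
# rather than by stripping characters): reject anything that is not a
# plausible username before it reaches the database layer at all.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_username(value):
    return bool(USERNAME_RE.fullmatch(value))


# A minimal WAF-style request check. Each rule is a pattern that has no
# business appearing in a query-string value. Production rule sets are far
# larger; these three constructed rules only illustrate the mechanism.
WAF_RULES = [
    ("sqli-quote-or", re.compile(r"'\s*or\s*'", re.IGNORECASE)),
    ("sqli-comment", re.compile(r"(--|/\*)")),
    ("sqli-union", re.compile(r"\bunion\b\s+\bselect\b", re.IGNORECASE)),
]


def inspect_request(query_params):
    """Return (parameter, rule) pairs for every rule a parameter value
    triggers; an empty list means the request passes the policy."""
    hits = []
    for name, value in query_params.items():
        for rule_name, pattern in WAF_RULES:
            if pattern.search(value):
                hits.append((name, rule_name))
    return hits


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # the textbook injection string, used as a test input
    print("vulnerable:", lookup_vulnerable(conn, probe))      # every row leaks
    print("parameterized:", lookup_parameterized(conn, probe))  # no match
    print("valid username?", is_valid_username(probe))        # False
    print("WAF hits:", inspect_request({"user": probe}))      # rule fires
```

Running the block shows the whole story in four lines of output: the concatenated query returns every customer's email, the parameterized query returns nothing because no username literally equals the probe, the allow-list rejects the probe before any query is built, and the request check flags the parameter. Each layer catches the same input independently, which is the point of defending on both fronts.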
Whether protecting in code, via a WAF, or both, don’t forget that the security of the application itself is every bit as important as the rest of the security infrastructure. For more information, check out the Open Web Application Security Project (OWASP) at www.owasp.org.