
Protecting Web Applications

Iridium provides integral application security solutions for detecting vulnerabilities and covering security bugs.

Web applications born insecure

It is a matter of fact that the majority of web applications are born insecure, despite the widespread use of SSL and the continuous adoption of PCI scanning. More than 80% of websites have some kind of vulnerability. This doesn't mean that SSL is a bad technology: SSL protects the integrity and confidentiality of data in transit between the web server and the client's browser, and assures users of the identity of the web server they are dealing with, but it falls far short of stopping attacks performed directly against the server or client components of web applications.

The incidence of some common web application vulnerabilities, such as Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), Broken Authentication and Broken Access Controls, shows the following unexpected results:

  1. Broken authentication (62%) — Includes all defects related to the web application's logic mechanism
  2. Broken access controls (71%) — Includes all cases where the web application fails to protect access to its data and flows, creating a breach through which attackers can view users' sensitive data
  3. SQL injection (32%) — This vulnerability allows attackers to run crafted queries against the web application's backend
  4. Cross-site scripting (94%) — Includes those cases in which an attacker can target other web application users, gaining access to their data and performing unauthorized actions on their behalf. According to OWASP Top 10
  5. Cross-site request forgery (92%) — Through this vulnerability, web application users can be induced to perform unintended actions on the web application within their own user context and privilege level

Roots of web application security issues

From a high-level perspective, the core security problem for web applications has to do with situations in which they must accept and process untrusted data that can be malicious. This is compounded if we take into account common factors that apply to software development, like:

  • Underdeveloped Security Awareness: Awareness of web application security issues falls far behind that of other security areas like networks or operating systems. It is usually difficult to find a development team with proper security knowledge. In most cases development is done under the erroneous assumption that third-party plugins and the main programming framework provide the required security level.
  • Over-Extended Technologies: Some common technologies used in web application development have been extended beyond a healthy bound, which has led to security vulnerabilities. One example is the use of JavaScript as a means of transmission for Ajax applications.
  • Resource and Time Constraints: Many web applications are developed under special economic and time restrictions. The need to create a functional and stable web application usually takes precedence over less tangible security matters.

Make your software self-protected

Iridium helps you make your software self-protected by providing the first-class security protection of Hdiv products. We think that every business becomes a software business. Nowadays business software remains a leading source of data breaches. At Iridium we mitigate security risks by creating self-protected architectures. Security products from our partners are properly integrated into the SDLC, providing protection at a low level. This approach not only reduces the cost of having WAFs and their maintenance; it also has clear security advantages because it doesn't rely on common WAF features.

At the same time, products from Iridium enable our customers' DevOps teams to provide Security as Code, guiding them to build proper DevSecOps rules.

Services we provide

(IAST) Interactive Application Security Testing
(RASP) Runtime Application Self Protection