Application Level Security Management

Diplomarbeit von Michael Neuhaus

Abstract:

Today, more and more enterprises are developing business applications for Internet usage, which results in the exposure of their sensitive data not only to customers, and business partners but also to hackers. Because web applications provide the interface between users sitting somewhere within the World Wide Web and enterprises’ backend-resources, hackers can execute sophisticated attacks that are almost untraceable, aiming to steal, modify or delete enterprises‘ vital data, even when it is protected by passwords or encryption.

As recent viruses and worms such as Nimda, CodeRed or MSBlast have shown, modern attacks are occurring at the application itself, since this is where high-value information is most vulnerable. Such attack scenarios a becoming very problematic nowadays, since traditional network security products such as firewalls or network intrusion detection systems are completely blind to those malicious activities and therefore can not offer any protection at all. Modern protection mechanisms require more sophisticated detection capabilities in order to protect enterprises assets from such attacks now and in the future.

Additionally web application security currently is a highly dynamic and also very emerging field within enterprises’ IT security activities. Therefore this diploma thesis aims to provide a strong focussed picture on the current state of web application security and its different possibilities to raise the overall security level of already implemented web applications and also of future web applications.

Acting as a basis for further analysis, the currently most common web application vulnerabilities are described to get an overview of what a web application has to be protected of and where the root problems of these weaknesses are lying. Although these generic categories may not be applicable to every actually implemented web application, they may be used as baseline for future web applications.

Armed with the background of the current vulnerabilities and their related root causes, a detailed analysis of currently available countermeasures will provide recommendations that may be taken at each of the certain stages of a web application’s lifecycle. Since all further decisions generally should be based upon risk evaluations of specifically considered systems, a possible risk management assessment methodology is provided within the thesis.

Controls and countermeasures are provided from an attack’s timeline perspective, describing preventive countermeasures attached to each certain stage within the web application lifecycle and also different protective controls which are actively capable to defend enterprises from being successfully attacked. These countermeasures are analyzed form a functionality point of view, followed by currently available products providing such dedicated mechanisms. If available, such products and technologies were additionally judged with analyst’s perspectives for the provision of a more prospective view on current possibilities and future opportunities.

Table of Contents: