Click here to close now.

Welcome!

Microservices Expo Authors: Elizabeth White, Jason Bloomberg, Pat Romanski, Liz McMillan, Carmen Gonzalez

Related Topics: Microservices Expo, Cloud Security

Microservices Expo: Article

Common Web Application Security Vulnerabilities and Mitigation

It's easy to avoid common vulnerabilities with little precaution

Web applications are vulnerable to a multitude of security attacks. This exposes the underlying businesses and the consumer data to public view. However it is a common observation that web developers hardly take any preventive steps to secure their web applications.

Most of the time web application developers focus only on authentication and authorization to secure the web applications. This may be a viable approach for designing an intranet application. However, for the Internet application, multiple programming practices need to be followed to prevent such attacks.

This article details in brief the various security vulnerabilities web applications face and how they can be mitigated.

Bypassing Input Validation
Generally developers validate the user input using JavaScript validations. Once the information is sent to the server side, developers do not validate again, since they assume that JavaScript validations can block all invalid data.

Hackers, however, can simply save the page to their local hard disk and modify the JavaScript to not do the validation. They can then submit the page.

Mitigation
All input should be validated twice - first on the client side and then on the server side. Client-side validation is done using Java Script. The server-side validation is done using the respective server-side technology like Java, .NET or PHP

SQL Injection
An attacker can submit input that would pass the JavaScript and server-side validation. However, the input is actually an SQL query. Since the input is used to construct the SQL queries, such an input would alter the SQL query and give unauthorized information back to the attacker.

Mitigation
Use Prepared Statements to fire queries. Don't use string concatenation with the user input to create dynamic queries

Unprotected Resources
The attacker can guess the URLs of unprotected resources. Such information can be divulged by reading the code comments or it could be guessed.

Mitigation
All web content must be protected by authentication. In the case of Java web application programming, keep all the unprotected and sensitive code under WEB-INF. A similar solution exists for PHP and other server-side technologies.

Reverse Engineering
For rich client applications such as those using Java Applets, Adobe Flex, Microsoft Silverlight, etc., the entire byte code gets transmitted to the client side. An attacker can decompile the byte code and gain sensitive information.

Mitigation
The client-side code shouldn't contain any business logic. It also shouldn't contain business logic validation. The code should be obfuscated before sending to the client.

Weak Authentication
Many times attackers can gain access to a secure website by using common terms like ‘admin,' ‘test,' etc. Developers often use these user names and passwords for testing purposes and often forget to remove them from the production systems.

Mitigation
Developers should not be given access to a production database for testing purposes. All testing must happen in UAT and it should use real user names and passwords.

Cross-Site Scripting (XSS)
When you open two websites in two different browser tabs, you don't expect one website on a given tab to steal your passwords from another tab.

However, this is possible, if you are using an old version of the browser or if you're using an infected browser

Mitigation
Encourage users to upgrade to the latest version of the browsers. Also technologies that use secure sandboxing such as Java Applets and Adobe Flex and many others should be used for creating rich-client applications.

Conclusion
About 80% of all web security breaches can be prevented by addressing the above vulnerabilities. A regular code review is very much required to correct the oversight on the part of programmers.

There are also various tools available that will detect the common vulnerabilities for you. Many of these tools, however, generate false positives and need substantial time to separate false positives from real alerts.

Ultimately these tools can't fix the code. That has to be done by the developer. Thus, appropriate review procedures must be established and awareness should be propagated to educate developers on the vulnerabilities and their mitigation.

More Stories By Mahesh K Punjabi

Mahesh K Punjabi is a senior technology architect with Infosys Technologies Ltd. He has extensive experience designing enterprise applications using Java and multitude of RIA technologies including Flex and GWT. His other passions include photography and speaking with Toastmasters' clubs.

@MicroservicesExpo Stories
The cloud has transformed how we think about software quality. Instead of preventing failures, we must focus on automatic recovery from failure. In other words, resilience trumps traditional quality measures. Continuous delivery models further squeeze traditional notions of quality. Remember the venerable project management Iron Triangle? Among time, scope, and cost, you can only fix two or quality will suffer. Only in today's DevOps world, continuous testing, integration, and deployment upend...
Microservices are individual units of executable code that work within a limited framework. They are extremely useful when placed within an architecture of numerous microservices. On June 24th, 2015 I attended a webinar titled “How to Share Share-Nothing Microservices,” hosted by Jason Bloomberg, the President of Intellyx, and Scott Edwards, Director Product Marketing for Service Virtualization at CA Technologies. The webinar explained how to use microservices to your advantage in order to deliv...
Countless business models have spawned from the IaaS industry. Resell Web hosting, blogs, public cloud, and on and on. With the overwhelming amount of tools available to us, it's sometimes easy to overlook that many of them are just new skins of resources we've had for a long time. In his General Session at 16th Cloud Expo, Phil Jackson, Lead Technology Evangelist at SoftLayer, broke down what we've got to work with and discuss the benefits and pitfalls to discover how we can best use them to d...
Public Cloud IaaS started its life in the developer and startup communities and has grown rapidly to a $20B+ industry, but it still pales in comparison to how much is spent worldwide on IT: $3.6 trillion. In fact, there are 8.6 million data centers worldwide, the reality is many small and medium sized business have server closets and colocation footprints filled with servers and storage gear. While on-premise environment virtualization may have peaked at 75%, the Public Cloud has lagged in adop...
SYS-CON Media announced today that CloudBees, the Jenkins Enterprise company, has launched ad campaigns on SYS-CON's DevOps Journal. CloudBees' campaigns focus on the business value of Continuous Delivery and how it has been recognized as a game changer for IT and is now a top priority for organizations, and the best ways to optimize Jenkins to ensure your continuous integration environment is optimally configured.
Live Webinar with 451 Research Analyst Peter Christy. Join us on Wednesday July 22, 2015, at 10 am PT / 1 pm ET In a world where users are on the Internet and the applications are in the cloud, how do you maintain your historic SLA with your users? Peter Christy, Research Director, Networks at 451 Research, will discuss this new network paradigm, one in which there is no LAN and no WAN, and discuss what users and network administrators gain and give up when migrating to the agile world of clo...
In my last Cortex newsletter, I discussed the history of Conway’s Law, and took a close look at how this erstwhile law can help us understand the reorganizations and deeper cultural shifts behind devops and digital transformation. The law – “any organization that designs a system will inevitably produce a design whose structure is a copy of the organization’s communication structure” – is more of an observation of correlations between system designs and communication structures, rather than any...
DevOps tends to focus on the relationship between Dev and Ops, putting an emphasis on the ops and application infrastructure. But that’s changing with microservices architectures. In her session at DevOps Summit, Lori MacVittie, Evangelist for F5 Networks, will focus on how microservices are changing the underlying architectures needed to scale, secure and deliver applications based on highly distributed (micro) services and why that means an expansion into “the network” for DevOps.
In the midst of the widespread popularity and adoption of cloud computing, it seems like everything is being offered “as a Service” these days: Infrastructure? Check. Platform? You bet. Software? Absolutely. Toaster? It’s only a matter of time. With service providers positioning vastly differing offerings under a generic “cloud” umbrella, it’s all too easy to get confused about what’s actually being offered. In his session at 16th Cloud Expo, Kevin Hazard, Director of Digital Content for SoftL...
"Plutora provides release and testing environment capabilities to the enterprise," explained Dalibor Siroky, Director and Co-founder of Plutora, in this SYS-CON.tv interview at @DevOpsSummit, held June 9-11, 2015, at the Javits Center in New York City.
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding bu...
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the ...
In their general session at 16th Cloud Expo, Michael Piccininni, Global Account Manager - Cloud SP at EMC Corporation, and Mike Dietze, Regional Director at Windstream Hosted Solutions, reviewed next generation cloud services, including the Windstream-EMC Tier Storage solutions, and discussed how to increase efficiencies, improve service delivery and enhance corporate cloud solution development. Michael Piccininni is Global Account Manager – Cloud SP at EMC Corporation. He has been engaged in t...
SYS-CON Events announced today that kintone has been named “Bronze Sponsor” of SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. kintone promotes cloud-based workgroup productivity, transparency and profitability with a seamless collaboration space, build your own business application (BYOA) platform, and workflow automation system.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading in...
There's a lot of things we do to improve the performance of web and mobile applications. We use caching. We use compression. We offload security (SSL and TLS) to a proxy with greater compute capacity. We apply image optimization and minification to content. We do all that because performance is king. Failure to perform can be, for many businesses, equivalent to an outage with increased abandonment rates and angry customers taking to the Internet to express their extreme displeasure.
The most often asked question post-DevOps introduction is: “How do I get started?” There’s plenty of information on why DevOps is valid and important, but many managers still struggle with simple basics for how to initiate a DevOps program in their business. They struggle with issues related to current organizational inertia, the lack of experience on Continuous Integration/Delivery, understanding where DevOps will affect revenue and budget, etc. In their session at DevOps Summit, JP Morgenthal...
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists peeled away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud envir...
In the last blog we started the conversation on our findings from @Cloud Expo 2015 and @ThingsExpo 2015 as the industry came together to explore the impact of Cloud and Internet of Things (IoT) on business models as we know them. While often the focus of IoT are consumer services and the sometimes over-simplification of what constitutes an IoT company or service, one area there is no disputing is the significant advancement in the Industrial Internet (a term made popular by GE). Ongoing improvem...
Software is eating the world. The more it eats, the bigger the mountain of data and wealth of valuable insights to digest and act on. Forward facing customer-centric IT organizations, leaders and professionals are looking to answer questions like how much revenue was lost today from platinum users not converting because they experienced poor mobile app performance. This requires a single, real-time pane of glass for end-to-end analytics covering business, customer, and IT operational data.