The first two steps in detecting and preventing web application security threats are intrusion prevention and penetration testing. They are both broad terms describing application security practices used to mitigate attacks and block new threats.
With web assets constantly under threat from malicious malware and various threat agents, web application security is an important area for the business.
An intrusion detection system (IDS) is either a hardware device or software application that uses known intrusion signatures to detect and analyze inbound and outbound network traffic for unusual patterns and activities.
It’s a responsive measure that identifies and mitigates ongoing attacks. An IDS is designed to weed out existing malware such as Trojans, backdoors and rootkits, and detect social engineering (e.g. man in the middle and phishing) assaults that trick users into revealing sensitive information.
Intrusion prevention applications look for any type of abnormal activity like security policy violations, viruses or configuration errors. This is accomplished through:
- System file comparisons against malware signatures
- Scanning processes that detect signs of harmful patterns
- Monitoring user behavior to detect malicious intent
- Monitoring system settings and configurations
An IDS has many benefits, but it does have some drawbacks. Because it uses previously known intrusion signatures to locate attacks, zero-day threats can remain undetected. In addition, an IDS can only detect ongoing attacks, not incoming assaults.
To successfully block these vulnerabilities, a complementary intrusion prevention system (IPS) is needed. It proactively inspects incoming traffic to filter out malicious requests. Typically, an IPS uses web application firewalls and traffic filtering solutions to secure applications.
As the name implies, an intrusion prevention system alerts security personnel to potential threats. It usually piggybacks on a preexisting database for signature recognition and can be programmed to recognize attacks based on traffic and behavioral anomalies.
An IPS is effective at blocking known attack vectors, but like an IDS it comes with some limitations. These limitations are commonly caused by an overreliance on predefined rules. This makes them susceptible to false positives.
A penetration test or pen test is a proactive security measure that uses the previously discussed intrusion prevention system to preemptively block application attacks. This includes remote file inclusions that facilitate malware injections and SQL injections used to access an enterprise’s databases.
Insights gleaned from the pen test can be used to fine tune web application firewall security policies and patch detected vulnerabilities. It’s an important part of proactive web application security measures.
Penetration testing is a five-stage process.
- Planning and reconnaissance. The first step defines the scope of the test, including the systems to be addressed and the testing methods to be used. It also gathers intelligence to better understand how a target works and its potential vulnerabilities.
- Scanning. The next step is to understand how the target application will respond to a variety of intrusion attempts. Static analysis helps to estimate an application’s code while in operation. And dynamic analysis inspects the apps code in a running state.
- Gaining access. The third step uses web application attacks to uncover a target’s vulnerabilities. Testers subsequently try to exploit these vulnerabilities to understand the damage they can cause.
- Maintaining access. Next, the goal is to see if the vulnerability can be used to achieve a persistent presence in the exploited system. The goal is to imitate advanced persistent threats that often linger in a system for months.
- Analysis. The fifth and final step compiles the data into a report detailing vulnerabilities that were exploited, sensitive data that was accessed, and the amount of time the pen tester was able to remain in the system undetected. The intel is analyzed by security personnel to help configure a WAF security solution.
This five-step testing process is a common model for pen testers chosen primarily for the proven methods involved.
External testing, for example, targets the assets of a company that are visible on the internet. Conversely, internal testing simulates an attack by a malicious insider.
Other methods include: Blind testing which gives security teams a real-time look into how an actual application assault takes place, and double-blind testing which launches an unexpected attack on the site.
The final penetration testing method is known as targeted testing. In this scenario, both the tester and security personnel work together to keep each other appraised of the situation. It’s a valuable training exercise that gives security teams real-time feedback from a hacker’s perspective.
And finally, for many kinds of pen testing, the tester is likely to use data from their web application firewall (WAF) to locate and exploit an application’s weak spots. This in turn helps WAF administrators benefit from pen testing data. As mentioned earlier, web application firewall configurations can be updated to secure against the weak spots discovered in any test.