Once these security criteria have been defined, you still need to put technical rules in place to enforce them in your applications. Today I want to come back to the essential questions to ask when protecting a web application.
Why is it so important to secure a web application?
Servers and networks are increasingly well protected. As a result, attacks have shifted to a more exposed link: the web application itself. You encounter web applications all the time: when you log on to your bank’s website to check your balance, or when you make a purchase online. In both cases, and in many others, the application you access holds confidential data, and it therefore deserves the highest level of protection.
What architecture for a web application?
Applications are usually hosted in a three-tier model (the 3-tier architecture).
- The presentation layer: the user interface, the only component the browser talks to
- The “business/application” layer: called by the presentation layer, it processes the requests and applies the business rules
- The data layer: where the information is stored, accessed only by the application layer
Controlling the network flows within this 3-tier architecture is essential: every request should pass through the tiers in that order and nothing else.
Install a network firewall and use DMZs
Setting up a network firewall is essential for partitioning the tiers into separate demilitarized zones (DMZs). It is equally important to control which flows are opened on those firewalls. For example, it is never acceptable to open a flow from the Internet to the “data” tier: that contradicts the 3-tier model, because the “presentation” and “application” tiers, which are supposed to validate the request, are bypassed. The same goes for a flow from the presentation tier straight to the data tier, and for connections initiated by the data tier toward the outer tiers: review every rule against the model before opening it.
It is also important to encrypt the flows between tiers with protocols such as HTTPS (TLS). This prevents man-in-the-middle attacks within the model, with one caveat: TLS only defeats an interception if the client verifies the server certificate, so the services in each tier must validate the certificates they are presented, not just the end user’s browser. It is also very important to educate users to check the website certificate, which prevents them from unknowingly entering their credentials on a fraudulent site impersonating yours.
Limiting risky protocols
Some protocols that are heavily used in Microsoft environments are vectors of malware propagation. NetBIOS (and the SMB file-sharing traffic that rides on it) is one example and should be avoided inside an infrastructure. If such flows must nevertheless be opened, keep tight control over every element involved and prepare an action plan for the case of a worm outbreak (for example, the ability to cut this type of flow quickly from a dedicated administration workstation). Deploying an IPS is also a useful way to counter attacks carried over these protocols.
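The rule review described in the DMZ paragraph and the quick kill switch for risky protocols mentioned just above can be expressed as a small policy check. The following is an added example, not code from the original post: the tier names, the port numbers, the documented SMB exception and the proposed rule set are all assumptions made for the demonstration, and a real deployment would read its rules from the firewalls between the DMZs.

```python
"""Tier-separation check for the 3-tier model described above.

Added example, not code from the original post. The tier names, the port
numbers, the SMB exception and the sample rule set are assumptions made for
the demonstration; a real deployment reads its rules from the firewalls
between the DMZs.
"""

# Zones in the order a legitimate request traverses them, outermost first.
TIERS = ["internet", "presentation", "application", "data"]

# Flows the model permits: each tier talks only to its inner neighbour, and
# only on the port that neighbour is expected to serve (assumed values).
ALLOWED = {
    ("internet", "presentation"): {443},      # HTTPS from the outside
    ("presentation", "application"): {8443},  # TLS to the application tier
    ("application", "data"): {5432},          # database port, assumed
}

# NetBIOS/SMB ports: treated as propagation vectors and closed by default.
RISKY_PORTS = {137, 138, 139, 445}

# A documented SMB flow that had to be opened anyway (assumed). It only works
# while the kill switch is off, so it can be cut quickly during an incident.
RISKY_EXCEPTIONS = {("application", "data", 445)}


def flow_allowed(src, dst, port, risky_blocked=True):
    """Return True if the 3-tier policy lets src open a connection to dst:port.

    risky_blocked=True is the normal state; setting it to False represents the
    deliberate, documented opening of an SMB flow between two tiers.
    """
    if src not in TIERS or dst not in TIERS:
        raise ValueError(f"unknown tier: {src!r} -> {dst!r}")
    if port in RISKY_PORTS:
        return (not risky_blocked) and (src, dst, port) in RISKY_EXCEPTIONS
    return port in ALLOWED.get((src, dst), set())


def audit_rules(rules):
    """Explain why each rule that the policy rejects is dangerous.

    rules is an iterable of (src, dst, port). Returns a list of
    ((src, dst, port), reason) for every rule that must not be opened.
    """
    findings = []
    for src, dst, port in rules:
        if flow_allowed(src, dst, port):
            continue
        hops = TIERS.index(dst) - TIERS.index(src)
        if port in RISKY_PORTS:
            reason = "NetBIOS/SMB between tiers: propagation vector"
        elif hops > 1:
            skipped = TIERS[TIERS.index(src) + 1:TIERS.index(dst)]
            reason = "bypasses " + ", ".join(skipped)
        elif hops <= 0:
            reason = "reverse flow: inner tier initiates toward outer tier"
        else:
            reason = f"port {port} not expected between {src} and {dst}"
        findings.append(((src, dst, port), reason))
    return findings


# Constructed sample rule set: three legitimate rules, four that break the model.
PROPOSED_RULES = [
    ("internet", "presentation", 443),
    ("presentation", "application", 8443),
    ("application", "data", 5432),
    ("internet", "data", 5432),        # skips presentation and application
    ("presentation", "data", 5432),    # skips application
    ("application", "data", 445),      # SMB between tiers
    ("data", "application", 8443),     # data tier should never initiate
]

if __name__ == "__main__":
    for rule, reason in audit_rules(PROPOSED_RULES):
        print(f"REFUSE {rule}: {reason}")
```

Running the script lists the four rules that must be refused, each with the tier it bypasses or the reason it is dangerous. Flipping `risky_blocked` to `False` is the documented exception path; flipping it back is the kill switch, and because it is a single flag it can be actioned from the administration workstation in seconds rather than by hunting through rule sets.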
How to secure the web application at the architectural level?
The traditional firewall does not inspect the content of the flows entering your architecture; it only allows or blocks them based on source, destination and port. If the source is legitimate but the content of the flow is malicious, the risk is real and the network firewall cannot see it.
Install an application firewall (WAF)
This equipment is deployed in front of the presentation layer to filter application-level attacks such as SQL injection or cross-site scripting (XSS).
The application firewall is typically tuned against the classes of vulnerability catalogued by the Open Web Application Security Project (OWASP), an organization that publishes the ten most critical web application security risks (the OWASP Top 10). Keep in mind that a WAF mitigates these flaws; it does not fix them, and the application code still needs to be corrected.
How does an application firewall (WAF) work?
The application firewall is placed in front of the presentation layer. All HTTP and HTTPS application traffic goes through it before reaching the presentation layer of the application, which means the WAF must terminate TLS (or hold the server’s private key) in order to inspect the HTTPS traffic.
Filtering is done in one of two ways: by whitelist or by blacklist.
- The whitelist: the safest but the hardest to set up
Its purpose is to allow only traffic known to be legitimate and to block everything else (just like a network firewall). This is difficult for applications whose inputs are highly variable. Moreover, it is almost impossible to enumerate all the legitimate traffic in advance, which produces false positives: a poorly built whitelist, or one that is not updated when the application changes, blocks legitimate users and disrupts the operation of the application.
- The blacklist: the simplest but the most fragile
When the whitelist is too complex to determine, opt for the blacklist.
Its operation is the reverse: it blocks all the bad traffic that has been identified and allows the rest. Since only known patterns are blocked, an attacker who encodes or obfuscates a payload differently from the signatures gets through. Application firewalls now offer complementary features, such as web reputation, to back up this mechanism and make it more effective.
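The two models behave very differently on the same requests, as the following added example shows; it is not code from the original post. The endpoint /account/statement, its parameter schema, the blacklist signatures and the sample requests are all assumptions constructed for the demonstration.

```python
"""Whitelist (positive model) versus blacklist (negative model) filtering
for one endpoint, as a WAF would apply it.

Added example, not code from the original post. The endpoint
/account/statement, its parameter schema, the blacklist signatures and the
sample requests are all assumptions constructed for the demonstration.
"""
import re

# Blacklist: signatures of known-bad input. Easy to deploy, and incomplete by
# construction: anything that matches no signature goes through.
BLACKLIST = [
    re.compile(r"<script\b", re.IGNORECASE),                 # classic XSS
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),        # SQLi UNION
    re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),  # ' OR '1'='1
]

# Whitelist for GET /account/statement: exactly these parameters, each
# matching the shape the application expects (assumed schema).
WHITELIST = {
    "account": re.compile(r"[0-9]{10}"),
    "month": re.compile(r"0[1-9]|1[0-2]"),
    "format": re.compile(r"pdf|csv"),
}


def blacklist_allows(params):
    """Allow unless some value matches a known-bad signature."""
    return not any(sig.search(value) for value in params.values()
                   for sig in BLACKLIST)


def whitelist_allows(params):
    """Allow only if the parameter set and every value match the schema."""
    if set(params) != set(WHITELIST):
        return False   # missing or unexpected parameter
    return all(WHITELIST[name].fullmatch(value) is not None
               for name, value in params.items())


def evaluate(requests):
    """Run both models over {name: params}; return {name: (blacklist, whitelist)}."""
    return {name: (blacklist_allows(p), whitelist_allows(p))
            for name, p in requests.items()}


# Constructed sample requests to the endpoint.
SAMPLE_REQUESTS = {
    "legitimate": {"account": "0123456789", "month": "03", "format": "pdf"},
    # Obvious injection: both models block it.
    "naive_sqli": {"account": "0123456789' OR '1'='1",
                   "month": "03", "format": "pdf"},
    # Comment obfuscation defeats the UNION signature; the whitelist still blocks.
    "obfuscated_sqli": {"account": "0' UNION/**/SELECT card_no FROM cards--",
                        "month": "03", "format": "pdf"},
    # XSS without the literal <script> tag: no signature matches.
    "svg_xss": {"account": "0123456789", "month": "<svg onload=alert(1)>",
                "format": "pdf"},
    # Harmless extra parameter the schema never anticipated.
    "extra_param": {"account": "0123456789", "month": "03", "format": "pdf",
                    "debug": "1"},
    # The application gained an xlsx export but the whitelist was not updated:
    # a legitimate request is refused (false positive).
    "new_format": {"account": "0123456789", "month": "03", "format": "xlsx"},
}

if __name__ == "__main__":
    for name, (bl, wl) in evaluate(SAMPLE_REQUESTS).items():
        print(f"{name:16} blacklist={'allow' if bl else 'block':5} "
              f"whitelist={'allow' if wl else 'block'}")
```

The output makes both halves of the trade-off visible: the blacklist lets the obfuscated injection and the `<svg>` payload through because neither matches a signature, while the whitelist blocks them without knowing anything about attacks. The price is the last case, where a legitimate new export format is refused until someone updates the schema, which is exactly the operational burden that makes the whitelist harder to run.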
Last question: Is it necessary to encrypt the application data?
I would say it all depends on what you want to protect yourself from. Encrypting stored data, in my view, mainly guards against physical theft: a disk, a decommissioned server or a backup tape leaving the building. It does nothing against a malicious administrator, who has the access and therefore the means to decrypt the data.
An attacker who compromises the application will likewise reach the data and the decryption keys, because the application must decrypt the data in order to use it. Moreover, the cost of the encryption and of the organisation needed to manage the keys is not always justified. Where it is worth doing, keep the keys out of the database itself (in a key management service or an HSM, for instance), so that a leaked database dump or backup on its own is not enough to read the data.
On mobile equipment (laptops, phones, removable media), on the other hand, the case for encryption is quite different, since physical loss is the main risk.
In conclusion, web applications are a gateway into your information systems. Putting these good practices in place covers most of the common risks.