It must be noted that vulnerability assessments and penetration tests for Web applications
performed at this stage are mostly a last-minute check to ensure that the application is not
vulnerable in a production environment. By the time black-box testing such as VA and PT is
carried out, thorough code reviews and other white-box testing procedures must already have been
performed, eliminating the majority of the application's vulnerabilities.
It is worthwhile to have the vulnerability assessment and penetration testing performed both by
an external party and by the organization's internal stakeholders. The benefit of this activity is
that the application is assessed for vulnerabilities both from the external world (the Internet) and
from the internal network (the corporate LAN); because critical information must be protected
against malicious insiders as well as outsiders, vulnerability assessments and penetration tests
performed from both perspectives provide a greater degree of assurance of the Web application's
security implementation. Another tangible benefit of engaging external parties to carry out the
VA and PT is that they provide an objective and comprehensive view of the Web application's
security functionality. In several cases, internal reviews are focused on specific areas of security
and ignore other possibilities. By engaging a third party, vulnerabilities in the other elements of
the Web application may be uncovered, providing a more comprehensive view of the Web
application's security implementation.
11.2.1.5 Configuration Management Testing—During Testing and Deployment
Even when a Web application is developed with sound access control, encryption, logging, and
secure coding practices, deploying it with a nonsecure configuration can leave it open to various
kinds of attacks. Configuration of the Web application includes configuration of its underlying
platform infrastructure: the Web server/application server, the database, the file system, the
operating system, and the network. All of these elements must be configured so that the Web
application remains secure. Nonessential services on these elements should be disabled, and
unnecessary interfaces providing access to the application or its systems should be avoided.
Default user names and passwords, nonsecure services, and processes running with root privileges
are among the vulnerabilities commonly found in Web applications and their underlying elements.
Configuration management testing checks these platform elements for nonsecure configurations
and ensures that they are not vulnerable.
Patch management is also an important consideration for Web application platform elements
such as Web servers, application servers, and databases. Exploits for Web servers, application
servers, databases, and operating systems are regularly written against a vulnerability found in a
particular version of the product. Platform vendors release patches to protect against these exploits
once they understand them, and it is important that organizations apply these patches promptly to
remain secure against the exploits that afflict these platforms.
Configuration management also extends to configuration performed in the Web application
itself. For instance, certain Web applications allow password management features such as
password strength, complexity, password history, and lockout attempts to be set in an administrative
interface of the Web application. It is equally important that such configuration settings are
secure, and it is up to configuration management testers to ensure that the security configuration
settings built into the Web application are enabled or disabled as necessary to achieve optimal
security.
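The checks described above, both for platform hardening (default credentials, nonessential services) and for the password management settings exposed in the application's own administrative interface, as an added Python example that is not from the book; the property names, the properties-style format and the baseline thresholds are assumptions made for illustration.

```python
"""Added example (not from the book): a small configuration-management check that
audits a constructed, properties-style Web application security configuration against
a baseline, the way a configuration management tester would, and reports every setting
that leaves password management, lockout or platform hardening weak.
Property names and baseline values are assumptions, not a vendor's real settings."""

# Constructed sample of the kind of settings an administrative interface exposes.
WEAK_CONFIG = """
password.min_length=6
password.require_complexity=false
password.history_size=0
lockout.max_attempts=0
admin.username=admin
admin.password=admin
server.debug_enabled=true
services.telnet_enabled=true
"""

# Baseline: property -> (check on the raw string value, finding text). Thresholds assumed.
BASELINE = {
    "password.min_length": (lambda v: int(v) >= 8, "minimum password length below 8"),
    "password.require_complexity": (lambda v: v == "true", "password complexity not enforced"),
    "password.history_size": (lambda v: int(v) >= 5, "password history too short to prevent reuse"),
    "lockout.max_attempts": (lambda v: 0 < int(v) <= 10, "account lockout disabled or too lenient"),
    "admin.password": (lambda v: v.lower() not in {"admin", "password", "changeme"},
                       "default administrative password in use"),
    "server.debug_enabled": (lambda v: v == "false", "debug mode enabled in production"),
    "services.telnet_enabled": (lambda v: v == "false", "nonessential cleartext service enabled"),
}

def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_config(text):
    """Return [(property, finding)] for every baseline rule the configuration fails.
    A missing property is a finding too: the tester cannot assume a secure default,
    and a value that does not parse (e.g. a non-numeric limit) fails its rule."""
    props = parse_properties(text)
    findings = []
    for key, (check, description) in BASELINE.items():
        if key not in props:
            findings.append((key, "setting absent; secure value cannot be confirmed"))
            continue
        try:
            passed = check(props[key])
        except ValueError:
            passed = False
        if not passed:
            findings.append((key, description))
    return findings
```

Running `audit_config(WEAK_CONFIG)` reports all seven baseline failures; a configuration that satisfies every rule returns an empty list.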