Up at 5AM: The 5AM Solutions Blog

Implementing Web Application Security - Some Case Notes

Posted on Thu, Oct 20, 2011 @ 06:00 AM

National Cyber Security Awareness MonthOctober 2011 marks the eighth annual National Cyber Security Awareness Month sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Though the month is geared mostly toward informing and empowering individual consumers, as software developers, here at 5AM we take our responsibility to ensure that the applications we create are as impervious as possible to web-based security threats while balancing the need for them to be useful, usable, and used. Among our many clients, 5AM currently develops software products for the National Cancer Institute (NCI)-- including caArray, caIntegrator, CTRP, and FIREBIRD. Each of these products include a web interface component where cyber security is absolutely imperative.

One way we ensure secure operation is by leveraging a tool called the IBM Rational AppScan. AppScan probes an application for vulnerabilities by mounting attacks against it--attacks such as those listed on the Web Application Security Consortium site. A scan is performed prior to the latest release and can be performed at unscheduled times at the request of the product team. Using AppScan, some of the previous threats detected and subsequently fixed include SQL Injection, Session Fixation, and Cross Site Scripting. More recently, some of our development teams have focused on implementing a fix for Cross Site Request Forgery or CSRF.


There are a number of measures that can be taken to prevent CSRF. Some of these, such as setting a reasonable timeout for login sessions, mitigate the threat but do not eliminate it. Others, such as checking the "Referer" header value in the HTTP request, cannot be relied upon in certain situations. There seems to be a consensus that the best solution relies on non-cookie based request tokens. For examples, check out https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet and http://www.cgisecurity.com/csrf-faq.html#referer.

For those of you using Struts 2 as your server-side web application framework (as we often do), Struts 2 provides a way to:
1. Easily generate unique tokens by using the "token" tag.
2. Provide a way to easily verify that a token is valid, through the use of the Token Session Interceptor.
A good article that explains how to use the above techniques to prevent CSRF can be found here: http://nickcoblentz.blogspot.com/2008/11/csrf-prevention-in-struts-2.html.

What techniques or applications have you used to help ensure maximum security in your development projects? What is the greatest challenge you have faced in doing so? We would love to hear your thoughts, so feel free to use the comment section below.

-Andrew Sy, 5AM Solutions

Tags: web-based security, cross site request forgery, appscan, national cyber security awareness month, cyber security

GET OUR BLOG IN YOUR INBOX

Diagnostic Tests on the Map of Biomedicine

MoBsmCover

Download the ebook based on our popular blog series. This free, 50+ page edition features updated, expanded posts and redesigned, easier-to-read maps. 

FREE Biobanking Ebook

Biobanking Free Ebook
Get this 29 page PDF document on how data science can be used to advance biorepositories.

 Free NGS Whitepaper

NGS White Paper for Molecular Diagnostics

Learn about the applications, opportunities and challenges in this updated free white paper. 

Recent Posts