This content is part of the Essential Guide: How to craft an application security strategy that's airtight

How to resolve a Web application security vulnerability

Web application security vulnerabilities can exist from browser to SSL/TLS. Expert Brad Causey explains how application security testing and Web application firewalls can address this.

As Web-based application deployments have grown exponentially during the past decade, so have security concerns...

with all points involved in the delivery of those applications. In this tip, we will discuss the roles of application security testing and Web Application Firewalls (WAFs). Find out why each is important, and how they can combine and complement each other, to mitigate a Web application security vulnerability and strengthen your overall application security posture.

From the Web browser to the SSL/TLS protocols to the Web application itself, the industry has been fighting to secure the mechanisms through which the application layer can be exploited. Enterprises won't be able to prevent every zero-day or creative exploit, nor should they try. Instead, focus should be on what can be done by application owners and developers to secure their applications from attackers and protect their users from undue risk.

Web application security testing

There are a couple of places to start, but two stand out. The first, application security testing, is certainly the most effective way to detect, fix and resolve a Web application security vulnerability.  

As part of a secure software development lifecycle (SDLC), Web application testing can detect security issues early in the cycle or later in acceptance testing, depending on the method used. Static code analysis produces a lot of false positives, but provides the most comprehensive view -- earlier than other types of testing. Dynamic testing results in more concrete findings, but can be time consuming, and its findings are not always comprehensive. Ideally, a combination of both static code analysis and dynamic testing, discussed further below, balance their advantages and will significantly augment the security posture of your applications.

The trouble, though, is that in-depth application testing isn't always possible, due to time constraints, license agreements or code availability, among various other reasons. Because of this, WAFs offer another viable option for preventing Web application security vulnerabilities.

Web app firewalls

WAFs can be integrated or stood up in front of your application to quickly reduce your application's exposure to attack, although this option isn't without compromise.

WAFs work by standing between the user and the application, and that will cause performance issues and also require time and expertise to deploy. Bear in mind that a WAF is also not a silver bullet. Most WAFs will do a stellar job in catching obvious attacks, such as SQL injection or cross-site scripting. Issues such as business-logic bypasses or functional issues will have to be addressed through code or custom rules in your WAF -- don't forget this important step, as these issues can be just as harmful to application security as a traditional security "bug" may be.

The great thing, though, about WAFs is that they are relatively quick to install and can work to shore up your application's security, even if you don't have the ability, time or permission to perform static or dynamic analysis.

The security one-two punch

A third, even better, option is a combination of software security best practices during the design and development of the applications, as well as application security controls after the Web app is implemented. Why not have both?

Integrate security into application design, coding and testing phases; many organizations have created blueprints for establishing a comprehensive, effective SDLC. Inevitably, a Web application security vulnerability will be discovered after they are in production environments, some of which will be easier to patch than others. That's where the WAF comes into play, buying your organization some time to sort out any security issues that are discovered after the development phase by preventing exploitation until they can be permanently resolved.

These two methods of minimizing application risk actually go quite well together. In many cases, companies will roll out the security patch or fix in the next release, while defining specific rules within the WAF to address those issues. This is especially useful for security issues that require major effort to resolve.

Next Steps

Read about the state of Web application security

Learn how to carry out effective penetration testing for Web application security

What application security tools did our readers pick as the best?

This was last published in May 2016

Dig Deeper on Application firewall security