Security Manager's Journal: Assessing Web-facing apps

When you're in charge of a company's security, you have to actively seek out its weaknesses and then determine how to shore them up. That's what I've been up to lately, as an offshoot of my efforts to harden the DMZ.

Trouble Ticket

At issue: A vulnerability assessment uncovers several potential problems.

Action plan: Recommend fixes and keep an eye on things to make sure they're taken care of.

Globally, we have about 40 servers in our DMZ. I'm fairly confident that they are locked down, patched and protected with anti-malware software. I'm also fairly confident that the DMZ firewalls are properly configured to minimize our exposure. What I am not confident about is the security of the applications residing on those servers. We have too many Internet-facing apps that haven't been properly vetted by me and my team. Part of the problem is that during the past couple of years, our company has made several major acquisitions without conducting security due diligence.

Prodding me to action was the recent rash of hacks, most of them owing their success to poorly architected Web-based applications. Each quarter, I have a budget line for "penetration and vulnerability assessments." Because our physical security program is extremely weak, I've been spending that money on physical penetration testing. But that has become an exercise in paying someone to tell me things I already know. For example, I didn't really need to spend $20,000 for a consultant to tell me that he could create a fake company badge and piggyback behind someone else to gain access to our facilities. So this quarter, I decided to spend the money on a third-party assessment of our Internet-facing applications.

Right off, the consultant found that an e-commerce application would allow a customer to obtain software without paying for it just by modifying a URL. Since the problem is so similar to one I myself warned about in my recent article about enterprise search, it was very embarrassing.
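The flaw described above belongs to a familiar class: the server trusts a value in the URL to decide whether a customer is entitled to a download. The following is an added illustration, not code from the column or from the company's store; the parameter names, order table and file paths are constructed assumptions. It shows a handler that honours the URL alone next to one that derives entitlement from the server-side order record and the authenticated session.

```python
"""
Added example (not from the column): a download handler that trusts URL
parameters, beside one that checks entitlement server-side. All names,
orders and paths below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class Order:
    order_id: str
    customer_id: str
    product: str
    paid: bool


# Constructed order table: one paid order, one that was never paid for.
ORDERS = {
    "A100": Order("A100", "alice", "widget-pro", paid=True),
    "A101": Order("A101", "bob", "widget-pro", paid=False),
}

# Constructed mapping from product to the file the store serves.
DOWNLOADS = {"widget-pro": "/files/widget-pro-1.2.zip"}


def vulnerable_download(url: str) -> Optional[str]:
    """The 'before' state: takes `product` and `paid` straight from the URL.

    Editing the query string is enough to obtain the file, which is the class
    of behaviour the assessment found (the parameter names are an assumption).
    """
    q = parse_qs(urlparse(url).query)
    product = q.get("product", [None])[0]
    if q.get("paid", ["0"])[0] == "1" and product in DOWNLOADS:
        return DOWNLOADS[product]
    return None


def hardened_download(url: str, session_user: str) -> Optional[str]:
    """The fix: the URL carries only an order reference; whether it is paid,
    and whom it belongs to, comes from the server-side record and the
    authenticated session, never from anything the client typed.
    """
    q = parse_qs(urlparse(url).query)
    order_id = q.get("order", [None])[0]
    order = ORDERS.get(order_id)
    if order is None:
        return None                      # unknown order: deny
    if order.customer_id != session_user:
        return None                      # someone else's order: deny
    if not order.paid:
        return None                      # payment not recorded server-side: deny
    return DOWNLOADS.get(order.product)


if __name__ == "__main__":
    # A tampered URL succeeds against the vulnerable handler...
    print(vulnerable_download("/download?product=widget-pro&paid=1"))
    # ...while the hardened handler only honours a paid order owned by the caller.
    print(hardened_download("/download?order=A100", session_user="alice"))
    print(hardened_download("/download?order=A100", session_user="bob"))
    print(hardened_download("/download?order=A101", session_user="bob"))
```

The point for the application groups is the last function: a URL may name an order, but the decision to serve the file rests entirely on state the server controls. Adding an unexpected `paid=1` to the hardened URL changes nothing, because the handler never reads it.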

The assessment also revealed that in another of our Web-based applications, someone could intercept and then manipulate password-reset traffic to change a customer's password. Ouch!

Yet another application runs on top of a popular social collaboration platform, allowing users to share documents. The environment is open, meaning anyone can join and share information or download our product documents. The ugly discovery was that anyone could download a document, make changes to it and then upload it back to the same location with the same name. This could prove disastrous if changes were made to our products' specs. Fortunately, this issue was remedied with a simple configuration change -- but again, it was embarrassing.

Another problem was found in an application that has been capturing customer information without SSL encryption. We've been doing a good job of encrypting the initial log-on page, but the rest of the application wasn't encrypted.
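Encrypting only the log-on page leaves every later request, including the customer data itself, readable on the wire. As an added example (not from the column or the application in question), here is a small WSGI middleware that makes the whole application HTTPS-only: plain-HTTP requests are redirected to their HTTPS equivalent, and secure responses carry a Strict-Transport-Security header so the browser stops issuing plain-HTTP requests. The sample application, host name and proxy header handling are assumptions.

```python
"""
Added example (not from the column): enforce HTTPS for every request of a
WSGI application, not just the log-on page. Host names and the sample app
are constructed; the X-Forwarded-Proto handling assumes a trusted edge proxy.
"""
from typing import Callable, Iterable, List, Tuple
from urllib.parse import quote

StartResponse = Callable[..., None]
WSGIApp = Callable[[dict, StartResponse], Iterable[bytes]]

HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def require_https(app: WSGIApp) -> WSGIApp:
    """Wrap `app` so every request is either HTTPS or redirected to HTTPS."""

    def wrapper(environ: dict, start_response: StartResponse) -> Iterable[bytes]:
        scheme = environ.get("wsgi.url_scheme", "http")
        # Only trust this header if a proxy you control sets it (assumed here).
        if environ.get("HTTP_X_FORWARDED_PROTO") == "https":
            scheme = "https"

        if scheme != "https":
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
            path = quote(environ.get("PATH_INFO", "/"))
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        # Secure request: pass through and add HSTS unless the app set it itself.
        def secure_start_response(status, headers: List[Tuple[str, str]], exc_info=None):
            names = {name.lower() for name, _ in headers}
            if HSTS_HEADER[0].lower() not in names:
                headers = headers + [HSTS_HEADER]
            if exc_info is not None:
                return start_response(status, headers, exc_info)
            return start_response(status, headers)

        return app(environ, secure_start_response)

    return wrapper


def sample_app(environ, start_response):
    """Constructed stand-in for the application that captures customer data."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"customer form"]


def call(app: WSGIApp, scheme: str, path: str, query: str = "") -> Tuple[str, dict, bytes]:
    """Drive a WSGI app with a constructed request; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": "shop.example.com",
               "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secured = require_https(sample_app)

if __name__ == "__main__":
    print(call(secured, "http", "/account", "id=7"))   # redirected to https://
    print(call(secured, "https", "/account"))          # served, with HSTS header
```

Wrapping the application at this layer means a developer cannot forget to encrypt a page: every path is covered, and the redirect preserves the original path and query so bookmarks and links to the old HTTP addresses keep working.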

There was good news as well. Our applications didn't seem to be susceptible to SQL injection, which has been a factor in many recent attacks.

On the other hand, we were susceptible to many variations of cross-site scripting, another popular method of attacking companies.

I'll be presenting the results of this assessment to the various application groups. After that, I'll strip out the good stuff and prepare a remediation tracking spreadsheet that describes each issue (with reference to the appropriate section of the comprehensive assessment report) and lists remediation recommendations, due dates and the person responsible for eliminating the problem. The spreadsheet will make it easy for me to tell at a glance the status of each issue.

And, of course, I'll be briefing our application team to ensure that we don't make the same mistakes as we develop or acquire other applications.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
