As emphasized on the “Understanding Web Security” page, the key to web security is web application security, together with the web security solutions that support it. Building web application security also requires that the administrator thoroughly understand the web application; security is only assured once the solutions are correctly deployed.
Let’s take a closer look at web application security and introduce the web security solutions that are genuinely needed to build it, examining the role and function of each.
Web application security and web security solutions
Application security has to cover everything from the initial development phase through post-deployment maintenance. Many people, however, find it hard to build web application security because they do not understand what each solution does or where it belongs. This becomes much easier to grasp through an analogy: building web application security is like building a house, and each solution has its own place in that house.
[Figure] Web application security solution diagram (a web application consists largely of a “web application server” and a “DB”)
Secure Coding
The development stage corresponds to building the house itself. When you build a house, you must put up strong, secure brickwork on a solid foundation. For an application, this is secure coding: writing the source and programs securely and eliminating code that could be exploited through vulnerabilities.
Secure coding is a way of writing code that takes security into account from the design stage, in order to minimize the vulnerabilities that arise from causes such as a developer’s lack of knowledge or mistakes during development, or the inherent weaknesses of each programming language. In application development, developing securely and systematically matters more than development speed. Introducing a web security solution on top of an insecurely developed application only patches over the problem rather than fixing it.
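As an added illustration of what “eliminating code that can be exploited” means in practice (this is example code written for this page, not code from the original article), the following shows one user lookup written insecurely and then securely. The table layout and the two sample rows are constructed for the demonstration.

```python
"""Added example, not code from the original article: the same user lookup
written insecurely (query text assembled from input) and securely (bound
parameter), run against an in-memory SQLite database constructed here.
Table layout and sample rows are assumptions for the demonstration."""
import sqlite3


def make_db():
    # Constructed sample data: two accounts with already-hashed passwords.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-alice"), ("bob", "hash-bob")])
    return conn


def find_user_insecure(conn, username):
    # Vulnerable on purpose: the input is pasted into the SQL text, so quote
    # characters in it change the meaning of the query.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_secure(conn, username):
    # Fixed: the value is sent as a bound parameter and is never parsed as SQL,
    # so the same input is simply compared against the column.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("insecure:", find_user_insecure(db, probe))   # every user comes back
    print("secure:  ", find_user_secure(db, probe))     # no user matches
```

The secure version is no slower to write than the insecure one; the difference is entirely in whether untrusted input is treated as data or as part of the program, which is exactly the design-stage decision secure coding asks for.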
After the house is finished, you still need to inspect it periodically for cracked bricks or a tilting structure. For an application, that means periodically running a web scanner that checks it from the outside. Web scanners, also called web vulnerability checking tools, are programs that communicate with the web application from outside and analyze it for potential vulnerabilities and design flaws.
There are many web scanners on the market, including a variety that can be used non-commercially. Their performance varies, but the key point is to check the state of your application periodically and consistently; only steady, repeated checks show whether security is actually improving.
Web server malware detection – Web-Based Malware Detection
Next, you need to check whether rain is leaking into the house or whether there are holes where pests can hide. For an application, this is done with a web server malware detection solution.
Like web scanners, web server malware detection solutions also need to be run periodically.
Web Firewall – Web Application Firewall
Once the house is built, we put up hedges or walls to protect it from unwanted access from outside and to make up for internal hazards we have not found yet. In application security, the web application firewall plays the role of that fence.
Web firewalls detect and respond to external intrusions and web attacks that arrive over the web. A web firewall not only prevents the application’s security vulnerabilities from being exposed to the outside world, but also blocks other attacks from outside before they reach the application, and it prevents web server malware from being uploaded to the web server. It can do this because, unlike an ordinary network firewall, it is developed specifically for web applications. In addition, unlike the other solutions, it does not have to be built into or applied on the server itself; it can conveniently be installed in front of it.
The newest web firewalls can block a wide variety of web attacks in real time and can build their rules through a learning mode.
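To make the fence concrete, here is a minimal rule-based web application firewall written for this page (example code, not the original article’s and not any vendor’s product). It sits in front of the application, inspects constructed requests, blocks signature matches and server-side script uploads, and has the learning mode described above: while learning, it records which parameters each path normally receives; once learning is switched off, requests carrying parameters that were never learned are blocked. The signatures, extensions and sample requests are illustrative assumptions.

```python
"""Added example, not code from the original article or any product: a minimal
rule-based web application firewall in the style the text describes. It inspects
constructed HTTP-like requests before they reach the application, blocks values
matching signature rules, refuses uploads of server-side script files, and has a
learning mode that records which parameters each path normally receives so that
unexpected parameters can be blocked once learning is switched off. The
signatures, file extensions and sample requests are illustrative assumptions,
not a production rule set."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class Request:
    method: str
    path: str
    params: dict            # query or form parameters, name -> value
    upload_name: str = ""   # file name of an uploaded file, if any


# Signature rules applied to every URL-decoded parameter value.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s*'?\w*'?\s*=\s*'?\w*'?")),
    ("sqli-comment", re.compile(r"(--|/\*)")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon\w+\s*=")),
    ("path-traversal", re.compile(r"\.\./")),
]
# Uploaded files with these extensions would execute on the web server.
SERVER_SCRIPT_EXT = (".php", ".jsp", ".asp", ".aspx", ".cgi")


@dataclass
class WAF:
    learning: bool = True
    profile: dict = field(default_factory=dict)   # path -> learned parameter names
    audit: list = field(default_factory=list)     # blocked requests, for the operator

    def inspect(self, req):
        """Return (allowed, reason); every block is written to the audit list."""
        for name, value in req.params.items():
            decoded = unquote_plus(str(value))
            for rule, pattern in SIGNATURES:
                if pattern.search(decoded):
                    return self._block(req, f"{rule} in parameter '{name}'")
        if req.upload_name.lower().endswith(SERVER_SCRIPT_EXT):
            return self._block(req, f"server-side script upload '{req.upload_name}'")
        seen = self.profile.setdefault(req.path, set())
        if self.learning:
            seen.update(req.params)     # learn the parameters this path normally takes
        else:
            unknown = set(req.params) - seen
            if unknown:
                return self._block(req, f"unlearned parameters {sorted(unknown)}")
        return True, "allowed"

    def _block(self, req, reason):
        self.audit.append((req.method, req.path, reason))
        return False, reason
```

Two things worth noticing: values are URL-decoded before matching, because a filter that only looks at the raw encoding is easily bypassed, and every block is recorded so the operator can tune the rules, which matters because a learning profile built from too little traffic will block legitimate parameters.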
Finally, it matters how you keep the most important assets in the house, such as cash and bankbooks. For an application, these assets are sensitive data: personal information, card information, account information, and the like. In a typical web application environment, a database (DB) is built to store and manage this data.
To manage data securely, you need to introduce a web security solution for data security. Most commonly, organizations introduce data encryption solutions, which encrypt the data so that attackers cannot read the data they are ultimately after. However, rather than stopping at encryption, you should pay even more attention to access control and audit logs, which determine who may access the data and record when it was accessed. In data encryption, the key that unlocks the encrypted data is everything, so key management must be handled with great care.
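The following added example (written for this page, not code from the original article or any product) puts the three points of the paragraph together: records are encrypted, an access-control decision and an audit entry happen before anything is decrypted, and the keys live in a separate versioned key store so they can be rotated without losing access to older records. The cipher used is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library; in production you would use AES-GCM from a vetted library and keep the keys in an HSM or KMS. Roles, users and record values are constructed.

```python
"""Added example, not code from the original article or any product: a small
data vault showing the three controls the text above calls for together:
encryption of sensitive records, access control checked before anything is
decrypted, and an audit log of every access attempt. Data keys are versioned and
kept in a separate key store so they can be rotated without re-encrypting old
records. Assumptions: the cipher is an HMAC-SHA256 counter-mode keystream with
an encrypt-then-MAC tag, used only so the example runs on the standard library;
in production use AES-GCM from a vetted library and keep keys in an HSM or KMS,
not in process memory. Roles, users and record values are constructed."""
import hashlib
import hmac
import os
import time


def _keystream(key, nonce, length):
    # Counter mode with HMAC-SHA256 as the pseudo-random function.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    # Separate encryption and MAC keys derived from one stored data key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


class KeyStore:
    """Versioned data keys, held apart from the data they protect."""

    def __init__(self):
        self._keys = {}
        self.current = None
        self.rotate()

    def rotate(self):
        kid = f"k{len(self._keys) + 1}"
        self._keys[kid] = os.urandom(32)
        self.current = kid          # new records use the newest key
        return kid

    def get(self, kid):
        return self._keys[kid]      # old keys stay available for old records


def encrypt(store, plaintext):
    kid = store.current
    enc_key, mac_key = _subkeys(store.get(kid))
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, kid.encode() + nonce + ct, hashlib.sha256).digest()
    return {"kid": kid, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt(store, rec):
    enc_key, mac_key = _subkeys(store.get(rec["kid"]))
    expect = hmac.new(mac_key, rec["kid"].encode() + rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, rec["tag"]):
        raise ValueError("record tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(rec["ct"], _keystream(enc_key, rec["nonce"], len(rec["ct"]))))


class DataVault:
    """Encrypted record store with role-based access control and an audit log."""

    POLICY = {"support": {"read"}, "billing": {"read", "write"}, "auditor": set()}

    def __init__(self, store):
        self.store = store
        self.records = {}   # record_id -> encrypted record (what the DB holds)
        self.audit = []     # (timestamp, user, role, action, record_id, outcome)

    def _authorize(self, user, role, action, record_id):
        allowed = action in self.POLICY.get(role, set())
        self.audit.append((time.time(), user, role, action, record_id,
                           "allowed" if allowed else "denied"))
        return allowed

    def write(self, user, role, record_id, value):
        if not self._authorize(user, role, "write", record_id):
            raise PermissionError(f"{user} ({role}) may not write {record_id}")
        self.records[record_id] = encrypt(self.store, value.encode())

    def read(self, user, role, record_id):
        # The access decision and the audit entry happen before decryption.
        if not self._authorize(user, role, "read", record_id):
            raise PermissionError(f"{user} ({role}) may not read {record_id}")
        return decrypt(self.store, self.records[record_id]).decode()
```

Note that the database side (`records`) only ever holds the key identifier, nonce, ciphertext and tag; someone who copies the DB without also reaching the key store gets nothing usable, and someone who reaches the application still has to pass the role check, which leaves a denied entry in the audit log.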
Completion of web security
The web security solutions described above can be arranged by layer, as in the following picture.
[Figure] Web security 3-tier architecture and layer-by-layer security solutions
It is imperative to understand the characteristics of each security layer and to introduce each web security solution in the right place. In addition, although application security is the most important part of web security, it should not be overlooked that the web (network) and system layers must also be secured as its foundation.
“An organization’s overall security is only as strong as its weakest link,”
as the saying goes.
The weakest of the many security factors determines the security level of the entire company. In other words, paying balanced attention to every security layer and introducing the appropriate solution for each layer’s security problems is the best way to raise the level of security.
The market for web security solutions is growing every year. According to a report released by Frost & Sullivan in 2012, the Asia-Pacific content security management market will reach $1.757 billion (approx. KRW 1.7 trillion) by 2017, with annual market growth of around 17.9%. Compared with the typical IT industry growth rate of 7 to 9%, this is a tremendous growth rate.
As the market grows and ever more web security solutions appear, now and in the future, secure web security will be achieved by judging each solution’s functions wisely and deploying it in the correct place.
Popularization and Severity of Web Threats
The web, which we commonly know as the Internet, could in the past only be used where a PC was available, but since the development of mobile devices, including smartphones, the web has become available to everyone, anywhere. Beyond Internet browsers such as Internet Explorer, Chrome, and Safari, smartphone apps such as KakaoTalk and other mobile apps such as messengers and mobile games all run on the web. Even though they look different, mobile apps all communicate over the same web as the existing Internet. As mobile devices using the web became popular, services such as financial transactions and civil-complaint handling became possible. The web now plays a very important role in our daily lives.
However, as the web became popular, cyber attacks targeting corporate information and assets increased as well. Because the web is a pathway to an enterprise’s important assets, the moment the web is attacked it can lead to serious secondary damage such as leakage of personal information, financial loss, and destruction of internal systems. Nonetheless, most companies worry about the security of the corporate office, a physical space, while neglecting the security of the web, a cyberspace.
Web Threat Example
Looking first at past events, there is the Auction hacking case of February 2008, in which more than 10 million personal information records were leaked, and the Nate (SK Comms) hacking case, in which personal information was also leaked. In the Auction case, the attackers hacked the web server through the web and then accessed the DB server to leak the personal information. In the Nate case, it was found that personal information was leaked through attempts to access the DB server from an infected internal PC.
Next, there is the 3.20 hacking case, which recently became a major issue as an attack on financial and media companies.
In this case, it is presumed that both web server hacking and internal PC hacking were used as the initial intrusion method. The web server hacking, which exploited a website bulletin-board vulnerability, secured first- and second-stage C&C (Command and Control) servers, and it was confirmed that internal PCs of the target company were infected with malicious code. Next, internal information was collected through the C&C servers from the internal PCs infected with the malicious code, and finally the update management server was infected to distribute the malicious code and destroy the enterprise’s internal systems.
As the examples of web security threats above show, the cyber attacks that have recently become an issue were all carried out via the web. The point is that every one of these cases could have been prevented by introducing appropriate web security solutions.
In other words, building a secure web security system, with an adequate understanding of web security and proper deployment of web security tools, is an important responsibility in this era of web popularity, one to be met before web threats cause serious damage.
(Auction hacking case source: Electronic News, “Large personal information leakage accident”)
(Nate hacking case source: ZDNET, “Nate hacking, almost all netizen information”)
(3.20 hacking case source: NSHC, “3.20 Cyber terrorism incident report”)
Understanding Web Servers
[Figure 1] Client-server architecture
We typically use the web via a desktop PC, laptop, or mobile device.
In IT terms, the devices used to access the web are [Clients], and the system that stores web content such as a website or mobile app screens and serves that content when a client connects is the [Server]. (In an IT system not every server is a web server, but since we are discussing web security here, let’s take a web server as the example.)
The connecting network between the client and the web server is the [Web].
From a security standpoint, client security generally concerns the security of individual systems, while server security concerns the security of enterprise systems. We will look at server security, which is at the heart of web security in the enterprise.
To understand server security, let’s first look at the server system.
Because the server system in an enterprise basically follows the structure of an IT system, knowing the structure of an IT system lets you understand the structure of the server system.
As you can see in the picture above, an IT system consists of three layers: network, system, and application. These three tiers interact with each other to form the IT system.
The network layer handles communication, that is, the transmission and reception of data. The system layer is the platform on which various applications run, a role played by an operating system (O/S) such as Windows or Linux. The application layer provides the protocols (rules and agreements on how computers communicate when sending and receiving information) and the application services that run on top of the system layer.
In the end, secure server security means that security at all three layers of this IT system – network security, system security, and application security – is securely deployed.
Let’s take a look at how security for each layer of the IT system related to Web security is actually built.
For network security, you need to control access from unauthorized IPs and ports, and also to check whether the traffic (the amount of data flowing over the transmission line in a given time) actually comes from the allowed IPs and ports. For network security, most enterprises build firewalls and intrusion detection/prevention systems (IDS/IPS).
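As an added example of the access control a network firewall performs (example code written for this page, not from the original article or any product), the following evaluates an ordered, default-deny rule set over constructed connection records. The subnets, ports and flows are illustrative assumptions.

```python
"""Added example, not code from the original article or any product: an ordered,
default-deny packet filter of the kind a network firewall applies, evaluated
over constructed connection records. The rule set, subnets and flows are
illustrative assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # CIDR block of sources the rule applies to
    dst_port: Optional[int]  # None matches any destination port
    proto: str = "tcp"


# Ordered rule set: the first matching rule wins; anything unmatched is denied.
RULES = [
    Rule("deny", "10.0.0.0/8", 22),         # user LAN must not reach SSH on servers
    Rule("allow", "10.0.0.0/8", 443),       # user LAN may reach the web tier
    Rule("allow", "192.168.50.0/24", 22),   # only the admin jump subnet may use SSH
    Rule("allow", "0.0.0.0/0", 443),        # Internet clients reach HTTPS
    Rule("allow", "0.0.0.0/0", 80),         # and plain HTTP (for redirects)
]


def decide(src_ip, dst_port, proto="tcp", rules=RULES):
    """Return (action, matched_rule) for one connection attempt."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if (rule.proto == proto
                and ip in ipaddress.ip_network(rule.src)
                and rule.dst_port in (None, dst_port)):
            return rule.action, rule
    return "deny", None   # default deny: no rule matched


def review_flows(flows, rules=RULES):
    """Evaluate (src_ip, dst_port, proto) records and return those that are
    denied, which is what an administrator reviews for misconfiguration or
    unauthorized access attempts."""
    return [flow for flow in flows if decide(*flow, rules=rules)[0] == "deny"]


# Constructed connection records: (source IP, destination port, protocol)
SAMPLE_FLOWS = [
    ("10.1.2.3", 443, "tcp"),        # allowed by the second rule
    ("10.1.2.3", 22, "tcp"),         # denied by the first rule
    ("192.168.50.7", 22, "tcp"),     # allowed by the third rule
    ("203.0.113.9", 443, "tcp"),     # allowed by the fourth rule
    ("203.0.113.9", 3306, "tcp"),    # default deny: database port is not exposed
    ("203.0.113.9", 443, "udp"),     # default deny: protocol is not listed
]
```

The order of the rules is part of the policy: the deny for SSH from the user LAN must come before any broader allow, and the database port never needs an explicit deny because the default already covers it. Reviewing the denied flows regularly is how the “check whether the traffic comes from the allowed IPs and ports” part of the paragraph is actually carried out.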
System security mostly concerns the O/S. The manufacturers responsible for developing and delivering O/S such as Windows, Linux, and Unix prepare against known threats through periodic security updates and patches to their systems. Corporate security officers should keep their systems secure at all times, not only by applying these security updates and patches but also through periodic checks for system malware. To ensure system security, companies often build antivirus solutions.
Accordingly, most companies understand network and system security and are working to build it. The situation for application security is different: because the application layer is more sophisticated than the network or system layer, and because applications are so varied, most security administrators face many challenges in applying security to it.
Ironically, application security is of the utmost importance to web security.
Most of the websites and mobile apps we commonly use are made up of applications, and the web attacks that target them are mostly application attacks exploiting application vulnerabilities. It is no exaggeration to say that more than 90% of all current web attacks are attacks on web applications.