Is your web environment secure? All of it?
By David Maman, CTO of
Many people believe that if they’ve installed a network firewall, they’ve done their duty. They think that a firewall is like a strong barrier or moat protecting their information assets and that no more is needed. Wrong!
Just as in times of old, tunnels can be dug under the moat, ladders can be used to scale the wall, and secret passageways can be found into the castle.
Here are a few facts for you:
1. Identity theft affects more than 11.4 million Americans annually, according to a report from Javelin Strategy &
2. Many of the largest companies worldwide have been exposed to SQL injection attacks, such as Sony, Citibank,
3. Internet commerce is more secure than the average mall store.
4. Chances are that your home computers have already been compromised by some sort of malware, says Dasient.
A web environment has four layers that need protection: the network level, the application level, the operating system level and the database level. Most people think of these layers as being one within the other, like concentric circles. They reason that if they protect the outermost level, the inner levels are automatically
However, hackers can attack a Web environment at each level independently, and security issues at each level need to be addressed. At the network level, a simple network level firewall does protect the infrastructure (access to which IP addresses, using which ports, and sometimes using which protocols) but provides very limited protection, if any, to stop attacks at the application and database
You may have heard of bank websites having their links or text or pictures changed. Website defacement and other application level attacks take place because someone, at some point in time, wrote sloppy software with security holes. Hackers specialize in using exploits, XSS attacks, SQL injection, and other techniques to attack these vulnerabilities at the code level.
One approach to prevent vulnerabilities is to have a professional code review of the software in use in the Web environment to identify and address coding security issues. Many times, legacy applications are being used, so it’s almost impossible to change anything. Of course, reviews are only as good as the reviewers, and no one should ever review their own code. It’s much too easy to overlook one’s own mistakes.
An additional and important approach is to update all the applications in use and to harden your web and database servers. For example, one Oracle update release included 78 (!!) security updates.
Another option is to use a signature-based approach to spot and then quarantine this kind of attack. Each application level attack has a “signature” or typical way of operating that identifies it. A comparison of web application firewalls (WAF) shows that some are more effective than others, but none is perfect.
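To make the code-level and signature-level points above concrete, here is an added example (not from the article or from GreenSQL): a lookup written the "sloppy" way next to the same lookup with a bound parameter, plus one illustrative WAF-style signature as a separate layer. The table, the rows and the probe string are all constructed for the demo, and the single regex stands in for what a real rule set does at much larger scale.

```python
import re
import sqlite3

# Constructed sample data for the demo; not a real user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Constructed probe: the textbook injection string, used only to show how
# the two query styles below treat the same input.
PROBE = "alice' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn, username):
    """Sloppy code: the input is spliced into the statement text, so a quote
    in the input rewrites the WHERE clause and the probe returns every row."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    """Hardened code: a bound parameter is always data, never SQL, so the
    same probe simply matches no row."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# One illustrative signature: a quote followed by a boolean operator. A WAF
# layer like this is independent of the query code, not a replacement for it.
_SIGNATURE = re.compile(r"'\s*(or|and)\b", re.IGNORECASE)


def looks_like_injection(value):
    """Return True when the input matches the illustrative signature."""
    return _SIGNATURE.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_email_vulnerable(db, PROBE))  # all three emails
    print("safe:      ", lookup_email_safe(db, PROBE))        # []
    print("flagged:   ", looks_like_injection(PROBE))          # True
```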
The database level, the fourth essential layer in a web environment, needs protection from attacks directed at the database. In the end, most of today’s common attacks are aimed at retrieving sensitive information from the database via website attacks exploiting database vulnerabilities. This makes the fourth layer the most crucial one.
So, for security, check all four: network, application, operating system and database. To make sure your information assets are protected, your best bet is to use an integrated database security solution that is non-disruptive to existing software and databases, is easy to install and use, and provides extensive management reporting and audit trails, all without degrading responsiveness to users.
You can find effective security protection at a reasonable price. Just make sure you do your homework. You need network, application, operating system and database
Maman is CTO & Founder of GreenSQL, which offers a unified database security solution (www.greensql.com).