Web Application Security

Learn the fundamentals of web application security, including common vulnerabilities.


What is Web Application Security?

Web application security is the practice of protecting websites, web applications, and web services against malicious cyberattacks such as SQL injection, cross-site scripting, or other forms of potential threats.

Scanning your web applications for vulnerabilities is a security measure that is not optional in today's threat landscape. But before you can effectively scan web applications, it's essential to understand what a web application is and why it's so important to have a web application security program in your company.

You can think of web applications as open doors to your home or business. They include any software application where the user interface or activity occurs online. This can include email, a retail site, or an entertainment streaming service, among countless others.

With web applications, a user must be able to interact with the host's network to serve up the content they are after. If a web application has not been hardened, it's possible to manipulate the application into going back into the host database it sits on and sending whatever data you or an attacker requests, even sensitive information.

Why is Web Application Security Important?

Web applications need to freely allow traffic through a variety of ports and usually require authentication; this means they also require a complex web application vulnerability scanner. Since websites must allow traffic to come in and out of the network, hackers frequently attack the most commonly used ports. These include:

  • Port 80 (HTTP): used for insecure website traffic
  • Port 443 (HTTPS): used for secure website traffic
  • Port 21 (FTP): the File Transfer Protocol, for transferring files to and from your servers
  • Port 25 (SMTP), for the Simple Mail Transfer Protocol, and port 110 (POP3), the default unencrypted port: email protocols often used by organizations to send and receive email.

Given the breadth of available ports, it's no wonder that hackers have abundant opportunities to break into networks by exploiting the openness that websites must have in order to interact with their users.

This is confirmed by the Verizon Data Breach Investigations Report, which has repeatedly shown that web application attacks remain the most common breach pattern and are a preferred vector for malicious attackers.

By continuously monitoring and scanning your web applications, you can proactively identify vulnerabilities and remediate them before a breach occurs, staying one step ahead of attackers. Here are some of the most important things to keep in mind when evaluating application scanners for your organization.

Free Web Application Scanners Are Not Accurate

Free web application vulnerability scanners abound, and while free sounds good to everyone, keep in mind that free scanners will likely give you a high rate of both false positive and false negative alerts, a frustrating nightmare for an IT team that is already strapped for time and energy. As the old saying goes: you get what you pay for.

That said, many commercial full-featured scanners offer a free trial version that you can try out before you buy. This gives you a big advantage when purchasing such critical security equipment for your organization: you can test the scanners to ensure they will accomplish what you need them to.

OWASP Top Ten Vulnerabilities

You want your web scanner to find vulnerabilities accurately, not just churn out information that is labor-intensive for your IT team to wade through. How can you tell whether a web application scanner is accurate? Make sure it can detect the Open Web Application Security Project (OWASP) Top Ten Vulnerabilities:

  1. Injection: An attacker sends untrusted data to a SQL, OS, or LDAP interpreter as part of a command or query, "tricking" the interpreter into executing commands or accessing critical data.
  2. Broken authentication and session management: Hackers exploit authentication and session management processes to steal passwords, tokens, or keys that enable them to assume the hacked user's identity and gain access to your network.
  3. Sensitive data exposure: Incredibly, many web applications still don't properly protect sensitive data such as credit card numbers, authentication credentials, or tax IDs. Hackers take advantage of these weaknesses to commit identity theft, credit card fraud, and other attacks.
  4. XML External Entities (XXE): Old or misconfigured XML processors evaluate external entity references within XML documents. External entities can be used for internal port scanning, remote code execution, and denial-of-service attacks.
  5. Broken access control: Restrictions on what authenticated users are allowed to do are often not enforced. Attackers exploit this to access unauthorized data and/or functionality.
  6. Security misconfiguration: Best practice requires secure configuration within the application and across its surrounding environment and platform. If there is a misconfiguration in the security layer, hackers can easily exploit it and gain access to your network and critical data.
  7. Cross-site scripting (XSS): A way for hackers to hijack user sessions, redirect users to malicious sites, or deface websites through an XSS vulnerability. An application takes untrusted data and sends it to a web browser without validation, enabling hackers to run unwanted scripts in the victim's browser.
  8. Insecure deserialization: This often leads to remote code execution. Deserialization flaws can be used to perform replay attacks, privilege escalation attacks, and injection attacks.
  9. Using components with known vulnerabilities: Software components such as modules often run with full privileges, so if a vulnerable component (such as a library, framework, or other software module) is exploited, it can cause serious damage and give hackers an easy way into the entire system.
  10. Insufficient logging & monitoring: Most attacks are allowed to transpire due to a lapse in proper logging and monitoring. Without sufficient logging and monitoring procedures, attackers can go unnoticed and have a better chance of inflicting severe damage.
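Items 1 and 7 above describe the same root cause: untrusted data handed to an interpreter (SQL or the browser's HTML parser) without being separated from the command. The example below is added here and is not code from the original page or from Rapid7; it uses a constructed in-memory SQLite table and constructed inputs to show the vulnerable pattern beside the hardened one, which is what an accurate scanner is looking for.

```python
import sqlite3
import html


def make_db():
    # Constructed sample data (not from the page): a tiny in-memory user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # OWASP item 1 (injection): untrusted input is pasted into the SQL text,
    # so the interpreter cannot tell data from command.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # Parameterized query: the driver passes the value separately from the
    # statement, so the input can never change the statement's structure.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_vulnerable(display_name):
    # OWASP item 7 (XSS): untrusted data is sent to the browser unencoded.
    return f"<p>Welcome, {display_name}</p>"


def render_hardened(display_name):
    # HTML-encode at output time so any markup in the input is shown as
    # literal text instead of being parsed and executed by the browser.
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"  # constructed input that should match no user
    print(lookup_vulnerable(conn, probe))  # every row: the WHERE clause was rewritten
    print(lookup_hardened(conn, probe))    # []: the input is treated as a literal string
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_hardened("<script>alert(1)</script>"))
```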

Web Application Security Reports

You want to make sure your web application vulnerability scanner provides easy-to-read reports that present the information your scanner finds in a digestible way. Reports allow your IT team to easily and quickly identify weaknesses or holes in your web applications that could be a prime target for hackers. Reports also allow you to identify security threats as they occur, providing real-time solutions for any application vulnerabilities.

Remediating Web Application Vulnerabilities

While having detailed reports is crucial to making use of the data that your scanner finds, it is not enough. Your scanner should also be able to convert vulnerability data into a specific, detailed remediation plan.

A remediation plan can provide you with prioritized tasks and context, including what needs to be fixed, why, and by when. The best vulnerability scanners allow you to track and measure the data within the scanner software itself, or to integrate the data into your IT ticketing solution.

Web Application Security Summary

Today's threat landscape is constantly evolving. Given the number of web applications that people interact with daily, whether for business or personal use, it is critical that these applications are protected. By regularly scanning your applications, you can identify and remediate vulnerabilities before a breach occurs and stay one step ahead of attackers.