Securing web applications and infrastructure
A techUK guidance document

#techUK

About techUK

techUK represents the companies and technologies that are defining today the world that we will live
in tomorrow. More than 850 companies are members of techUK. Collectively they employ more than
500,000 people which represent about half of all tech sector jobs in the UK. These companies range
from leading FTSE 100 companies to new innovative start-ups. The majority of our members are small
and medium sized businesses.
This guidance has been produced under the auspices of the Cyber Crime Reduction Partnership in
co-operation with EY and PA Consulting.

Securing Web Applications and Infrastructure | A techUK guidance document

Context

Web-based applications are growing rapidly in number. They are being developed extremely quickly
and on many different platforms. On top of this, the level of skill required to develop them is
falling.
Web applications can provide significant benefit to consumers and businesses and as we move towards
an Internet of Things and continue the development of better and faster mobile platforms, their
importance will continue to grow.
Software engineers and industry in general have a responsibility to ensure that their products are
developed in a manner that is as secure as possible. This is true even if software is simple or does not
deliver a function that is safety critical, like the processing of personal data for example.
The level of cyber threat to UK business is significant. To quote the 2014 Information Security Breach
Survey (published by BIS), some attacks caused more than 1 million of damage and 87% of small firms
experienced a security breach last year, up 10%. 93% of large organisations had also been targeted.
However, the problem is that some of the vulnerabilities being exploited have existed for a significant
period of time and are well understood by both criminals and developers. Potential solutions to them are
widely available and easy to find.
This guidance aims to identify the vulnerabilities that the security industry has detected most recently,
explain the problems they cause and suggest ways of avoiding them. No software is ever 100%
secure, and the level of security required depends on the environment the application operates in.
However, we suggest that there is a basic level of care that needs to be taken when developing applications.

Disclaimer
This Guidance has been produced and is owned by techUK. Whilst every effort has been made to reflect
current best practice in this Guidance, it is only intended to provide general advice. techUK and third
parties engaged in the completion of this Guidance cannot guarantee the completeness or accuracy of
the information in this document and shall not be responsible for errors or inaccuracies.
It remains your responsibility to ensure that all reasonable steps have been taken to mitigate security risk
and reduce vulnerabilities in applications, and we suggest you take professional advice if in doubt. Under
no circumstances shall techUK or any third parties engaged in the completion of this Guidance be liable
for any reliance by you on any information in this Guidance.

Current vulnerabilities

The current top ten vulnerabilities


PA Consulting Group has reviewed all its penetration tests (formal technical security evaluations) over
the last 12 months on customer web applications and infrastructure. What they found was that common
and well established vulnerabilities still exist and are being routinely introduced into new applications.
The table below shows the top ten vulnerabilities that were found and their potential impact.

Vulnerability: Account weaknesses, especially a weak password policy
Description: This includes concurrent logins being enabled and default passwords being used. However, the most common issue was a weak password policy.
Impact: A weak password policy could allow unauthorised access to the application or the wider system, resulting in severe compromise or gaining of root privilege.

Vulnerability: Secure Sockets Layer (SSL) issues
Description: SSL provides a secure connection between the browser and the specific server (domain). It ensures data is encrypted and authenticates the two ends of the connection. However, tests consistently show insecurities, from weak ciphers in use to self-signed and expired certificates.
Impact: Poor implementation can lead to user password and data compromise through man-in-the-middle attacks or eavesdropping.

Vulnerability: Cross site scripting (XSS)
Description: XSS is one of the most common vulnerabilities; it enables attackers to inject executable code into web pages.
Impact: A cross-site scripting vulnerability may be used by attackers to bypass access controls and hence compromise the application or gain access to the wider system.

Vulnerability: Clear test protocol in use
Description: It is good practice to test applications and systems in general. However, leaving evidence such as test harnesses in place could be highly useful to an attacker, as it may demonstrate where a vulnerability exists.
Impact: Depending on the vulnerability exposed, application compromise and/or access to the wider system.

Vulnerability: No brute force protection
Description: Brute force may be used to attack an application in a simplistic but sometimes very effective way. Passwords and/or encryption keys may be guessed and automated tools deployed against them.
Impact: Access to the application will compromise it and perhaps give access to the wider system.

Vulnerability: Directory listing
Description: Discovering the directory structure of a web site, or being able to identify files that are normally hidden, is of use to an attacker.
Impact: The attacker may be able to exploit a particular file or use the directory listing to improve their chance of success in compromising the system or application.

Vulnerability: No clickjacking protection
Description: Malicious code or a malicious link is positioned over a legitimate link via a transparent web layer to hijack it, taking the user somewhere other than intended or executing malicious code.
Impact: Depends on the malicious code or link deployed, but will compromise the user or system.

Vulnerability: Cookies not marked HttpOnly or not marked as Secure
Description: This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful MITM (man in the middle) attack. (*definition from https://www.netsparker.com/cookie-not-marked-as-secure/)
Impact: This cookie will be transmitted over an HTTP connection; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a MITM attack, they can force the victim to make an HTTP request to steal the cookie. (*definition from https://www.netsparker.com/cookie-not-marked-as-secure/)

Vulnerability: Host configuration issues, especially firewall issues and IP leakage
Description: There are a range of issues found in host configuration, but the most common are firewall vulnerabilities and exposure of the user's IP address, which is highly useful information to an attacker. Badly written applications can leak this information.
Impact: The IP address can be used to launch and direct other exploits or attacks, such as denial of service. Leakage of the IP address also has privacy implications for the consumers of web applications.

Vulnerability: Information disclosure, especially user enumeration
Description: This is where the functional response of the application or the password reset mechanism may provide unintentional clues as to the construct of a username or password.
Impact: An attacker may determine the username or password and thus compromise the application or system.

Solutions

Technical solutions to the top ten vulnerabilities


The vulnerabilities identified above all have well established fixes and ways of being
avoided. This document does not attempt to introduce new ways of solving these vulnerabilities but
points to some claimed third party best practice that we are aware of:

Vulnerability: Account weaknesses, especially a weak password policy
General solution: Avoid hardcoded passwords, weak cryptography and plain text passwords.
Example best practice:
https://www.owasp.org/index.php/Password_Management:_Hardcoded_Password
https://www.owasp.org/index.php/Password_Management:_Weak_Cryptography
https://www.owasp.org/index.php/Password_Plaintext_Storage
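The following is an added example (not code from techUK, PA Consulting or OWASP) of what the three points above look like in practice using only the Python standard library: a password policy check that rejects short, common and default passwords, and salted PBKDF2-HMAC-SHA256 storage in place of plain text or a bare hash. The deny-list, the minimum length of 12 and the iteration count are assumptions made for the example; the choice of PBKDF2 is ours, not the guidance's.

```python
import hashlib
import hmac
import secrets

# Constructed deny-list of default and common passwords for this example; a real
# deployment would load a much larger list (for example a breached-password corpus).
COMMON_PASSWORDS = {"password", "admin", "changeme", "letmein", "12345678", "welcome1"}

MIN_LENGTH = 12                # assumed policy value
PBKDF2_ITERATIONS = 600_000    # assumed work factor for PBKDF2-HMAC-SHA256; raise as hardware improves


def policy_violations(password: str, username: str = "") -> list:
    """Return the reasons a candidate password fails the policy (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("matches a common or default password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if password != password.strip():
        problems.append("has leading or trailing whitespace")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the plaintext is never stored."""
    salt = secrets.token_bytes(16)  # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the work factor can be raised later without breaking old hashes.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def create_credential(username: str, password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Enforce the policy at registration time, then return the record to persist."""
    problems = policy_violations(password, username)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password, iterations)
```

The stored record carries its own algorithm name, iteration count and salt, so the work factor can be increased for new credentials without invalidating existing ones, and verification never needs a hardcoded secret.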

Vulnerability: Secure Sockets Layer (SSL) issues
General solution: Use the most up to date SSL version, test and verify its operation and monitor for SSL vulnerabilities.
Example best practice: http://www.alienvault.com/open-threat-exchange/blog
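As an added example (ours, not code from techUK, PA Consulting or AlienVault), the Python standard library `ssl` module can be used to build a client context with a sane floor and to audit a context for the weaknesses the table describes: old protocol versions, unverified (self-signed, expired or mismatched) certificates and TLS compression. The `weak_client_context` function constructs a deliberately lax configuration purely so the audit has something to flag, and `certificate_expired` shows the expiry check against the `notAfter` string that `getpeercert()` returns.

```python
import ssl
import time


def hardened_client_context() -> ssl.SSLContext:
    """Client context with TLS 1.2 as the floor, certificate and hostname checks on, compression off."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of 'just make it work' context the audit should flag (constructed for this example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # accepts self-signed, expired or mismatched certificates
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings for settings that weaken the connection; empty means clean."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are enabled")
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate is not verified")
    elif not ctx.check_hostname:
        findings.append("certificate is verified but its hostname is not checked")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    return findings


def certificate_expired(not_after: str, now: float = None) -> bool:
    """`not_after` is in the form getpeercert()['notAfter'] returns, e.g. 'Jan  1 00:00:00 2020 GMT'."""
    expiry = ssl.cert_time_to_seconds(not_after)
    current = time.time() if now is None else now
    return expiry < current
```

Run `audit_context` over every context the application creates (and over the server-side context in the same way) as part of the release checks, and schedule `certificate_expired` against the deployed certificate so an expiry is caught before users see a browser warning.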

Vulnerability: Cross site scripting (XSS)
General solution: Various prevention rules and techniques exist.
Example best practice:
https://www.owasp.org/index.php/Cross_Site_Scripting_Flaw
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
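The rule the OWASP cheat sheet turns on is context-appropriate output encoding. The added example below (ours, not from the guidance or OWASP) shows, using only the Python standard library, the unsafe string-concatenation pattern beside its encoded counterpart for three contexts: element text, an attribute value and a URL path segment inside an attribute. The comment and profile-link markup is invented for the illustration.

```python
import html
from urllib.parse import quote


def render_comment_unsafe(author: str, text: str) -> str:
    """The pattern behind most XSS: untrusted strings concatenated straight into markup."""
    return f'<p class="comment" data-author="{author}">{text}</p>'


def render_comment_safe(author: str, text: str) -> str:
    """Encode for the context: quote=True for attribute values, plain escape for element text."""
    return (
        f'<p class="comment" data-author="{html.escape(author, quote=True)}">'
        f"{html.escape(text)}</p>"
    )


def render_profile_link(user_id: str, label: str) -> str:
    """A URL path segment needs URL encoding first, then HTML escaping as an attribute value."""
    href = "/users/" + quote(user_id, safe="")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(label)}</a>'


def contains_raw_script_tag(rendered: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in rendered.lower()
```

Encoding is applied at the point of output, not at input, because the same stored value may be rendered into several different contexts; a templating engine with auto-escaping enabled does the first two cases for you, but URL building still has to be done explicitly.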

Vulnerability: Clear test protocol in use
General solution: Remove all test code, harnesses and data from an application in release builds.
Example best practice: As per the general solution.

Vulnerability: No brute force protection
General solution: Ensure your web application is securely hosted and protected via an up to date firewall. Deploy application logging and routinely analyse it to detect brute force attack attempts. Capture and report the attacking IP address to the most appropriate and relevant authority.
Example best practice: As per the general solution.
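The "deploy logging and analyse it" step is concrete enough to show. The added example below (ours, not from the guidance) runs a sliding-window count of failed logins per source IP over a constructed authentication log and produces one alert per offending address, including the number of distinct accounts tried, which separates a forgotten password from an automated attack. The log format, the threshold of five failures and the one-minute window are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an application's authentication log for this example (not real data):
# timestamp, event, username, client IP.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z LOGIN_FAIL alice 203.0.113.7
2024-03-01T10:00:03Z LOGIN_FAIL alice 203.0.113.7
2024-03-01T10:00:04Z LOGIN_FAIL bob 203.0.113.7
2024-03-01T10:00:06Z LOGIN_FAIL carol 203.0.113.7
2024-03-01T10:00:07Z LOGIN_FAIL dave 203.0.113.7
2024-03-01T10:00:09Z LOGIN_FAIL erin 203.0.113.7
2024-03-01T10:00:30Z LOGIN_OK alice 198.51.100.20
2024-03-01T10:05:00Z LOGIN_FAIL frank 192.0.2.44
2024-03-01T10:20:00Z LOGIN_FAIL frank 192.0.2.44
"""


def parse_line(line: str):
    timestamp, event, user, ip = line.split()
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ"), event, user, ip


def detect_brute_force(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> list:
    """Sliding-window count of failed logins per source IP.

    Returns one alert per offending IP as (ip, first_failure_iso, failures_in_window, distinct_users).
    Many distinct users from one IP points at credential stuffing rather than one forgotten password.
    """
    recent = defaultdict(deque)  # ip -> failures (timestamp, user) still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = parse_line(line)
        if event != "LOGIN_FAIL":
            continue
        failures = recent[ip]
        failures.append((ts, user))
        while failures and ts - failures[0][0] > window:
            failures.popleft()  # drop failures older than the window
        if len(failures) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, failures[0][0].isoformat(), len(failures),
                           len({u for _, u in failures})))
    return alerts


def format_report(alert: tuple) -> str:
    """One line suitable for the incident record or a report to the relevant authority."""
    ip, first_seen, count, users = alert
    return f"{ip}: {count} failed logins against {users} account(s) starting {first_seen}Z"
```

The same loop, fed from the live log rather than a string, is the basis of an automated lockout or rate limit; the report line carries the captured IP address and the evidence behind it, which is what a reporting authority will ask for.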

Vulnerability: Directory listing
General solution: Deploy a chroot jail.
Example best practice: https://www.owasp.org/index.php/Directory_Restriction_Error

Vulnerability: No clickjacking protection
General solution: Send the proper X-Frame-Options HTTP response header, which instructs the browser not to allow framing from other domains (*source OWASP). Employ defensive code in the user interface to ensure that the current frame is the top-level window (*source OWASP).
Example best practice: https://www.owasp.org/index.php/SecureFlag

Vulnerability: Cookies not marked HttpOnly or not marked as Secure
General solution: Mark all cookies used within the application as secure.
Example best practice: https://www.netsparker.com/cookie-not-marked-as-secure/
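Both the clickjacking row and the cookie row above come down to response headers, so one added example (ours, not code from techUK, OWASP or Netsparker) covers them: building a session cookie with the `Secure` and `HttpOnly` flags via the Python standard library, and an audit that checks a server's response headers for a missing or unrecognised `X-Frame-Options` and for cookies lacking either flag. Accepting a CSP `frame-ancestors` directive in place of `X-Frame-Options`, and the `SameSite=Lax` attribute on the cookie, are our additions beyond what the guidance lists.

```python
from http.cookies import SimpleCookie


def build_session_cookie(session_id: str) -> str:
    """Set-Cookie value for a session cookie carrying the flags the guidance asks for."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["secure"] = True      # only ever sent over HTTPS
    jar["session"]["httponly"] = True    # not readable from script, so XSS cannot simply lift it
    jar["session"]["samesite"] = "Lax"   # not in the guidance; widely supported defence in depth
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()


def cookie_flags(set_cookie_value: str) -> set:
    """Lower-cased attribute names following the name=value pair of a Set-Cookie header."""
    attributes = [part.strip() for part in set_cookie_value.split(";")[1:]]
    return {attribute.split("=", 1)[0].lower() for attribute in attributes if attribute}


def audit_response_headers(headers: list) -> list:
    """headers: list of (name, value) pairs as the server sends them. Returns findings; empty is clean."""
    findings = []
    by_name = {name.lower(): value for name, value in headers}
    frame_options = by_name.get("x-frame-options")
    csp = by_name.get("content-security-policy", "")
    if frame_options is None and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors: page can be framed (clickjacking)")
    elif frame_options is not None and frame_options.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"unrecognised X-Frame-Options value {frame_options!r}")
    for name, value in headers:  # iterate the raw list: several Set-Cookie headers are common
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        flags = cookie_flags(value)
        if "secure" not in flags:
            findings.append(f"cookie {cookie_name!r} lacks Secure: it will also be sent over plain HTTP")
        if "httponly" not in flags:
            findings.append(f"cookie {cookie_name!r} lacks HttpOnly: readable by injected script")
    return findings
```

Feeding `audit_response_headers` the header list captured from a staging deployment gives a repeatable check that can run in the release pipeline rather than waiting for the next penetration test to find the same omission again.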

Vulnerability: Host configuration issues, especially firewall issues and IP leakage
General solution: Ensure application code does not directly or indirectly expose the user's IP address. Test to verify this.
Example best practice: As per the general solution.

Vulnerability: Information disclosure, especially user enumeration
General solution: Ensure password reset and error handling do not provide attackers with information that allows them to determine a password or user name.
Example best practice: As per the general solution.
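What "does not provide information" means for a login or password-reset handler is shown in the added example below (ours, not from the guidance). The leaky version returns different messages for an unknown account and a wrong password; the safe version returns one generic message for both, does the same hashing work in both cases so timing does not differ, and the reset handler answers identically whether or not the account exists. The user store, the dummy record and the `OUTBOX` list standing in for the mail queue are constructed for the example.

```python
import hashlib
import hmac
import secrets

GENERIC_LOGIN_MESSAGE = "Invalid username or password."
GENERIC_RESET_MESSAGE = "If that account exists, a password reset email has been sent."
OUTBOX = []  # stands in for the mail queue in this example


def _digest(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)


# Constructed user store for this example: username -> (salt, password hash). Not real credentials.
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _digest(b"correct horse battery staple", _SALT))}
# Dummy record hashed for unknown usernames so the work done (and the timing) is the same either way.
_DUMMY = (secrets.token_bytes(16), _digest(b"placeholder", secrets.token_bytes(16)))


def login_enumerating(username: str, password: str):
    """The leaky version: the message tells the caller whether the account exists."""
    if username not in USERS:
        return False, "No such user."
    salt, stored = USERS[username]
    if not hmac.compare_digest(_digest(password.encode("utf-8"), salt), stored):
        return False, "Incorrect password."
    return True, "Welcome."


def login_safe(username: str, password: str):
    """Same outcome, but unknown users and wrong passwords are indistinguishable from outside."""
    salt, stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_digest(password.encode("utf-8"), salt), stored)
    ok = matched and username in USERS
    return ok, ("Welcome." if ok else GENERIC_LOGIN_MESSAGE)


def request_password_reset(username: str) -> str:
    """Always answer the same way; only the (out-of-band) email reveals whether the account exists."""
    if username in USERS:
        OUTBOX.append(username)  # a real application would send the reset email here
    return GENERIC_RESET_MESSAGE
```

The same principle applies to registration ("that email address is already in use") and to HTTP status codes and response sizes, which can leak the distinction even when the message text is identical.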

Appropriate standards

As well as the direct solutions to the top ten vulnerabilities given above, there are a
number of recognised best practice steps you can take to ensure your web application is as practically
secure as possible.
The UK has succeeded in codifying what constitutes good software engineering. PAS 754, Software
Trustworthiness Governance and Management Specification was developed by BSI, the business
standards company, in consultation with stakeholders. It sets out the processes and procedures which
organisations can apply to help them identify and employ trustworthy software.
The specification defines the five aspects of software trustworthiness: safety, reliability, availability,
resilience and security. The set of principles and techniques applied to any software implementation needs to be
suited to its context and intended use.
It describes a widely applicable approach to achieving software trustworthiness, which is based on the
following concepts:

Governance: Before producing or using any software which has a trustworthiness requirement, an
appropriate set of governance and management measures shall be set up.

Risk assessment: The risk assessment process involves considering the set of assets to be protected,
the nature of the adversities that may be faced, and the way in which the software may be
susceptible to such adversities.

Control application: Risk shall be managed through the application of appropriate personnel,
physical, procedural and technical controls.

Compliance: A compliance regime shall be set up to ensure that creators and users of software
ensure that governance, risk and control decisions have been implemented.


This standard was completed by the following organisations:


Association of British Certification Bodies (ABCB)

Centre for the Protection of National Infrastructure (CPNI)

Department for Business, Innovation & Skills (BIS)

Group 5 Training Limited

The Institution of Engineering and Technology (IET)

Microsoft

The Motor Industry Software Reliability Association (MISRA)

Nexor Limited

Oxford Brookes University

QinetiQ Group

Trustworthy Software Initiative (TSI)

Whilst all elements of this specification are appropriate to the development of web applications and
infrastructure we suggest that its recommendations are adopted as appropriate to the level of risk the
application and/or infrastructure is deployed within.
Other international standards exist, such as ISO/IEC 27034-1:2011 Information technology -- Security techniques
-- Application security. This provides guidance to assist organisations in integrating security into
the processes used for managing their applications. It introduces the definitions, concepts, principles
and processes involved in application security. It is applicable to in-house developed applications,
applications acquired from third parties, and cases where the development or the operation of the application
is outsourced.

For further help/references


OWASP | https://www.owasp.org/index.php/Main_Page

BSI - PAS 754 | http://shop.bsigroup.com/ProductDetail/?pid=000000000030284608

CPNI - PAS 754 | http://www.cpni.gov.uk/advice/cyber/Cyber-research-programmes/tci/Trustworthy-Software-Initiative/

ISO 27034-1 | http://www.iso.org/iso/catalogue_detail.htm?csnumber=44378

10 St Bride Street, London EC4A 4AD


techUK.org | @techUK | #techUK