DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. Managing Both Acute and Chronic Web Application Security Issues

Managing Both Acute and Chronic Web Application Security Issues

In light of the two major security concerns that occurred in recent weeks, James E. Lee, Vice President of Waratek, looks at some ways to enhance your security protocols.

James Lee user avatar by
James Lee
·
Mar. 20, 17 · Opinion
Like (1)
Save
Tweet
Share
2.93K Views

Join the DZone community and get the full member experience.

Join For Free

With WikiLeaks’ March 7 posting of what was purported to be some of the CIA’s cyber surveillance exploits, agencies are looking at the possibility of attackers turning intelligence gathering tools against government systems, devices, and websites.

Even more recently, a new, high-severity vulnerability emerged in the Apache Struts 2 open-source framework used to build Java web applications. The flaw allows hackers to inject commands into remote web servers. Within hours, organizations around the world reported attacks exploiting CVE-2017-5638 while Struts 2 users scrambled to apply a patch from the Apache Foundation.

What are the practical effects of these events, and what should government InfoSec leaders and practitioners do now?

The Struts 2 discovery requires immediate action, and the Vault 7 release should put security teams on an even more heightened alert. Each event, however, requires action by government IT teams as well as those in the private sector.

While most of the reports on the Vault 7 leak have focused on the tools that turn Internet-of-Things devices into surveillance units and the privacy risk that represents, the real danger for agencies is the potential for a tidal wave of zero-day attacks aimed at government web applications.

Agency security teams and software vendors will be working for weeks, months, or years to address the new exploits headed their way. Vault 7 and Struts 2 are not the first cyber events to point out a flaw in InfoSec planning and execution, nor will they be the last. While network security often gets the most resources in public and private sector organizations, web applications are the number one target for malicious attacks, according to the Department of Homeland Security, Verizon, and IBM, among other researchers. That’s because applications can contain known and unknown software flaws. Flaws in a major library like Struts 2 put an entire application at risk.

How to Be Prepared When (Not If) This Happens Again

With the known, immediate threat from Struts 2 and the potential for zero-day attacks from Vault 7 exploits, there are immediate actions and long-term considerations that agency security teams should take.

These are the tasks that should be addressed immediately:

  • Determine the agency’s reliance on Struts 2 and its vulnerability to CVE-2017-5638, then apply the available patch.

  • Ensure other critical patches on servers and end-points have been applied.  Ninety-nine percent of all successful breaches are related to unpatched software flaws known for at least one year, according to Gartner.

  • Reinforce cybersecurity requirements among system users. Malicious hackers are a crafty lot and use every tool available to infiltrate an end-point, often with the unwitting help of users’ poor cyber hygiene.

  • Tune up agency network and web application firewalls and intrusion detection systems.

  • It is also important for IT teams to consider long-term action items to help ensure they will be protected from future vulnerabilities.

  • Evaluate virtual patching technologies that allow for immediate protection from known vulnerabilities. A virtual patch can be applied immediately while the application continues to run — with no code changes and without restarting.

  • Evaluate every part of the software stack  — not just the code written in house. Agency teams should be looking for and protecting against vulnerabilities in all software, including the platform itself. Finding the flaws is not the issue — protecting against them as fast as possible without service disruption is.

  • Turn off unnecessary elements. Virtually every web application includes unused and unneeded application programming interfaces and other software code. By turning off the software elements that aren’t required, agencies can reduce the attack surface and improve defenses against any zero-day attack arising from Vault 7.

  • Separate privileges and run agency software using the least privileges. In most cases, attackers damage compromised systems because after initial access they’ve been able to escalate their privileges and access restricted information/functionality. To avoid such scenarios the system must be compartmentalized, its trust boundaries and data flows identified, and separate privileges defined for each trust boundary. This usually requires an in-depth architectural analysis of the software system, but software tools can help automate this task.

Because of the highly sensitive information government agencies maintain, IT departments will always face cybersecurity challenges. However, putting the right protections in place will help significantly reduce these vulnerabilities and help secure vital systems before data gets into the wrong hands.

Application security Web application Web Service

Published at DZone with permission of James Lee, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Explainer: Building High Performing Data Product Platform
  • New MacBook Air Beats M1 Max for Java Development
  • Simulating and Troubleshooting StackOverflowError in Kotlin
  • Promises, Thenables, and Lazy-Evaluation: What, Why, How

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: