Vanguard Brand Protection - Web Application Security FAQ

  1. What is Web Application Security?
  2. How can we know if our site is vulnerable today?
  3. We have skilled programmers and services to develop our web applications.  Do we still have security exposures?
  4. We have security policies and practices and have a firewall in place.  Are we still exposed from application level hacking?
  5. We make heavy use of encryption in our web site.  Do we still need SecureWebOnline Managed Security Testing Services?

What is Web Application Security?

Web application security is the security implemented at the application layer to protect your web site from hacking conducted at that layer.  Most organizations have implemented policies and technologies, such as firewall systems, virus-checking controls and encryption, to protect against network security threats.  Despite these controls, most web sites are vulnerable to web application hacking because these controls do not operate at the application layer.

How can we know if our site is vulnerable today?

Vulnerabilities in your site can be detected by conducting a Vanguard Brand Protection Web Application audit or by signing up to our Managed Service.  Our auditing and security testing services identify potential vulnerabilities by attacking your site (in an ethical manner) using methods used by hackers.  They determine the security level of your web applications by evaluating how your site responds to the audit attacks initiated by our test server.

We have skilled programmers and services to develop our web applications.  Do we still have security exposures?

Yes. Whether you are in B2B or B2C, to be competitive in today's market you have to do business on the Web. And as more and more of the world's largest enterprises put their digital assets online, security for application development is becoming a very demanding task. While most companies understand the importance of encryption and advanced firewall software to guard access to online assets, the most vulnerable points in any Website, the Web applications themselves, remain mostly unguarded. Handling Web application security in-house requires developers to address security issues at each stage of the development cycle (design, implementation, testing and deployment). This is a costly and time-consuming process, especially in today's competitive hiring environment for good Web developers!

With the Vanguard Brand Protection Managed Service, you can provide your environment with automated Web application security software that autonomously and intelligently audits your applications, whether your Web developers produced them or you acquired them from a 3rd party.

We have security policies and practices and have a firewall in place.  Are we still exposed from application level hacking?

Yes. Security policies, firewalls and encryption are not effective against application level hacking. A hacker using a regular Web browser will seamlessly go through the firewall and encryption and is virtually free to send requests to the application. Those requests can be of three types:

  • Legal requests, which the application recognizes and accepts
  • Illegal requests, which the application recognizes and rejects
  • Anything else

It's the last of these three that is dangerous to the application. There is a large variety of techniques the hacker can use to discover requests of this third type and use them to force the application into unpredicted behavior. The results can be detrimental to the site and include defacement, total deletion, stealing customer accounts, credit cards and medical records, and much more.

We make heavy use of encryption in our web site.  Do we still need Vanguard Brand Protection Managed Services?

Yes - you need both encryption and protection against application-level attacks, even if you use data communication and/or host-based encryption.  In the case of data communication encryption, a hacker will not only be uninterrupted by the encryption, he'll even be protected from eavesdropping while he hacks. The browser will take care of the encryption, ensuring the malicious requests arrive safely and securely at the server, where they will cause the damage.  In the case of host-based encryption, the data is protected on the server by encoding it in an unusable format, safe from anyone who is scanning your disk. Keep in mind, however, that in order to work, your application server needs to have access to your data in its clear form, and it therefore must tie into the encryption and decryption mechanisms. At the end of the day, the browser always gets the information in clear form, so a hacker operating through a browser will not be interrupted at all by the encryption. In other words, encryption cannot provide protection if your very application is used against you.

 

 
SQS UK
SQS (UK) is a reseller of the Vanguard Brand Protection Service under the SQS Brand Protection label.
 
     
      
 
 
Copyright © Vanguard Technologies Ltd, 2006