web security in network security 2019 | Debuggate
Information security can never be guaranteed to be perfect. Getting close to perfection is difficult at every stage from design to operation, no matter how skilled the professional.
Web security in particular has no single standardized set of measures and methods; the security environment has to be built around each organization's actual circumstances. Most companies run web security solutions, but few run the right solution for each need. There are many kinds of products, and not every one can be installed and operated according to its intended role.
To secure the web properly, a corporate security officer needs a thorough understanding of web security principles and must build a web security system suited to the company's own IT systems. How? The first step is a proper understanding of our own IT system.
“So, web security: what exactly does it do?”
First, let's look briefly at the structure of the IT systems companies use. In general, an IT system consists of three layers, network, system, and application, and security must be applied to each layer.
The 'network' layer at the bottom handles communication: sending and receiving data. The 'system' layer is the platform on which multiple applications run, such as an operating system like Windows or Linux. The 'application' layer at the top provides the protocols and application services that deliver the actual functionality.
Since servers of every kind follow this structure, securing a server means securing all three layers of the IT system: network security + server system security + application security.
Network security is easiest to think of as the outermost protective shell. A firewall sits between the inside and the outside of the system and blocks abnormal communication or packets.
Network security requires controlling access to IPs and ports that should not be reachable, and also checking whether traffic arriving at an allowed IP or port is harmful. Firewalls and intrusion detection/prevention systems (IDS/IPS) are used for this.
However, a firewall cannot stop attacks arriving over IPs and ports that are allowed, and the network-layer harmfulness checks performed by IDS/IPS do not understand the application layer, so they cannot defend against attacks on application vulnerabilities. Are there many attacks targeting applications? The overwhelming majority of all information security attacks are application attacks.
Server system security
System security is mostly concerned with the operating system. Windows, Linux, Unix and others respond to "known threats" through periodic security updates and patches.
Corporate security officers should keep systems secure at all times, not only through security updates and patches but also through periodic malware reviews of the system. Companies often deploy antivirus solutions for this. It is an indispensable measure, but it is inherently limited to 'known attacks'. What about unknown attacks? Are there many? Of course there are. Think about it: if someone has decided to do their very best to break in,
would they try an attack that is already known? Everyone goes around the known ones and attacks elsewhere.
Web application security
Because the application layer is technologically more complex than the network or system layers, and because the kinds of applications vary so much, most security administrators find it hardest to establish and apply security policies here. So, as simply as possible:
The 'web' we usually think of is made entirely of applications. Websites, mobile apps and so on are all applications, and web attacks aimed at them, application attacks exploiting application vulnerabilities, make up the majority of all attacks.
In the end, the web attacks that have become famous through media reports, SQL Injection, XSS and the rest, all aim to exploit web site application vulnerabilities, as does web-based malicious code, also called a "web shell". The OWASP Top 10 (OWASP is The Open Web Application Security Project) list of web vulnerabilities likewise consists of web application attacks. In other words,
it is no exaggeration to say that more than 90% of current web attacks target web applications. Ultimately, if you want to build secure web security, building secure web application security is unavoidable.
Web application security uses methods such as web vulnerability scanners, web application firewalls, web malware detection, secure coding and data encryption. However, because awareness of the risks and of the corresponding technologies is lacking, adoption is poor. It is a real pity.
Now let’s draw a picture of the security methods needed at each layer.
Again, although web application security is the most important part of web security as a whole, investment in application security is only about a tenth of the investment in network security. Why? Perhaps because of the difficulty of not knowing what to do. Network security is relatively simple: put the appliance in the rack and "Oh, it's done!" (Of course, network security should not be treated that way either.)
Perfect web security! What do you need?
Enterprise security administrators deploy a variety of web security solutions to protect against web attacks. However, few of them can say exactly what role each solution they buy and manage plays, particularly the solutions related to web application security.
In other words, apart from basic network security solutions, few companies operate and apply appropriate solutions for web application security. Such an environment lowers the company's overall security level and can even make it a target for hackers.
Building an application is like building a house. Whether a house is safe or unsafe depends on how it is built, and the robustness of an application likewise depends on how it is built.
Application security has to cover everything from the initial development phase to post-deployment maintenance. But without a proper methodology this is hard to implement, because web application security itself is hard to grasp. There are web scanners, web application firewalls and so on, but it is not easy to understand their exact function or where each one belongs.
Let's take a closer look at web application security and where each solution fits.
Let's say the whole development process is the process of building a house. When you build a house, you build a strong, secure brick house on a solid foundation. This is the most basic thing in house-building, and a strong foundation gives you a safer house.
'Secure coding' means writing code with security in mind from the design stage, to minimize the vulnerabilities that arise for all sorts of reasons: a developer's lack of knowledge or mistakes, or inherent weaknesses of the programming language itself.
According to a study by Gartner Inc., a US information technology research and advisory company (it is a comedy that a country without a group like Gartner claims to be an "IT powerhouse"), reducing vulnerabilities by 50% through secure coding reduces the cost of incident response by 75%. Rapid deployment is an important factor in application development, but developing securely and systematically matters more than speed.
Adding other web security solutions on top of an insecure development environment achieves very little.
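What secure coding means in practice, as an added example that is not part of the original article: the same user lookup and the same page fragment written once the vulnerable way and once the hardened way, for the two attacks the article names (SQL injection and XSS). The user table is constructed in memory so the block runs offline with only the Python standard library.

```python
"""Added example (not from the original article): the same login lookup and
greeting written two ways, to show what 'secure coding' means concretely for
SQL injection and reflected XSS. Standard library only; the user table is
constructed in memory for the demonstration."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users with (already hashed) passwords.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: user input is spliced into the SQL text, so a quote character
    # ends the string literal and the rest of the input is parsed as SQL.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: a parameterised query. The driver passes the value separately
    # from the statement text, so it can never be interpreted as SQL.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def render_greeting_vulnerable(name: str) -> str:
    # Vulnerable: untrusted text dropped into HTML unescaped (reflected XSS).
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    # Hardened: escape for the HTML text context before interpolating.
    # (Other contexts, e.g. inside a script block or an attribute without
    # quotes, need their own escaping rules; html.escape covers text and
    # quoted attributes only.)
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print(find_user_vulnerable(db, payload))   # every user leaks
    print(find_user_safe(db, payload))         # [] - nobody is literally named that
    print(render_greeting_safe("<script>alert(1)</script>"))
```

The point is not the particular payload: once input and code travel in separate channels (a bound parameter, an escaped text node) there is nothing left for the attacker to inject into, which is why this belongs at the foundation rather than being bolted on later.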
Web Scanner
Once the house is complete, you need to check whether any bricks have cracked or the house has tilted. The security equivalent is running a 'web scanner' periodically against your application to look for exactly those cracks and tilts.
Web scanners, also known as 'web vulnerability checking tools', are programs that communicate with the web application from the outside and analyze it for potential vulnerabilities or design flaws. Many web scanners are on the market, and several are also available for non-commercial use. Their performance and behavior vary, but the key point is that scans must be run regularly and consistently for them to have any effect.
Web Server Malware Detection (Web-based Malware Detection)
After construction, you should check whether rain leaks into the house and whether there are holes where pests are hiding. The solution that checks the inside of the application is the 'web server malware detection' solution.
Web-based malware, also called a web shell, is malicious code that runs inside the application. Through a web shell a hacker can bypass the security system and connect to the server without any further authentication. To catch it, use a solution that specializes in detecting web shells inside the server. Like web scanners, web server malware detection solutions must be run periodically.
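To make "detecting web shells inside the server" concrete, here is an added example that is not part of the original article or of any product it mentions: a minimal detector that flags PHP or JSP files in which request-controlled input reaches a code- or command-execution sink. The file tree is a constructed mapping of path to contents standing in for a walk of the document root; the rule names and sample files are my own.

```python
"""Added example (not part of the original article): a minimal web shell
detector of the kind a 'web server malware detection' solution runs against
the document root. It flags PHP/JSP files in which request-controlled input
reaches a code- or command-execution sink. The file contents are constructed
samples; real tools add many more signatures, decoding of obfuscated layers
and file-integrity baselines."""
import re
from typing import Dict, List

# Sinks that execute code or commands, and the superglobals an attacker can
# drive them from. The combination is the signal, not either one alone.
PHP_SINKS = r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
PHP_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"

RULES = {
    # eval($_POST['x']) / system($_GET["cmd"]) / exec(base64_decode($_POST...))
    "php_input_to_sink": re.compile(
        PHP_SINKS + r"\s*\(\s*(?:base64_decode\s*\(\s*)?" + PHP_INPUT, re.I),
    # the classic one-liner shape: @eval($_POST['pass']);
    "php_eval_oneliner": re.compile(r"@?\beval\s*\(\s*" + PHP_INPUT, re.I),
    # hiding the sink name: $f = 'sys'.'tem'; $f($_GET['c']);
    "php_dynamic_call": re.compile(r"\$\w+\s*\(\s*" + PHP_INPUT, re.I),
    # JSP: Runtime.getRuntime().exec(request.getParameter(...))
    "jsp_exec_from_request": re.compile(
        r"Runtime\.getRuntime\(\)\.exec\s*\([^)]*request\.getParameter", re.I),
}


def scan_content(text: str) -> List[str]:
    """Return the names of the rules that match one file's contents."""
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan_tree(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a mapping of path -> contents; report only files with findings.

    A real deployment would walk the web root (os.walk) and read every
    .php/.jsp/.aspx file; the mapping stands in for that so the example runs
    without touching the filesystem."""
    return {path: hits
            for path, hits in ((p, scan_content(c)) for p, c in files.items())
            if hits}


# Constructed samples: three benign pages (one of which reads $_POST safely)
# and three shells dropped into an upload directory.
SAMPLE_TREE = {
    "index.php": "<?php echo 'Welcome'; include 'header.php'; ?>",
    "contact.php": "<?php $name = htmlspecialchars($_POST['name']); echo $name; ?>",
    "util.php": "<?php function tidy($s) { return trim($s); } ?>",
    "uploads/img.php": "<?php @eval($_POST['pass']); ?>",
    "uploads/cache.php": "<?php $f='sys'.'tem'; $f($_GET['c']); ?>",
    "uploads/x.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_TREE).items():
        print(f"{path}: {', '.join(hits)}")
```

Note what the benign `contact.php` shows: reading `$_POST` is not suspicious by itself, only its flow into an execution sink is. This is why signature-only scanners that match on `system(` or `$_POST` alone drown operators in false positives, and why a shell can still evade this check by splitting the sink name and the input across variables or by encoding itself; periodic rescans and a baseline of known-good file hashes close that gap.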
Web Firewall (Web Application Firewall)
Now we have built the application house out of sound bricks and checked it inside and out. Is it a safe house yet?
Once the house is built, we put up a fence or wall to protect it from unexpected access and, ultimately, to compensate for internal hazards we have not yet found. In application security this fence is the 'web application firewall'.
A web application firewall detects and responds to intrusions and web attacks arriving over the web. It shields the application's vulnerabilities from exposure to the outside world, acting as a front-line barrier before an attack reaches the other protections. It also blocks web shells from being uploaded to the web server.
The latest web application firewalls can block a wide variety of web attacks in real time and can derive rules through a learning mode. This is possible because they are built specifically for web applications, unlike traditional firewalls. Unlike the other solutions, a web application firewall does not have to be installed on the servers themselves and can be conveniently placed in front of them. It is a fence, not a repair: a WAF filters known attack patterns, and attackers routinely probe for encodings and variants that slip past its rules, so the vulnerability behind it still has to be fixed.
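The inspection step of a web application firewall, reduced to its essence, as an added example that is not part of the original article or of any WAF product: each request is normalised (URL-decoded, case-folded) and then matched against a small rule set covering SQL injection, XSS, path traversal and web shell upload. The rule names, the request format and the sample traffic are constructed for the example; a real WAF has far more rules, anomaly scoring, and a learning mode that builds a profile of normal parameters per URL.

```python
"""Added example (not from the original article): the inspection step of a
web application firewall. Requests are normalised and matched against a
small rule set. Request format and sample traffic are constructed here."""
import re
from typing import Dict, List
from urllib.parse import unquote_plus


def normalise(value: str) -> str:
    """Decode twice to defeat double-encoding (%2527 -> %27 -> ') and fold
    case. Matching the raw string would let an attacker slip past every rule
    below simply by percent-encoding one character."""
    return unquote_plus(unquote_plus(value)).lower()


RULES = [
    ("sqli_tautology",    re.compile(r"(?:'|\")\s*or\s*(?:'|\")?\w+(?:'|\")?\s*=\s*")),
    ("sqli_union",        re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b")),
    ("sqli_comment",      re.compile(r"(?:--|#|/\*)\s*$")),
    ("xss_script_tag",    re.compile(r"<\s*script\b")),
    ("xss_event_handler", re.compile(r"\bon(?:error|load|mouseover|click)\s*=")),
    ("path_traversal",    re.compile(r"(?:\.\./|\.\.\\)")),
]

# Block uploads whose server-side extension is executable. Checking only the
# client-supplied Content-Type is not enough: the attacker controls it.
SHELL_EXTENSIONS = re.compile(r"\.(?:php\d?|phtml|jsp|jspx|asp|aspx)$")


def inspect(request: Dict) -> List[str]:
    """Return the names of every rule one request triggers (empty = allow).

    request = {"path": str, "params": {name: value}, "upload": filename?}"""
    hits: List[str] = []
    fields = [request.get("path", "")] + list(request.get("params", {}).values())
    for raw in fields:
        value = normalise(raw)
        for name, rx in RULES:
            if rx.search(value) and name not in hits:
                hits.append(name)
    upload = request.get("upload")
    if upload and SHELL_EXTENSIONS.search(normalise(upload)):
        hits.append("webshell_upload")
    return hits


# Constructed sample traffic: two normal requests followed by five attacks,
# two of them percent-encoded to show why normalisation comes first.
SAMPLE_REQUESTS = [
    {"path": "/products", "params": {"id": "42"}},
    {"path": "/search",   "params": {"q": "blue shoes"}},
    {"path": "/products", "params": {"id": "42' OR '1'='1"}},
    {"path": "/products", "params": {"id": "1 UNION SELECT user,pass FROM users--"}},
    {"path": "/search",   "params": {"q": "%253Cscript%253Ealert(1)%253C/script%253E"}},
    {"path": "/download", "params": {"file": "..%2F..%2Fetc%2Fpasswd"}},
    {"path": "/upload",   "params": {}, "upload": "avatar.PHP"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = inspect(req)
        print("BLOCK" if verdict else "ALLOW", req["path"], verdict)
```

Two design points worth noticing. First, normalisation happens before matching, because a WAF that compares raw bytes is trivially bypassed. Second, the upload rule looks at the filename the server would actually write, not at a header the client chose; that is the "prevents web shells from being uploaded" function described above.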
Data Security
Finally, how do you protect the cash and valuables in the house? From the application's perspective, important data such as personal information, card details and account information is that property.
A typical web application stores and manages its data in a database. To manage that data securely, a security mechanism specific to data has to be introduced. Generally this is a 'data encryption' solution, which encrypts the data so that a hacker who obtains it cannot read what they were ultimately after.
However, encryption alone does not do the whole job: careful attention must also be paid to access control and log auditing, so that who may access the data, and when it was accessed, is both controlled and recorded. And since the encryption/decryption key can open all of the encrypted data, key management deserves particular care: keys must be kept apart from the data they protect, or an attacker who dumps the database takes the key along with it.
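The three things the paragraph says must go with encryption (a key held apart from the database, access control on who may decrypt, and an audit log of every access) fit together as "envelope" encryption of a sensitive column. The following is an added example, not the article's or any vendor's code: each record gets its own data key (DEK), which is wrapped with a key-encryption key (KEK) that only the vault holds. To stay standard-library only, the record cipher is HMAC-SHA256 used as a PRF in counter mode with an encrypt-then-MAC tag; in production you would use an AEAD such as AES-GCM from a vetted library and hold the KEK in an HSM or cloud KMS rather than in process memory. The role names, the `Vault` class and the card number are constructed for the example.

```python
"""Added example (not part of the original article): field-level envelope
encryption with key separation, access control and an audit log. The cipher
is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, standing
in for a real AEAD such as AES-GCM. All names and data are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple


def derive_keys(key: bytes) -> Tuple[bytes, bytes]:
    """Split one key into separate encryption and MAC keys (never use one
    key for two purposes)."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def prf_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode with HMAC-SHA256 as the PRF. XOR is its own inverse, so
    the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = derive_keys(key)
    nonce = os.urandom(16)                      # fresh per message, never reused
    ct = prf_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = derive_keys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    return prf_xor(enc_key, nonce, ct)


class Vault:
    """Holds the key-encryption key (KEK) and decides who may use it.

    The database never sees the KEK: each row stores only its own data key
    (DEK) wrapped with the KEK, so a dump of the database alone is useless."""

    def __init__(self, kek: bytes, roles_allowed_to_decrypt: Set[str]):
        self._kek = kek
        self._allowed = roles_allowed_to_decrypt
        self.audit_log: List[Tuple[str, str, str]] = []   # (actor, action, outcome)

    def new_wrapped_dek(self) -> Tuple[bytes, bytes]:
        dek = os.urandom(32)
        return dek, seal(self._kek, dek)

    def unwrap_dek(self, actor: str, role: str, wrapped: bytes) -> bytes:
        # Access control and auditing happen here, on every decrypt, so a
        # caller cannot reach the plaintext without leaving a log entry.
        if role not in self._allowed:
            self.audit_log.append((actor, "unwrap_dek", "denied"))
            raise PermissionError(f"role {role!r} may not decrypt")
        self.audit_log.append((actor, "unwrap_dek", "ok"))
        return unseal(self._kek, wrapped)


def store_card(vault: Vault, db: Dict[str, Dict[str, bytes]], user: str, card: str) -> None:
    """Encrypt one field under a per-record DEK; store the wrapped DEK beside it."""
    dek, wrapped = vault.new_wrapped_dek()
    db[user] = {"wrapped_dek": wrapped, "card": seal(dek, card.encode())}


def read_card(vault: Vault, db: Dict[str, Dict[str, bytes]], user: str,
              actor: str, role: str) -> str:
    """Every read goes through the vault, so it is access-checked and logged."""
    row = db[user]
    dek = vault.unwrap_dek(actor, role, row["wrapped_dek"])
    return unseal(dek, row["card"]).decode()


if __name__ == "__main__":
    vault = Vault(os.urandom(32), {"payments"})        # KEK lives here, not in the DB
    db: Dict[str, Dict[str, bytes]] = {}               # constructed stand-in for the database
    store_card(vault, db, "alice", "4111111111111111") # constructed test card number
    print(read_card(vault, db, "alice", "svc-billing", "payments"))
    try:
        read_card(vault, db, "alice", "intern", "marketing")
    except PermissionError as e:
        print("denied:", e)
    print(vault.audit_log)
```

Per-record DEKs also make key rotation tractable: rotating the KEK means re-wrapping a 32-byte DEK per row rather than re-encrypting every field, and the audit log answers "who read this card number, and when", which encryption by itself never can.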
From secure coding to data security, no single specialist covers the whole process; collaboration with experts in each field, that is, a division of labor, is essential. And everyone from the developer to the user must play their role fully for security to be anywhere near complete.
Moreover, secure web security is not achieved simply by building the systems above. As noted for each solution element, it must be accompanied by continuous management that identifies and remedies the current security status.