WebApp Sec mailing list archives
Re: ISA Server and SQL Injection
From: Paul Johnston <paul () westpoint ltd uk>
Date: Thu, 03 Mar 2005 11:24:12 +0000
Stephen,
You make some interesting points and I don't disagree with any of your
principles.
I'm going to talk about a web application project I was recently
involved in, and why I feel an app firewall was a good choice.
There were two developers (including myself) involved in the project,
both reasonably versed in security issues. All code written was reviewed
and tested by the other developer. We did not get source code externally
audited because that was too expensive (maybe we didn't go to the right
consultants). We did get a penetration test of the complete system by a
reputable firm.
Now, we could have done the single system thing, but the risks are
significant: a single vulnerability in the TCP/IP stack, web server or
web application will lead to a complete compromise. No amount of
hardening, auditing or patch management gets around that basic fact.
So, we went for a two-tier solution. We gave much thought to the
division of responsibilities between the tiers. Ultimately having a
back-end web application with a front-end app firewall seemed the most
logical solution. The front-end is Apache/Resin and the back-end is
Python BaseHTTPServer. The front-end interprets incoming requests,
whitelist-validates all input and canonicalizes requests before passing
them to the back-end. It also provides some DoS and brute-force protection.
The back-end is your regular webapp - in principle it's plenty secure
enough to put directly on the Internet.
So, having done this I think app firewalls are an important part of a
secure system. To anyone who disagrees with this, my question is: what
should we have done instead?
Regards,
Paul
> Well the point of defence in depth is to have a secure system, with
> multiple security checkpoints to ensure that a flaw in any single
> level doesn't give access to the whole system. And if we had infinite
> budgets I'm sure we would have a wild time in the app security
> superstore, but we don't; and we have to spend the limited resources
> we have very wisely. If I had to choose between fixing the problem at
> the root, or applying a patch - I'll go for the root every time. And
> this is not necessarily just code audits, but can range from stricter
> quality assurance procedures, to developer education, peer review and
> security testing. These have longer term benefits for an organisation
> since they contribute to the wider security process rather than
> solving a specific problem.
--
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
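The two-tier layout Paul describes (a front end that whitelist-validates and canonicalizes every request before it reaches a plain back-end web application) is easy to misread as "put a proxy in front". The example below is an added illustration and is not code from the post or from Westpoint: it stands in for the Apache/Resin front end using only the Python standard library, so the back-end address (127.0.0.1:8081), the two allowed routes and the per-parameter patterns are hypothetical. The point it makes concrete is that the front end decodes exactly once, refuses anything that is not already in canonical form, accepts only listed paths and parameters, and forwards a rebuilt request rather than the bytes the client sent.

```python
"""Added example: a whitelist-validating, canonicalizing front end that
forwards only clean requests to a back-end web application.

Not code from the original post. The back-end address, the allowed routes
and the per-parameter patterns below are hypothetical."""
import http.client
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit

# Hypothetical whitelist: each allowed path lists the parameters it accepts
# and the pattern every value must match in full. Anything else is rejected.
ROUTES = {
    "/login": {"user": re.compile(r"[a-z0-9_]{1,32}"), "otp": re.compile(r"[0-9]{6}")},
    "/report": {"id": re.compile(r"[0-9]{1,10}")},
}
BACKEND = ("127.0.0.1", 8081)  # hypothetical back-end listener


class RequestRejected(Exception):
    """Raised for any request the front end will not forward."""


def canonicalize(raw_target):
    """Return (path, [(name, value), ...]) decoded exactly once, or raise."""
    parts = urlsplit(raw_target)
    if parts.scheme or parts.netloc or parts.fragment:
        raise RequestRejected("absolute-form target or fragment")
    path = unquote(parts.path)
    if "%" in path:  # a second encoding layer survived the single decode
        raise RequestRejected("double-encoded path")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        raise RequestRejected("control character in path")
    segments = path.split("/")
    # Demand the literal canonical form: no '.', '..', '//' or trailing '/'
    if segments[0] != "" or any(s in ("", ".", "..") for s in segments[1:]):
        raise RequestRejected("path not in canonical form")
    params = parse_qsl(parts.query, keep_blank_values=True)
    return path, params


def validate(raw_target):
    """Whitelist-check a request target and return its canonical rebuild."""
    path, params = canonicalize(raw_target)
    rules = ROUTES.get(path)
    if rules is None:
        raise RequestRejected("path not whitelisted")
    seen = {}
    for name, value in params:
        if name in seen:  # refuse HTTP parameter pollution outright
            raise RequestRejected("duplicate parameter")
        pattern = rules.get(name)
        if pattern is None:
            raise RequestRejected("parameter not whitelisted")
        if not pattern.fullmatch(value):
            raise RequestRejected("parameter value not whitelisted")
        seen[name] = value
    if set(rules) - set(seen):
        raise RequestRejected("required parameter missing")
    # Rebuild rather than relay the raw bytes: sorted, re-encoded, nothing extra
    return path + ("?" + urlencode(sorted(seen.items())) if seen else "")


def screen(raw_target):
    """(True, canonical target) if forwardable, else (False, reason)."""
    try:
        return True, validate(raw_target)
    except RequestRejected as exc:
        return False, str(exc)


class FrontEndHandler(BaseHTTPRequestHandler):
    """Forwards GET requests that pass screen(); other methods get 501."""

    def do_GET(self):
        ok, result = screen(self.path)
        if not ok:
            self.log_message("rejected %r: %s", self.path, result)
            self.send_error(400, "Bad Request")  # reason stays in the log only
            return
        conn = http.client.HTTPConnection(*BACKEND, timeout=5)
        conn.request("GET", result, headers={"X-Forwarded-For": self.client_address[0]})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        self.send_response(resp.status)
        self.send_header("Content-Type", resp.getheader("Content-Type", "text/plain"))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), FrontEndHandler).serve_forever()
```

Run it as-is to listen on 127.0.0.1:8080 with a back end on 8081, or call `screen()` directly: `/report?id=42` is forwarded unchanged, `/report?id=42%27%20OR%201=1` fails the digit-only pattern, `/x/../login?...` is refused before any route lookup because the path is not in canonical form, and `/login%252f` is refused because a second encoding layer is still present after one decode. The back end never sees a request shape it was not written for, which is the whole reason the post can say it is "plenty secure enough" to stand on its own.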