One of the things that I constantly run into is that of security engineers trying to thwart web application attacks with network security equipment (such as IDS/IPS, AV signatures, etc).

A recent example regarded a SQL Injection attack on a web server. This particular entity has a very healthy multi-vendor network security perimeter, and felt that the gear in place was sufficient to both catch and stop a SQL Injection attack.

The really uncomfortable part about the whole thing was listening to the guy describe how he claimed to eventually stop it–by getting his IPS vendor to provide a “SQL Injection” signature. I was amazed….trying to deal with a Layer 7 issue using Layer 3 tools!!

This approach of course will not work (at least not for a determined hacker), what with the various encoding options, numerous ways to perform a SQL Injection attack, IPS signature evasion and the like.

The real issue at hand is how to address web application security attacks. Certainly, using a Web Application Firewall (WAF) in addition to the retro-firewall, but thats sort of like putting up an invisible dog fence to stop all dogs from crossing the line–its the wrong approach, and only deals with a portion of the issue (YOUR dog in this poorly-constructed example).

What was needed in this case was to address the issue of why a SQL Injection vulnerability was there in the first place–bad coding. User or URL-supplied input variables must be sanitized before injected into the SQL query, stored procedures used wherever possible, and -of course- DB permissions must be carefully handed out.

I rarely use the OSI model any more, but it has it’s value. Whether its real or made-up, the point is to address the security issue at the proper level. We need to start moving away from the idea that network security alone will protect our applications.

For a differing view, read RSnake’s post from way back in 2006 here. Although I agree with the viewpoint, the idea is to deal with the problem at the appropriate level. Most web attacks do occur at multiple theoretical OSI models, and -as such- require multiple defense strategies.

Perhaps we need a new model?

-Donwalrus

Having been in the infosec arena for almost 15 years now, the one thing I do know is that you can never have access to enough information. There are many of these infosec blogs out there, and many that focus on web application security (much as this one will), but this is more for personal reference, for that of my colleagues and friends.

Anyone is welcome to join and comment. This forum is intended for security consultants, engineers and managers alike who need ready access to web application security information. I will be contributing articles, code and reference information from many sources.

I trust that – over time – this site will be a valuable destination for you to keep up to date, discuss and contribute to the widening security field in web applications.

-Donwalrus