
News: Can Web app firewalls replace baked-in application security?

  1. Despite the talent and hard work of today's Java developers, enterprise Web and mobile applications may not be as secure as they should be. More than ever before, Java developers are code ninjas and mobile application magicians. Java applications running on Android phones let us take care of our banking errands, wire money, send and receive emails, make purchases, keep tabs on our investments, schedule appointments, and even help us keep fit. We can run them just about anywhere. These apps are powerful and easy to use. They connect us to the world in ways that were impossible not so long ago.

    Unfortunately, the developers that work so much power into such small devices may not be the best candidates for making sure that power stays in the right hands. According to Gartner's VP of security research, Ramon Krikken, enterprise application development could stand some improvement. He cites research from WhiteHat Security Inc. that implies it would take the banking industry (one of the most regulated and therefore best secured industries) over thirteen months to patch 90% of the flaws that exist in their applications.

    Krikken suggests mitigating security risks with a Web app firewall (WAF):

    A WAF is an appliance or server software add-on that can monitor and block traffic to and from applications. They have become common in many enterprises, especially those that must comply with the Payment Card Industry Data Security Standard (PCI DSS), which calls for either use of a WAF or frequent application code reviews.

    “I’m usually the last one to recommend – if you have a problem – throwing a piece of technology at it or putting something in front of it and filtering it, because it’s a good idea to build secure applications right from the start,” Krikken said, “but you can’t do that with all applications.”

    “I have an increasing number of customers starting to question whether putting a Web application firewall in front of an application to fix something is all that much worse than fixing the code.”

    What do you think about securing Java Web applications? Is a WAF firewall appliance or add-on security server a valid strategy? Do developers need to bake security into Web applications? Is this potentially a growth area for new Web developers? Leave us a comment to let us know what you think.


  2. I've just read The Tangled Web: A Guide to Securing Modern Applications; each chapter describes how web apps are hopelessly insecurable in the browser. Before that, I read The Basics of Hacking and Penetration Testing, which shows that hackers have won the arms race over server security. What I've learned is I could spend more time securing an app than writing it and it would still be vulnerable, and that I need a security specialist. I've started reading Apache Security and I'd like Apache httpd to be a web app firewall, but that takes specialist knowledge too; default Apache settings are far from secure.

  3. Patching vulnerabilities via a WAF is definitely a viable option. As you state, it’s just not always an option to fix the code. WAFs can be tough to configure. Many of the commercial application scanning tools are able to turn on packaged rules in the WAF and some are able to create custom rules. I’m a security engineer - I just want the code protected. It doesn’t really matter to me if it’s fixed in the code or via a WAF as long as we’re protected. I successfully used NTOSpider/NTODefend to configure ModSecurity.


  4. We agree. There are options for easily creating custom WAF and IPS rules. Our solution, NTODefend, creates custom rules quickly and easily from NTOSpider’s application scan results. It can also test the WAF to make sure that it’s not blocking good traffic. http://www.ntobjectives.com/security-software/ntodefend-automated-rule-generation/

    Larry Suto did a pretty comprehensive analysis of using web scanners to quickly configure WAFs and IPS to block web attacks, which is published here.

    Larry Suto's study - http://www.slideshare.net/lbsuto/analyzing-the-effectivess-of-web-application-firewalls


    Krikken isn’t the only Gartner analyst who agrees. Neil MacDonald from Gartner published a blog titled “Link Web Application Firewalls to Dynamic Application Security Testing Tools” - he said that using WAFs to protect applications via application security testing tools is a “no brainer.”
    Neil MacDonald's blog - http://blogs.gartner.com/neil_macdonald/2012/01/09/link-web-application-firewalls-to-dynamic-application-securitytesting-tools/

  5. Application

    Applications only control the use of resources granted to them, and not which resources are granted to them. - Tax Tiger

  6. Relying on a WAF for web application security problems is similar to throwing more hardware at performance problems. It might cure some symptoms, but it doesn't solve the root causes.

    Of course the WAF can provide some additional security - like more hardware can provide more performance. But the application should not be designed with the notion in mind that there will be a WAF. Otherwise people will start to implement security problems which a WAF cannot and should not solve, for instance missing application-specific input validation, which could lead to authorization problems or to DoS vulnerabilities.

    As the cited study says: "WAF solutions must be tuned by a trained professional." So it's not a cheap solution. Alternatively one could invest the money in some design/code principles and reviews, which might additionally help to solve some of the upcoming performance problems.

    A comment on the survey: in the banks I worked at, it never took more than a couple of days to solve severe security problems.
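    A toy illustration of the distinction drawn in the post above, added here as an example and not code from the thread or from any vendor's product: a signature-style filter in the spirit of packaged WAF rules, placed in front of an application handler that carries its own field validation and ownership check. The rule patterns, the account table and all function names are constructed for the example.

```python
import re
from typing import Optional

# Constructed toy "WAF": two signature rules in the spirit of packaged
# rulesets. They are stand-ins for illustration, not a real ruleset.
WAF_RULES = {
    "sqli": re.compile(r"['\"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "xss": re.compile(r"<\s*script|javascript:", re.I),
}

# Constructed application data: account id -> owner and balance.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 40},
}

def waf_inspect(params: dict) -> Optional[str]:
    """Return the id of the first rule any parameter value matches, else None."""
    for name, pattern in WAF_RULES.items():
        for value in params.values():
            if pattern.search(str(value)):
                return name
    return None

def view_balance_insecure(user: str, params: dict) -> int:
    """'Before' handler: trusts the account id from the request outright.
    The request is not attack-shaped, so a signature WAF has nothing to match."""
    return ACCOUNTS[params["account"]]["balance"]

def view_balance_secure(user: str, params: dict) -> int:
    """Handler with the application-specific checks a WAF cannot supply:
    a format rule for this particular field, then an ownership rule."""
    acct = params["account"]
    if not acct.isdigit():
        raise ValueError("account id must be numeric")
    if ACCOUNTS.get(acct, {}).get("owner") != user:
        raise PermissionError(f"{user} may not view account {acct}")
    return ACCOUNTS[acct]["balance"]

def handle(user: str, params: dict, handler) -> tuple:
    """Request pipeline: WAF rules first, then the application handler."""
    hit = waf_inspect(params)
    if hit:
        return ("blocked_by_waf", hit)
    try:
        return ("ok", handler(user, params))
    except ValueError:
        return ("rejected_by_app", None)
    except PermissionError:
        return ("denied_by_app", None)
```

    A request for another user's account id carries nothing signature-shaped, so the filter passes it untouched and only the handler's own ownership check refuses it; the insecure handler simply returns the other user's balance.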

  13. firewall

    Depends on the firewall and how it is protected.

  14. apps

    There is a big possibility for this because of the lack of security on the firewall.
