Introduction


Today, Internet security comprises four elements:

1) anti-virus protection at the desktop
2) data encryption and authentication for transport
3) firewalls and advanced routers for network-layer security
4) manual patching for application-layer security


Encryption and virtual private networks, using protocols such as SSL, provide security for data travelling over the public Internet. Firewalls prevent unauthorized network-level access to the server systems on which e-Business applications reside. The reality is, neither firewalls nor encryption schemes like SSL protect the web application itself. Web application-level security ensures that online applications can only be used the way they were intended by the developer. Any attempt at manipulating them is directly blocked, preventing the unauthorized use of an e-Business’ resources or customer information by hackers attempting to gain access to the online network directly through the application itself.

Traditional approaches require developers to address security issues at each stage of the development cycle – design, implementation, testing and deployment. This is a very costly and time-consuming process. The approach requires that someone reviews the code line-by-line and has the capacity to imagine potential security loopholes. With the constant growth of web applications, the enormous explosion of new software code in these applications, and the constant need to implement patches, protecting these online applications by manually patching or upgrading will fail, sooner or later.


What is Web Perversion?


Web Perversion is what hackers do when they reach right through the Web to turn the site's applications against you. It's how they can steal digital property, from sensitive customer data to confidential corporate information. It's why they can even shut down the site, or alter prices to buy goods or services for nothing. Most shocking of all, to pervert applications, a hacker needs nothing more than a tiny hole in the code, a web browser and a little determination.


AppShield Overview


AppShield automatically secures e-Business applications on the fly. As HTML pages are sent from a web server to a browser, AppShield protects the application from hacking attempts using patent-pending technologies, the Policy Recognition Engine and Adaptive Reduction Technology. The Policy Recognition Engine in AppShield automatically identifies and remembers all of the acceptable responses defined in the HTML page by the page developer, while the Adaptive Reduction Technology enforces that policy on the requests when they return from the web browser to the server. Only legitimate requests – as defined in the security policy – pass through. Since these technologies operate automatically, AppShield does not require customization for the different HTML content produced by each application, nor does it require upgrades every time a new bug is discovered in a third-party application.


AppShield provides these high-level security benefits at the web application level:


AppShield also improves the process in the e-Business application cycle:


AppShield acts as a proxy between your web server and load balancer or firewall. As such it can reside either on the server itself or as a standalone box.


AppShield Architecture


When a user starts an application session by directing his browser to an e-Business site, AppShield first verifies that the page accessed is indeed a legal Start URL to the site, a previously bookmarked page, or a signed URL.

Once a session is established, AppShield analyzes each HTML page that belongs to that session as it is being forwarded to the browser. The patent-pending Policy Recognition Engine examines the page, looking for information such as CGI parameters, hidden field values, drop-down menu values, and maximum size of expected text fields. Based upon this run-time analysis, AppShield automatically determines the security policy of the application. As the web server generates more pages, AppShield generates or adjusts the security policy for the session.

AppShield secures not only HTML content, but also client-side logic (such as JavaScript, VBScript, or any other programming language). Extending the security to client-side logic is done using the Policy Refinement Rules mechanism. This mechanism allows the definition of rules that tell AppShield how to handle requests that are generated or modified by a program such as JavaScript on the client. For example, if the application employs JavaScript code that pre-loads or animates GIFs taken from directory /images/, AppShield can be instructed using a single rule to allow all requests of the form /images/<legal_filename>.GIF. Other rules can be used to inform AppShield about operations such as hidden fields or cookies that may be manipulated by a programming language on the client.
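As an added illustration of the run-time policy derivation and refinement rules described above (this is not AppShield's own code; the checkout page, its field names and the /images/ rule are constructed for the example), the following derives an allow-list from a served form and then checks returning requests against it:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
# Constructed sample page: a checkout form whose price lives in a hidden field.
SAMPLE_HTML = """<form action="/cgi-bin/buy">
<input type="hidden" name="price" value="49.95">
<select name="qty"><option value="1">1</option><option value="2">2</option></select>
<input type="text" name="coupon" maxlength="8"></form>"""
# Policy Refinement Rule for requests that client-side script generates itself.
REFINEMENT_RULES = [re.compile(r"^/images/[\w-]+\.gif$", re.IGNORECASE)]

class PolicyRecognizer(HTMLParser):
    """Form actions become legal paths; hidden/select values fixed allow-lists; text inputs a max length."""
    def __init__(self):
        super().__init__()
        self.paths, self.fields, self._select = set(), {}, None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.paths.add(a["action"])
        elif tag == "input" and a.get("name"):
            if a.get("type", "text") == "hidden":
                self.fields[a["name"]] = {"values": {a.get("value", "")}}
            else:
                self.fields[a["name"]] = {"maxlen": int(a.get("maxlength", 256))}
        elif tag == "select" and a.get("name"):
            self._select = a["name"]
            self.fields[self._select] = {"values": set()}
        elif tag == "option" and self._select and a.get("value") is not None:
            self.fields[self._select]["values"].add(a["value"])
def learn_policy(html):
    p = PolicyRecognizer()
    p.feed(html)
    return {"paths": p.paths, "fields": p.fields}
def request_allowed(policy, url):
    """Positive check of a returning request: unknown paths or parameters, altered fixed values and oversized text are rejected."""
    parsed = urlparse(url)
    if any(r.match(parsed.path) for r in REFINEMENT_RULES):
        return True
    if parsed.path not in policy["paths"]:
        return False   # not a form target the page offered
    for name, vals in parse_qs(parsed.query, keep_blank_values=True).items():
        rule = policy["fields"].get(name)
        if rule is None:
            return False   # parameter the page never defined
        if "values" in rule and any(v not in rule["values"] for v in vals):
            return False   # hidden-field or drop-down value was altered
        if "maxlen" in rule and any(len(v) > rule["maxlen"] for v in vals):
            return False   # text field exceeds the page's maxlength
    return True
```

Only the query parameters and form targets of one page are modelled here; a real deployment would also learn links and track this policy per session.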


Conclusion


AppShield provides a secured environment for applications through verification methods that assert that the application protocols are correct, so that the application is used the way it was designed. AppShield ensures that users follow the application logic, so applications protected with AppShield do not need to be built to cope with application hacking. AppShield security is implemented without impeding web applications, effectively allowing customers to access applications to their fullest extent without allowing anyone to pervert them beyond their design scope, and thus keeping the site safe and secure.