Looking past layer 7

When it comes to Web security why is it we always seem to focus on layer 7 only? Sure, it can be argued that XSS, SQL injection, flawed application logic and so on are the big deal items in any given Web system. But who said the underlying server and network components – the foundation of the system – aren’t a big deal? Apparently someone did because all we seem to hear about – especially related to PCI DSS – is “scan the app”. When the app turns up clean, then all’s well in Web land. Not hardly.

Ignoring the servers and network devices that Web applications depend on is like a home inspector reviewing the fascia, roof, bathrooms, and electrical wiring of a home and nothing more. But what about the foundation and the framing? Even the doors, the windows, and the flooring need attention. Just because a house looks good, everything powers on, and the water runs doesn’t mean there aren’t some fundamental issues with the foundation, the frame, the flooring, and so on that can create or facilitate major problems down the road.

Be it a house or a Web system, no stone must be left unturned. But stones do get left unturned in Web systems if you only look at HTTP/HTTPS on ports 80 and 443. If you’re going to get a true view of where your complete Web system stands and how it can hold up to security threats you absolutely positively have to look beyond the URL.

Take, for instance, Acunetix Web Vulnerability Scanner and its server-side scanning. It not only uncovers security flaws at the Web app/Web services level but can also point out network and server issues such as open ports, running services, weak configurations, and so on. When you dig in deeper using tools like this you often find out much more about the OS, third-party applications, and even the firewall that you wouldn’t have known otherwise. These are things you need to know about in your Web environment. In my penetration testing and vulnerability assessment work I’ve found weaknesses that facilitated remote command prompts, denial of service, and other serious exploits which created risks that hardly any business could afford to accept.

It’s true that it’s tough to find every flaw in every system. There are just too many variables and complexities. Likewise, you may never have a true all-in-one solution for finding every vulnerability at every layer in your Web environment. Each vendor has their own focus and strengths. The important thing is to know that you have dig in deeper. Just because you’ve scanned the application layer doesn’t mean you’ve done enough. The only way you’ll know for sure – and the only way you can remediate the issues that matter – is to look at all the pieces of the puzzle.

Share this post
  • actually it’s strange you should bring it up, i’ve never seen a shop that focused only on the application layer as part of their security analysis

  • Sadly, I see it all the time – especially with people who don’t know what they want/need and end up doing an RFP for layer 7 only.

  • layer 3 and 7 are just as equally important in general.

    take a look at the multiple unfixed NASA.gov vulnerabilities currently posted pinoysecurity. study the live exploits and you will understand the real deal when its comes to real world security threats.

  • Leave a Reply

    Your email address will not be published.