Make Security Your New Year’s Resolution
2020 has been a tough year for many, including anyone using this extremely popular infrastructure-monitoring software. You may be wondering what you can do as a software developer to secure your web application on Azure. Well, good news! I have five easy suggestions for you to implement to take your security to the next level. Better yet, you can implement them right now.
The Azure Web Application Firewall (WAF) from Microsoft is ridiculously simple to deploy (single-click), offers protection against the Open Web Application Security Project (OWASP) Top Ten vulnerability categories, and allows customized rules to meet any security requirements for your applications.
Here are some of the best benefits and features the WAF offers:
SQL injection attacks occur when untrusted input, such as a value typed into a user interface, is concatenated into a SQL statement. These attacks can do all sorts of exciting things to your database, from CRUD operations to admin operations on the database itself.
Here’s an example of how this may show up in a codebase:
At first glance, this may seem relatively benign. But that last part—where the userName parameter is concatenated to the command text—is a giant security red flag. Since SQL will execute the statement exactly as assembled, an attacker could append further SQL commands to update an account balance, delete records, or return more data from the database than intended, including sensitive data.
Plenty of examples are available on the internet of the different ways this vulnerability can unfold. But what matters most is how to defend against it. This, it turns out, is simple: use parameterized queries. Here’s how our original example would look, updated to use a parameter:
What happens at this point is if an attacker decided to send in this value:
SQL will treat that value as a single literal string, match nothing, and return no rows, whereas the concatenated version above would return every account balance in the database.
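The page’s own C# examples are not present in this copy, so here is an added example (not the original post’s code) that shows the same contrast in Python against a constructed in-memory SQLite table: the concatenated query returns every balance when given an injected value, the parameterized query returns nothing.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the post's account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts (UserName TEXT, Balance REAL)")
    conn.executemany(
        "INSERT INTO Accounts VALUES (?, ?)",
        [("alice", 120.50), ("bob", 75.00), ("carol", 9001.00)],
    )
    return conn


def balance_vulnerable(conn, user_name):
    # Concatenation, as in the post's first example: the input becomes part of the SQL.
    sql = "SELECT Balance FROM Accounts WHERE UserName = '" + user_name + "'"
    return [row[0] for row in conn.execute(sql)]


def balance_parameterized(conn, user_name):
    # Placeholder: the driver sends the value separately, so it is compared literally.
    sql = "SELECT Balance FROM Accounts WHERE UserName = ?"
    return [row[0] for row in conn.execute(sql, (user_name,))]


# Constructed input of the kind the text describes: it closes the string literal
# and adds an always-true condition, which only the concatenated query honours.
INJECTED_VALUE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", balance_vulnerable(db, INJECTED_VALUE))   # all three balances
    print("parameterized:", balance_parameterized(db, INJECTED_VALUE))  # []
```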
Chances are, if you have an SQL Database in Azure, you have whitelisted IP addresses to allow direct database access via SSMS. Now is a great time to review your whitelisted IPs and remove any you don’t recognize. You can take this one step further and add a change-control process that reviews the whitelist every X days.
Review your web applications’ HTTPS and TLS settings. There’s no reason not to have them set to HTTPS-only with a minimum TLS version of 1.2. Review these settings for all your web applications and enable them.
FTP deployment access is enabled by default when creating a web application on Azure. Another small but effective security improvement can be gained by disabling it if no one needs access. If your developers are publishing web applications to Azure via Visual Studio, then change this to FTPS and look into implementing a CI/CD pipeline to eliminate manual deployments. Finally, if you need help with CI/CD implementations, Anexinet has the in-house expertise to assist you. Please don’t hesitate to reach out to us with any questions. We’d love to help you get started.
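To make the HTTPS-only, minimum-TLS and FTP reviews above repeatable across many web apps, here is an added audit script (not from the original post). It works on a constructed JSON sample; the field names `httpsOnly`, `minTlsVersion` and `ftpsState` are assumed to match what `az webapp show` and `az webapp config show` return, so check them against your own CLI output.

```python
import json

# Constructed sample standing in for per-app JSON gathered from the Azure CLI
# (assumed fields: httpsOnly from `az webapp show`, minTlsVersion and ftpsState
# from `az webapp config show`). Not taken from the post.
SAMPLE_APPS = json.dumps([
    {"name": "billing-api", "httpsOnly": True, "minTlsVersion": "1.2", "ftpsState": "Disabled"},
    {"name": "legacy-portal", "httpsOnly": False, "minTlsVersion": "1.0", "ftpsState": "AllAllowed"},
    {"name": "vs-published", "httpsOnly": True, "minTlsVersion": "1.2", "ftpsState": "FtpsOnly"},
])


def tls_ok(version):
    """True when the configured minimum TLS version is 1.2 or newer."""
    major, minor = (int(part) for part in version.split("."))
    return (major, minor) >= (1, 2)


def audit(apps_json):
    """Return {app name: [findings]} for every app missing one of the post's settings."""
    findings = {}
    for app in json.loads(apps_json):
        issues = []
        if not app.get("httpsOnly"):
            issues.append("HTTPS-only is off")
        tls = app.get("minTlsVersion", "1.0")
        if not tls_ok(tls):
            issues.append(f"minimum TLS is {tls} (want 1.2)")
        ftps = app.get("ftpsState", "AllAllowed")
        if ftps == "AllAllowed":
            issues.append("plain FTP deployment is allowed (disable, or FTPS at most)")
        elif ftps == "FtpsOnly":
            issues.append("FTPS still enabled; disable once CI/CD replaces manual publishing")
        if issues:
            findings[app["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_APPS).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```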