3 Tiers and OWASP (Open Web Application Security Project)

Cybersecurity is the hottest topic of the month. With the latest hacking news surrounding Sony, all the attention has been placed upon North Korean hackers and cyber-attacks! With Obama declaring this incident as an act of terrorism to the chaos over the opening of The Interview, it’s time to take this matter into our hands and learn about web security!

Various Tiers

owasp tiers

Today, we are going to talk about how servers can be organized in various forms or tiers and how this relates to OWASP or the Open Web Application Security Project. We recently taught you about the Application Layer and how it is primarily used as a form of communication. In overall application security, there is a way to tier the way your servers are set up. Servers can be constructed with different layers: 1-Tier, 2-Tier, and 3-Tier. Let’s quickly dive into what each tier does.

Tier 1

Tier 1 is one uplink per server. This tier is represented by a server within a web server, OR a server within a web application server, OR a server within a database server. It can be diverse in where it is located.

Tier 2

Tier 2 is a web server AND another server composed of a web application server and a database server.

Tier 3

Tier 3 is when all three tiers are separated onto different servers. In terms of security levels, 3-tier provides the most protection, then 2-tier, then 1-tier, respectively.

How Does This Tie to OWASP

security weaknessOWASP (Open Web Application Security Project) provides global security standards through its Application Security Verification Standard (ASVS) that can help you assess how good a security product is for consumers and how to develop a better product for engineers. Every three years, OWASP publishes its top 10 list of security vulnerabilities. The tiered architecture that was described above is the various levels that the top 10 list of vulnerabilities looks to target. For instance, OWASP’s 2013 top 10 security weaknesses are the following:

  • A1 – Injection
  • A2 – Broken Authentication & Session Management
  • A3 – Cross-Site Scripting (XSS)
  • A4 – Insecure Direct Object References
  • A5 – Security Misconfiguration
  • A6 – Sensitive Data Exposure
  • A7 – Missing Function Level Access Control
  • A8 – Cross-Site Request Forgery (CSRF)
  • A9 – Using Components with Known Vulnerabilities
  • A10 – Unvalidated Redirects and Forwards

Just as a note, item A7 on the 2010 OWASP Top 10 List became merged with Item A6 on the 2013 list. These web attacks really look to disrupt server communication on the three tiers level, which exposes you and your system to varying levels of intrusion. 

Free tools are available online to help assess your security weaknesses. Cloudbric can also help you protect against the top 10 OWASP threats with its cloud-based web application firewall. All you have to do is register your website on the domain, and it’s totally free! Happy holidays and safe surfing!