Thursday 6 September 2007

Web App Sec: With Great Power comes Great Responsibility

Thanks to the explosion of Web 2.0, companies have more power than ever on the Internet, but with great power comes great responsibility. Trends show hackers are increasingly targeting web applications, simply because they are easier to hack and the rewards are greater than those of traditional hacking, such as writing viruses. Companies often get the network security level right, with proper DMZs and firewall configuration, but this is merely the foundation of web application security and in reality offers very little protection against application-level attacks.

The security of a web application starts with the developers, especially if you code in house. Web application security training for developers is absolutely key, and the use of development quality assurance tools like SPI Dynamics WebInspect and Watchfire’s AppScan in the development cycle also plays a vital role. Sure, these tools cost money, but you are paying for the vendors to constantly update them, since they have to keep up with the latest exploits as web application vulnerabilities crop up on a daily basis. QA tools not only help ensure secure application development but are also an extremely useful aid in developing coders’ web app security awareness and knowledge, ensuring that future web application development is properly project planned (and correctly budgeted) and coded securely in the first instance.

Finally, once you have your web application up and running, you should ensure the website is vulnerability scanned on a daily basis, followed by periodic full-scale penetration tests, to ensure the web application stays secure.

Simply put, providing secure web applications costs money, and it is unfortunate that a lot of businesses want to have their web app cake and eat it as cheaply as possible. Away from costs, some businesses simply don’t have the security know-how to do it correctly (the “but we have a firewall” mentality), or they just don’t have the drive to ensure their web applications are secure (the old “it will never happen to us” mentality). These are precisely the reasons why the trend of successful hacking of the new generation of web applications will continue to increase.
