Security issues in web enabled applications

Most web applications rely on encryption, firewalls, and intrusion-detection tools to protect the application and its data. These measures are essential, but they do not eliminate every threat: they guard the network and transport layers, not the logic of the application itself. As more business transactions move onto the web, applications face a growing risk of being sabotaged, or of having their data leaked, by outside parties.

  • Myth #3: Network Vulnerability Scanners Protect My Website
    Beginning in the mid-1990s with SATAN, system administrators and security professionals have used vulnerability scanners to point out well-known network security flaws, on the assumption that once every reported issue is resolved the site is secure enough to be placed on the Internet. However, vulnerability scanners neglect the custom web applications running on the web server, which usually remain full of holes. They miss the web application layer because a scanner can only match what is in its signature database, and there are no well-known signatures for code written for a single site. Statistically speaking, there are issues in just about every website, but they remain unidentified until someone looks for them. Only a small percentage of organizations run their websites on the same off-the-shelf software; most opt for custom code, so its weaknesses cannot be pre-programmed into the scanner. It is important to understand that while the average web application in use today is woefully insecure, a network vulnerability scanner is incapable of identifying flaws other than those in its signature database. An off-the-shelf scanner would likely give your website a “thumbs-up” while the site's data remains unsafe.

  • Myth #4: Web Application Vulnerabilities are the Developers’ Fault
    It is easy to blame developers for web application security failures, but that is not fair. Many factors beyond their control contribute to software insecurity. For example, source code can originate from a variety of places in addition to the in-house development team: a company might have code developed by an offshore firm and intermingled with existing code; a patch from a commercial vendor may be applied to dependent system libraries; developers may even reuse example or open source code from the web. It is never clear that the entire code base for a software project is unique, or that the combined interaction of its parts is safe and secure. Additionally, as the rush to meet deadlines intensifies, developers are often forced to take shortcuts. Multiply this interaction across tens of thousands, hundreds of thousands, or even millions of lines of intermingled code, and a security flaw in the business logic becomes likely. Realistically, software has bugs; in computing we witness this fact every day, and security vulnerabilities are nothing more than one type of bug. Training staff to develop secure code makes a marked improvement in code quality. But remember, training developers to write secure code does not mean the code they write will be secure, and for a code base of this size and churn there is no practical way to prove the software secure and bug free. What security professionals must remember is that business logic review is a key component of any web application security strategy.

  • Myth #5: Annual Web Application Security Assessments are Enough
    The high rate of change in normal website code rapidly decays the accuracy (and thus the value) of last week’s security report, and last year’s is useless. While it is responsible, and often required, to have yearly security assessments performed on a website, the typical web application life cycle calls for far more frequent review. Each new revision of a web application that is developed and pushed adds the potential for new security issues. Holidays are a particularly significant time for website updates: Valentine’s or Christmas specials, for example, are backed by new web code for the various promotions. New features are hurriedly implemented before and after the deadline hits, regardless of any security issues left outstanding. If the business does not publish functioning code there is a financial loss, so getting the code up and running always takes precedence. This is why continuous security assessment of the website is imperative: it catches these flaws as they are introduced.
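As an added example (not part of the original article, nor WhiteHat Security's code), the following Python shows the kind of business-logic flaw that Myths #3 and #4 describe: a custom checkout handler for which no network vulnerability scanner can carry a signature, beside a hardened version of the same handler. The catalogue, SKUs, prices and cart payloads are constructed for illustration; a real handler would be wired to a web framework and a database.

```python
"""Added example, not from the original article: a business-logic flaw in a
custom checkout handler, beside a hardened version.  The catalogue, SKUs,
prices and cart payloads below are constructed for illustration."""
from decimal import Decimal

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {
    "SKU-100": Decimal("19.99"),
    "SKU-200": Decimal("249.00"),
}


def total_vulnerable(cart):
    """Trusts every field of the client-supplied cart.

    Two logic flaws that a signature-based network scanner cannot see,
    because nothing about them is 'well known' outside this code base:
      * the client chooses the unit price;
      * a negative quantity turns a purchase into a refund.
    """
    total = Decimal("0")
    for line in cart:
        total += Decimal(str(line["price"])) * line["qty"]
    return total


def total_hardened(cart):
    """Recomputes the total from server-side data and rejects bad input."""
    total = Decimal("0")
    for line in cart:
        sku = line.get("sku")
        qty = line.get("qty")
        if sku not in CATALOGUE:
            raise ValueError(f"unknown sku {sku!r}")
        # bool is a subclass of int, so exclude it explicitly.
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            raise ValueError(f"invalid quantity {qty!r} for {sku}")
        # Any client-supplied price is ignored; the catalogue decides.
        total += CATALOGUE[sku] * qty
    return total


def hardened_rejects(cart):
    """True if the hardened handler refuses the cart (used for checks)."""
    try:
        total_hardened(cart)
    except ValueError:
        return True
    return False


# Constructed attack payloads: a tampered price and a negative quantity.
TAMPERED_PRICE = [{"sku": "SKU-200", "price": "0.01", "qty": 1}]
NEGATIVE_QTY = [
    {"sku": "SKU-100", "price": "19.99", "qty": 1},
    {"sku": "SKU-200", "price": "249.00", "qty": -1},
]


if __name__ == "__main__":
    for name, cart in (("tampered price", TAMPERED_PRICE),
                       ("negative quantity", NEGATIVE_QTY)):
        print(f"{name}: vulnerable total = {total_vulnerable(cart)}")
        if hardened_rejects(cart):
            print(f"{name}: hardened handler rejected the cart")
        else:
            print(f"{name}: hardened total = {total_hardened(cart)}")
```

Neither payload exploits a library, a server version or a misconfiguration, so there is nothing for a signature database to match; the flaw exists only in the relationship between what the client sends and what the code chooses to trust. That is exactly the kind of issue a business-logic review, rather than a scanner, is meant to find.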

For more information on potential risks faced by your application security and their resolution, please contact us.

*Content courtesy of WhiteHat Security