Should I be worried about my web applications?

Friday, February 06, 2009

An interesting article published earlier this week on Information Week’s website, “Web Applications: Achilles’ Heel Of Corporate Security”, discusses the tremendous rise in web-application breaches and attacks this past year.

IBM’s 2008 X-Force Trend and Risk report which was released Monday states:

“Certain types of corporate applications, namely custom-built software like Web applications, remain a highly profitable and inexpensive target for criminal attackers. The sheer number of new vulnerabilities, the majority of which have no available patch, coupled with the hundreds of thousands of custom Web applications that are also vulnerable (but never subject to a vulnerability disclosure, much less a patch), continue to be the Achilles’ heel of corporate security.”

Since is currently running a poll regarding what is considered the largest security threat, and since ‘Poorly coded web applications’ is rightly on the list, I thought this a good topic for this week’s article. By the way, you can view the poll results here.

So should you be worried about your web applications, and should they be a top priority? The answers are “yes” and “maybe”. You should be worried about your organization’s web applications, but they may not be your biggest risk. In combing through the data breaches listed at the overwhelming majority of breaches are due to human error, via either incompetence or malice. Simple things like throwing sensitive hard-copy paperwork in the garbage date back to before the computing industry dominated the workforce.

What does this say about the state of affairs in many organizations in relation to their information security posture? It’s tough to say for sure, but there is certainly evidence that many organizations are simply not preparing their employees properly with regular Security Awareness Training. While working on a Social Engineering assessment for a client late last year, we found more damaging, earth-shattering information in the company’s dumpster than email phishing and other impersonation attacks. In fact, the 10 minutes it took us to go through their trash yielded 90% of the total data collected during the engagement…and this isn’t exactly an isolated incident.

So what’s my point? Basically that although web applications are certainly the current target of choice, this is not a new issue, and it won’t be solved by focusing on that specific issue alone. Rather, focusing on Information Security as a whole, from the top down, continues to be the best approach to minimizing the impact on any organization. No problem in Information Security has ever been solved by a product, a process or a policy on its own, but rather by the combination of all three and a commitment to security-minded thinking in daily operations and planning initiatives.
