Why Web Application Security

Securing a company's web applications is today's most overlooked aspect of securing the enterprise. Attacks are on the rise, with as many as 75% of cyber attacks carried out through the web and via web applications.
Most corporations have secured their data at the network level, but have overlooked the crucial step of checking whether their web applications are vulnerable to attack.
Web applications raise several specific security concerns:

1. To deliver the service they were designed for, web applications must be online and available 24x7x365.
2. This means they are always publicly reachable and, at the network level, cannot discriminate between legitimate users and attackers: both arrive over the same port using the same browser.
3. To function properly, web applications must have direct access to the backend databases that hold sensitive information.
4. Most web applications are custom-made and rarely go through the rigorous quality assurance checks that off-the-shelf applications receive.
5. Through a lack of awareness of how these attacks work, organisations treat the web application layer as part of the network layer when it comes to security, and expect network controls such as firewalls and patching to cover it.
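Point 3 above is what makes application-layer bugs so costly: the application talks to the backend database with its own privileges, so a flaw in how it builds a query hands those privileges to whoever is on the other end of the browser. The following is an added example, not code from the original article or from any product it describes. It shows a login handler written two ways against a constructed in-memory SQLite table (the `users` table, the account `alice`, and the injection payload are all made up for the demo): once with the request parameters spliced into the SQL text, and once with bound parameters.

```python
"""Added example (not from the original article): a web login handler that
queries its backend database directly, first written with string
concatenation and then with a parameterised query. The users table,
credentials and request payloads below are all constructed for the demo."""
import sqlite3


def make_db():
    # In-memory stand-in for the sensitive backend database the article
    # describes; the single account is constructed test data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The request parameters are spliced straight into the SQL text, so
    # whatever the browser sends becomes part of the query.
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password):
    # Same query, but the values travel as bound parameters; the database
    # never interprets them as SQL, whatever characters they contain.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# A value any browser can submit in an ordinary form field (constructed).
INJECTION = "' OR '1'='1"


def demo():
    """Run both handlers with honest and hostile input; return the rows."""
    conn = make_db()
    return {
        "honest_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "attack_vuln": login_vulnerable(conn, "nobody", INJECTION),
        "honest_fixed": login_fixed(conn, "alice", "s3cret"),
        "attack_fixed": login_fixed(conn, "nobody", INJECTION),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:13s} -> {row}")
```

With the vulnerable handler the hostile password turns the WHERE clause into `... AND password = '' OR '1'='1'`, which is true for every row, so the attacker is logged in as the first user in the table (here the admin) without knowing any credential. The parameterised version returns no row for the same input. No firewall rule or operating-system patch changes this outcome; it is decided entirely by the application code.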
The Jeffrey Rubin Story

In a 2005 review published by Information Week, a prominent security expert named Jeffrey Rubin describes his experience of a successful attack on his own company's systems. The following is a citation from his article (the full reference is given at the end of this article):
"We're like most Web developers who use the Microsoft platform ... Although we try to stay up to date with patches and service packs, we realize attackers often go after application, rather than network, vulnerabilities. A colleague suggested we install a hardware firewall to prevent future attacks. Not a bad suggestion, but hardly a cure-all given that we have Ports 21, 80 and 443 and our SQL server (on a nonstandard port) wide open for development purposes. After all, we're in the business of developing dynamic Web pages, and our clients are all over the country".
Jeff's story is striking for two reasons: (a) developers, like everyone else, make mistakes despite the precautions they take to sanitize the applications they build, and (b) even as an expert he was lulled into a false sense of security by having applied the latest patches and service packs. His story is sadly not unique, and it arises from a misconception of what an organization's security infrastructure covers and of which solutions exist to help people protect their data.
Since many organizations do not monitor activity at the web application level, attackers have free rein: given even the tiniest loophole in a company's web application code, an experienced attacker can break in using nothing more than a web browser, creativity and determination. The lack of monitoring also means that attempted attacks go unnoticed, because companies react only to successful ones; they fix the problem AFTER the damage is done. Finally, most breaches are discovered months after the initial intrusion, simply because attackers do not want to leave an audit trail and take care not to.
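The attempts the paragraph above says go unnoticed are usually recorded somewhere: every request the browser sends, successful or not, lands in the web server's access log. What is missing is anyone reading that log for application-layer probes. The following is an added example, not code from the original article, of the kind of review a team could run over such a log. The four access-log lines, the client addresses and the three detection patterns are all constructed for the demo; the patterns are deliberately simple and would need tuning against real traffic.

```python
"""Added example (not from the original article): a minimal application-layer
log review that flags attack attempts in web server access logs. The log
lines and the detection patterns are constructed for the demo."""
import re
from urllib.parse import unquote

# Constructed access-log excerpt in the common log format: one legitimate
# request, then three probes that the same browser could send.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /login?user=x&pass=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1200
203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210
203.0.113.9 - - [10/Oct/2023:13:55:49 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 800
"""

# Parses client address, timestamp, method, request path and status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Each pattern is applied to the URL-decoded request path. These are
# illustrative signatures and will produce false positives on real traffic.
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(or|and)\s*'[^']*'\s*=", re.IGNORECASE),
    "path_traversal": re.compile(r"(\.\./){2,}"),
    "xss_probe": re.compile(r"<\s*script\b", re.IGNORECASE),
}


def scan_log(text):
    """Return one (ip, status, signature, decoded_path) tuple per flagged
    request, preserving log order. A request is reported once, under the
    first signature that matches it."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # malformed line; a real tool would count these too
        decoded = unquote(m["path"])  # probes usually arrive URL-encoded
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                findings.append((m["ip"], int(m["status"]), name, decoded))
                break
    return findings


if __name__ == "__main__":
    for ip, status, sig, path in scan_log(SAMPLE_LOG):
        print(f"{ip}  {status}  {sig:15s} {path}")
```

Note the 404 on the directory-traversal line: the server refused that particular request, which is exactly why a team that only looks at successful responses would never see the attempt. Reviewing the decoded request path rather than the raw one matters as well, since the payloads arrive percent-encoded and a search for a literal `../` or `<script>` in the raw log would miss all three probes.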
Systems administrators, CTOs and business people alike think of a cyber intrusion as they would a physical one: a thief in your house leaves markers, such as a broken window or a forced lock. In a web application attack there is no such physical evidence.