Web Application Security - Real or Imagined?

Tuesday, May 17, 2011

Bill Gerneglia

44fa7dab2a22dc03b6a1de4a35b7834a

Article by Tom Sheehan

Almost every enterprise today has one or more web applications that makes doing business with the public routine.

Informational web sites like this one are just that - they provide useful information to people who want it, by putting it on the internet.

In the case of web applications, however, tasks like interaction with customers - a banking website, for example, lets customers access their accounts and do things such as pay bills, move money around different accounts along with many other functions.

And you may take the time out to fortify your network with firewalls, intrusion prevention systems and more, customers who use your web application are rightfully accessing your network through the access you provide them. 

It is exactly this ease of access to your systems where the problems lie in wait with respect to your web applications.

Once an user accesses your databases through a web application, your control over the user's actions diminishes considerably, because a malicious user can "craft" inputs into their browser that allow them to do things other than what you want them to do. 

Security is a real concern in such a situation.

Software development today is based on quick turnaround times.  And while companies do spend a lot of time testing their web applications, that testing is predominantly functional testing, to ensure that the apps perform their designated tasks.

Unfortunately, securing those web applications is not a high priority item during testing.  Most people aren't really sure how to go about comprehensively testing web applications.  Additionally, the expense of testing web applications to make them secure.

There are a some things you can do to build in application security during the build phase of the Web Application.  For example, let your development teams incorporate security best practices into all their designs of new applications.

In the case of pre-existing applications, especially production applications that your customers are accessing right now, have a competent web application security team assess your web applications for security threats. 

Hardly any applications on the internet are highly secure, so you'll improve your customer facing security posture by doing this.

The next thing you may want to consider is looking into putting in another "firewall” in your network, this one to protect your data.  Many larger software companies currently offer such solutions (i.e. Oracle, IBM, Microsoft, etc.).

Cross-posted from CIO Zone

Possibly Related Articles:
3809
Webappsec->General
Information Security
Enterprise Security Databases Web Application Security Web Application Firewalls IDS/IPS Fuzzing
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.