The Web server applications used to conduct business transactions online can pose some of the largest threats to an organization's computer assets. Many systems are compromised through security and programming weaknesses in Web applications, known as application vulnerabilities.
Application vulnerabilities are weaknesses that arise from the way one or more application components are built and combined, including in-house custom programming, databases and Web pages.
Because they depend on that particular combination, vulnerabilities are unique to each system and can shift with each change to any system component.
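To make that definition concrete, here is an added example (it is not from the article or from Schneider Downs). It combines the three components the text names, a Web page login field, custom code and a database, first by pasting the field's value into the SQL text, then with a bound parameter. The user table, its two rows, the function names and the crafted input are all constructed for this illustration; passwords are stored in plain text only to keep the example short.

```python
"""
Added illustration, not code from the original article: an application
vulnerability that exists only at the seam between a Web form, custom
query-building code and a database. The table, rows and inputs below are
constructed for the example; real systems must hash passwords, not store them.
"""
import sqlite3


def make_db():
    """Create an in-memory user table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Custom code that concatenates Web form values into the SQL text.

    Neither component is wrong on its own: the page just collects two
    strings and the database just runs the statement it is given. The
    weakness is created by how they are joined.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, username, password):
    """Same check with bound parameters: input is data, never SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Run both versions against a valid password and a crafted one."""
    conn = make_db()
    # Crafted form input (constructed for the example). In the concatenated
    # query it yields  ... AND password = '' OR '1'='1'  which is true for
    # every row because AND binds tighter than OR.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_crafted": login_vulnerable(conn, "alice", crafted),
        "fixed_valid": login_fixed(conn, "alice", "correct horse"),
        "fixed_crafted": login_fixed(conn, "alice", crafted),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'login accepted' if accepted else 'login rejected'}")
```

Running the block shows the concatenated version accepting the crafted value without any password at all, while the parameterized version rejects it; nothing about the database or the Web page changed between the two, only the line of custom code that joins them.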
In a successful compromise, the attacker gains access to private information such as bank account and credit card numbers or customer data. Growth in such compromises can be traced to:
- Reduced requirements for Web-hacking tools. Successful attacks used to require specialized skill and access to purpose-built hacking software. Today, every desktop PC and PDA in the world has the perfect Web-hacking tool installed by default: a Web browser, which is all that is needed to submit crafted input to a Web application.
- Software development issues. Developing secure software has run counter to the business pressure that pushes vendors and IT companies to release products or custom applications quickly. Vulnerabilities can be introduced at any stage of the software development and usage lifecycle.
- Lagging understanding of threats. Seventy-five percent of today's successful attacks enter directly through Web applications. Still, corporations continue to focus on securing network functions only, leaving the applications behind them unexamined.
How can you mitigate these risks? Adopt a pre-emptive security strategy that includes vulnerability assessments, among them Web application assessments, performed by independent parties. Because vulnerabilities shift with each change to a system component, an assessment is a point-in-time view and should be repeated after significant changes rather than treated as a one-time exercise. In addition, organizations can use training to increase in-house developers' understanding and consideration of security measures throughout the development life cycle.
Source: Frank E. Dezort III, Schneider Downs