Web application security


by Felix Chan


The proliferation of web applications has increased the exposure of many enterprises to a variety of threats. Customer portals, online banking and e-commerce sites are increasingly being built and used to conduct business, and attacks on them are becoming more organised and more sophisticated.

In the news
A US pet food seller did not take reasonable or appropriate measures to prevent commonly known attacks by hackers. The resulting flaws allowed a hacker to access consumer records, including credit card information.

A fashion label in the US left its web site open to commonly known attacks. An attack caused the release of credit card numbers stored in the company's database.

Companies commonly assure customers that their information is protected. A breach of this kind shows that assurance to have been a misrepresentation of the security of customer information, which in the US is treated as a deceptive practice under federal law. In Hong Kong, the Monetary Authority's supervisory policy manual module TM-E-1, Supervision of E-banking, sets out its expectations for e-banking security.

Why aren't web applications secure?
Because web applications accept and act on input from remote, untrusted users, they expose vulnerabilities that attackers exploit by injecting malicious code into application inputs, brute-forcing weak authentication processes, assuming another user's identity (for example by guessing or stealing a session token), and so on.

With risks and threats like these, one would expect security to be at the top of a company's priorities. In practice, constant pressure to shorten development and deployment schedules pushes companies to focus on functionality, time to market and performance rather than on security.

A common misconception also perpetuates the problem: that firewalls, intrusion detection systems and encrypted data transmission protect web applications. They do not. A firewall must let HTTP and HTTPS traffic through to the application, an attack on the application arrives as a well-formed request on exactly those ports, and TLS encrypts the attacker's input along with everyone else's. These measures protect the network and data in transit, not the application's own handling of the input it receives.
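To make the two points above concrete (that attacks ride on application input, and that perimeter defences cannot see them), here is an added example that is not part of the original article: a login check written with string concatenation, the same check written with a parameterised query, and the form body the network would actually carry. The users table, the account "alice" and its password are constructed for the example; the SQLite in-memory database stands in for a real application database.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user in an in-memory table.

    The password is stored in clear only to keep the example short;
    a real application stores a salted hash and compares against that.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL by concatenation, so user input is parsed as SQL.

    With username  ' OR '1'='1' --  the WHERE clause becomes
        username = '' OR '1'='1' --' AND password = '...'
    and the trailing password check is commented out.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    (count,) = conn.execute(sql).fetchone()
    return count > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: input is data, never SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(sql, (username, password)).fetchone()
    return count > 0


def form_roundtrip(username: str, password: str) -> tuple[str, str, str]:
    """What the network sees: an ordinary application/x-www-form-urlencoded body.

    A firewall that forwards port 443 to the web server passes this body
    unchanged, and TLS merely hides it in transit. The application decodes
    it and receives the injection payload intact.
    """
    body = urlencode({"username": username, "password": password})
    fields = parse_qs(body)
    return body, fields["username"][0], fields["password"][0]


def demo() -> dict:
    """Run both login implementations against a legitimate user and an injection payload."""
    conn = make_db()
    payload = "' OR '1'='1' --"  # constructed injection string for the example
    body, seen_user, seen_pass = form_roundtrip(payload, "anything")
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "legit_hardened": login_hardened(conn, "alice", "correct-horse"),
        "bypass_vulnerable": login_vulnerable(conn, payload, "anything"),
        "bypass_hardened": login_hardened(conn, payload, "anything"),
        "payload_survives_transport": seen_user == payload and seen_pass == "anything",
        "wire_body": body,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The injection payload authenticates against the concatenated query without knowing any password, while the parameterised query simply looks for a user literally named `' OR '1'='1' --` and finds none. Nothing about the form body is malformed, so there is nothing for a firewall to block; the defect, and therefore the fix, is in the application's query construction.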

The need for a more secure application development and security assessment process
There is no silver bullet to solve this issue. Security must be addressed throughout the entire application development life cycle. This includes defining security as part of the functional and technical requirements. Security should be modelled as part of the analysis and design of an application. Secure coding practices must be instituted. A quality assurance team should build and execute a test plan with security as a specific target, and the application must be deployed in an environment that has been hardened for security. Once deployed, periodic security audits should be conducted.




felix.chan@gthk.com.hk
