Tuesday 14 October 2014

Application Security: Have you plugged the risks in your plug-ins?

Like all competitive businesses, application developers and operations teams are constantly under pressure to move applications into the production environment quickly. Everybody wants their application security efforts to be effective, but only if they do not unduly impede workflow, impact timelines or drive up costs. It is extremely difficult to balance these potentially competing objectives.

When web applications are breached, enormous amounts of sensitive business data can be lost. According to Verizon’s 2014 Data Breach Investigations Report, web application attacks more than doubled in 2013 to become the number one cause of security incidents. These attacks can occur at organizations of all sizes and levels of IT sophistication, and can affect tremendous amounts of data. Web applications are popular targets because they are accessible to almost anybody in the world, they are a conduit to an enormous amount of valuable data, and they are commonly riddled with weaknesses. The financial impact of such exploits is substantial. According to the Ponemon Institute’s 2013 Cost of a Data Breach Study, U.S. breaches cost $188 per record stolen, with an average total cost of $5.4 million per incident.

Fortunately, most web application attacks follow a small number of patterns. Like other application flaws, web application security defects arise during software development. Cross-Site Scripting (XSS) is one of the most widely found and dangerous vulnerabilities in web apps. XSS can have a big impact on your organization because it lets attackers deliver untrusted code to users’ web browsers under the guise of your business’s legitimate app. The script then runs in the victim’s browser, where it can hijack the session or download malware that takes full control of the system.

The second type of vulnerability is injection, which comes in many flavors, including SQL injection and command injection (inserting system commands into a form field). SQL injection attacks are among the most widely known. Attackers send malformed input to your application (for example, adding extra characters to the end of a type-in field), and that input is then passed to a database. The maliciously formatted input tricks the database into returning excess information or performing unwanted actions.
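To make both defects concrete, here is an added example (not code from the original post) using a constructed in-memory SQLite table: the query built by string concatenation returns every user when the field carries extra quote characters, the parameterized query returns none, and output encoding keeps script in a display name from running in the browser.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [(1, "alice", "alice-secret"), (2, "bob", "bob-secret")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, name):
    # The field value is spliced into the statement text, so the database
    # cannot distinguish the query from the data the user typed.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_parameterized(conn, name):
    # The value travels as a bound parameter and is always treated as data,
    # whatever characters it contains.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)

def greeting_vulnerable(display_name):
    # User-controlled text placed straight into HTML: any markup in it is
    # interpreted by the browser.
    return "<p>Hello, " + display_name + "</p>"

def greeting_escaped(display_name):
    # Output encoding: markup characters become inert entities before the
    # page reaches the browser.
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"

# Constructed "extra characters" appended to a form field, as the post describes.
TAMPERED_NAME = "nobody' OR '1'='1"
TAMPERED_HTML = "<script>alert(1)</script>"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, TAMPERED_NAME))     # every user, not only 'nobody'
    print(lookup_parameterized(db, TAMPERED_NAME))  # no match at all
    print(greeting_escaped(TAMPERED_HTML))          # entities, not a script tag
```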
Fortunately, you can combat these and other vulnerabilities by following a few straightforward best practices and employing new automated technologies.


  • Collaborative Approach: Web application security requires ongoing collaboration among the involved teams: business leaders, IT leaders, development, operations, and security groups. Demonstrable leadership backing makes it easier to put that collaboration in place and obtain the necessary resources.
  • Development Discipline: Application security cannot be implemented as an afterthought. It has to be ingrained in the development process and enforced at major milestones. Security should be explicitly considered when the technical requirements of the application are being defined, during coding, during testing, in the QA phase, and when applications are put into production.
  • Training for all Stakeholders: Secure coding is a skill unto itself that requires developer training. When developers, server admins, and others build and deploy applications, it is essential that they be aware of where security flaws can come from. Making applications resilient to attack is tough if you do not know what to look for, even if you are equipped with the right tools.
  • Threat Simulation: Before you can protect your applications, data and other IT assets, you have to understand the fundamentals behind a potential attack. In particular, it is critical to think about who might have the motive, opportunity, and means to attack.
  • Automated Testing: While many problems can be avoided by focusing on security during development, some vulnerabilities will inevitably sneak in. This is where having the right application security tools and technology makes a huge difference.
  • Changes to Applications: In an ideal world, applications would always be perfectly secure; realistically, bugs happen or changes are requested, and that is when vulnerabilities inevitably appear. Fixing and deploying changes to applications takes time, and security considerations are often not kept in mind. This needs to change: application changes must follow the regular development process, with the same security checks as the original release.

