Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Glow in the dark -- how CISOs can find their way through the darkness of the web

Viktor Polic, Chief Information Security Officer at a specialized agency of the UN. | May 9, 2014
From a small sushi shop to a large enterprise, hackers are looking for access to a company’s crown jewels: data. Web vulnerabilities are an easy route to this information. Viktor Polic explores how vulnerability scanners and ethical hackers help him to understand weaknesses in web applications

data entry computer keyboard business typing computer keys 000003233994

Even my favorite small sushi shop has a website with an online ordering capability. It also has a blog with news, events, and recipes and an option to subscribe to the newsletter.

Out of curiosity I took a look at the web page source. The site is developed using Asynchronous Java and XML (AJAX), one of many free open-source AJAX scripts for web carts and blogs on the Internet. A small local web design company developed the website and the design is contemporary and minimalistic just like his sushi shop.

When considering security, the web developer could have turned to the Open Web Application Security Project (OWASP), which has published the testing guide for AJAX vulnerabilities. The guide outlines nine categories of vulnerabilities to be tested. However, that's not a simple task for the amateur web developer.

Questions spring to mind, such as has the developer tested the application for vulnerabilities? The sushi chef has installed an anti-burglar alarm and cameras in his shop. But all shops in the neighborhood have some anti-burglar systems. Burglary happens in the area and installing alarms is standard cost of doing business. Alarms and cameras in the shop cannot prevent burglary. They are deterrents. However, the local law enforcement team is tasked with preventive measures against burglary. They patrol the neighborhood, organize awareness campaigns, and collect intelligence on threats.

Cross-site scripting and SQL injections are less obvious risks for a small shop owner. Still they could lead to a breach of customers' credit card details and personal information. To be sure that his website is secure sushi chef must have it tested and implement preventive measures. But how much is he ready to spend for such a test? A CISO of a large company may be responsible for several hundred web applications. He may ask: which applications are the most critical? Does it mean that less critical applications should not be tested against vulnerabilities? How much budget is a CISO ready to allocate for web application security? How to spend that budget wisely and yet to feel secure throughout darkness of the web?

Information: The crown jewel
All components of information systems are vulnerable to exploits. However, components directly accessible from the internet are exposed to external threats and therefore are more likely to be exploited. If exploited, internal system components provide direct access to higher levels of privileges such as to databases and the file system. They are protected however by rings of security controls or what security industry calls defense in depth. Web systems are on the enterprise frontline. It is, therefore, unsurprising that other perimeter systems are less frequently exploited.


1  2  3  4  5  Next Page 

Sign up for CIO Asia eNewsletters.