Network devices such as firewalls are designed to segregate networks, and they perform that role effectively. Because their scope of functionality is narrow, they are designed and tested in a robust way, they are equipped with attack detection mechanisms, and they are designed to fail safely. Only determined attackers with specific objectives spend the time and effort needed to attack a firewall directly.
Web applications, on the other hand, are tools for disseminating information, communicating with customers, selling goods and services, and building corporate identity and image. They are designed for dynamic aggregation of information, for linking users to databases, for interconnecting businesses, and for collecting data. As such they are the system components closest to the corporate crown jewel: information.
As companies and individuals rush to connect and disseminate information, ever more web applications are being developed quickly and with limited resources. Although everyone admits that it is important, information security is not the top priority when planning time to market for products and services. Business owners aim to minimize expenditure, and this frequently results in security risks being accepted, or simply not being examined at all.
Managing information security risk is a cost of doing business. Moreover, that cost is often hidden and its impact is hard to measure. Data owners simply want to share and monetize their data. They are not motivated to think through the what-ifs in security terms unless laws and regulations force them to, so they end up building beautifully designed web applications that attract a mass audience and are rich with features that track and collect massive amounts of marketing data, helping companies understand consumer demand.
Web applications help visitors find information on products, services and special offers, compare product features and prices, check feedback from other customers, make purchases with different payment options, and track delivery of their packages. Users can do all of that from any device, anywhere in the world. So can attackers in search of riches and weaknesses.
Protecting the crown jewels
There are many possible areas where weaknesses can hide. OWASP lists the top 10 web application weaknesses and tracks how they evolve over time. It is no surprise that injection flaws have topped the chart for a long time. Injection flaws are weaknesses in application logic: they arise when untrusted input is mixed into a command that an interpreter (a SQL database, an operating system shell, an LDAP directory) then executes, so that data supplied by the user is parsed as part of the command. They are the result of an inability to anticipate everything a user might enter when submitting or searching for data.
There are, of course, secure coding methods that provide best practices for mitigating such risks, but they require skill and time to implement. Moreover, with every change to the underlying business process comes a change in the business logic that requires re-testing. Automated scanners make repeated testing easier, but they cannot reason about the application's business logic; for that, human intelligence is indispensable. Code analysis can help identify possibly vulnerable areas. Ethical hacking can then verify that a vulnerability actually exists and how difficult an injection is to exploit in practice.
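The two preceding paragraphs describe injection flaws and the secure-coding practice that mitigates them. The following is an added example, not code from the article or from OWASP, showing a SQL login check written the vulnerable way (user input concatenated into the SQL text) beside the hardened way (a parameterised query, the standard secure-coding remedy). The table, the users, the passwords and the attacker's input are all constructed for the demo and are hypothetical; storing passwords in plaintext is a simplification for illustration only and must never be done in a real system.

```python
import sqlite3

# Constructed sample data for this demo only (hypothetical users; a real
# system stores password hashes, never plaintext).
USERS = [
    ("alice", "s3cret", "customer"),
    ("bob", "hunter2", "admin"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: the caller's strings are spliced into the SQL
    text, so the database cannot distinguish the query from the data and
    will parse quotes, comment markers and operators inside the input."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, username, password):
    """Parameterised query: the SQL text is fixed at development time and the
    values travel separately as bound parameters, so they are never parsed
    as SQL whatever characters they contain."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run one legitimate login and two classic injection attempts through
    both versions and return the results for comparison."""
    conn = make_db()
    # Attacker input 1: closes the string literal and comments out the
    # password check, logging in as 'bob' without knowing his password.
    comment_out = "bob' --"
    # Attacker input 2: always-true clause that matches every row.
    always_true = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_hardened": login_hardened(conn, "alice", "s3cret"),
        "comment_vulnerable": login_vulnerable(conn, comment_out, "anything"),
        "comment_hardened": login_hardened(conn, comment_out, "anything"),
        "tautology_vulnerable": login_vulnerable(conn, always_true, always_true),
        "tautology_hardened": login_hardened(conn, always_true, always_true),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

Running the block shows the vulnerable function returning the admin row for `bob' --` and every row for the tautology, while the hardened function returns nothing for either attack and the correct single row for the legitimate credentials. The fix is not input filtering but keeping code and data separate, which is why the parameterised form survives any input the attacker can think of.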