Web Application Security is an On-going Commitment due to Highly Dynamic Hacking Risks, Says Frost & Sullivan
September 2012 by High-Tech Bridge, MITRE et Online Trust Alliance (OTA)
Web applications remain the third most common attack vector overall, with hacking still on the increase, from organised criminal groups, amateurs and political activists. Complex technology, growing adoption of web 2.0 functionality and powerful features of HTML5 have enhanced the opportunity for hackers to exploit vulnerabilities. The consequences of a compromised web application can go way beyond the web server: a number of high-profile attacks with prestigious companies caused millions USD in losses. All organisations are potential victims. To protect themselves they should form long-term partnerships with reputable security companies providing individual solutions that will optimise web application security.
Frost & Sullivan’s recent White Paper (WP) discusses the growing threat to web applications putting it into its right business context. Describing the mysterious world of web applications hacking, the paper gives also an overview of the likely victims and outlines what are the solutions for organisations to protect themselves. The paper benefits from the insight and experience of leading security companies and organizations, like MITRE, High-Tech Bridge, and Online Trust Alliance (OTA), who have provided excellent support to Frost & Sullivan during the WP review.
"According to High-Tech Bridge, as many as three out of four successful network intrusions start and/or involve an unsecured web application," says Frost & Sullivan analyst, Chris Rodriguez. "By ‘network intrusion’ we mean attacks where the goal is to achieve an ongoing access." The attack becomes categorised as an advanced persistent threat (APT), which purpose is always to steal data, rather than to cause damage. APTs target organisations in sectors with high-value information, such as defence, manufacturing and finance.
The complexity of an attack and the victim’s internal architecture will determine how much damage a hacker can do. The database structure behind a website is much more important than the structure of the website itself. In almost every case, a compromised web application gives unlimited access to all the resources that the web application uses, including databases.
"Hackers frequently attack the trusted partners of their real victims," adds Rodriguez. "Web developers usually consider partners to be trusted parties and take insufficient security measures. However, organisations must be vigilant that their partners ensure the protection of their accounts against breaches and misuse."
An organisation can never be certain to have zero vulnerabilities on their website even if the utmost care is taken during development; there is no way that we can future-proof out code. Developers can only take into account vulnerabilities that are known at the time of development. "A web application can be safe today and then vulnerable tomorrow," notes Rodriguez. "That is why security is an on-going commitment."
No modern application can be made 100 per cent secure and still be 100 per cent functional and user-friendly. Layered security is a sensible approach to optimising security, by deploying intrusion detection and intrusion prevention systems (IDS/IPS) at different points of the network, even inside the corporate firewall (to mitigate the threat from insiders). A less complicated and expensive solution to monitor and filter malicious traffic to web applications is a Web Application Firewall (WAF).
"Organisations, however, should understand that it is a very precarious practice and approach for information security to rely solely on application security from any third-parties solutions, like IPS or WAF," advices Rodriguez. "The best and the most efficient approach is to assure that the application code itself is safe and does not contain any known vulnerabilities or weaknesses. This is why regular penetration testing of web applications remains vitally important, even in organisations that have deployed IPS/WAF solutions."
Hacking is highly dynamic, and new vulnerabilities are discovered as quickly as known vulnerabilities are patched. Website owners must strike the right balance between functionality, user friendliness and security. Consequently, organisations cannot achieve web application security, but they should certainly strive to optimise security.
"Developing a security-conscious culture is a step in the right direction," summarises Rodriquez. "To complete the journey, we recommend that organisations form real, long-term partnerships with stable, reputable security companies capable of providing the individual solutions that will optimise web application security."
If you would like to learn more about web application security and/or receive a complimentary White Paper on "The Growing Hacking Threat to websites: An On-going Commitment to Web Application Security", please send an email to Joanna Lewandowska, Corporate Communications, at Joanna.firstname.lastname@example.org. Please include your full contact details in the query.
The White Paper can also be viewed on Slideshare:
The Growing Hacking Threat to Websites, an Ongoing Commitment to Web Application Security from Frost & Sullivan About Frost & Sullivan
Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants.
Our "Growth Partnership" supports clients by addressing these opportunities and incorporating two key elements driving visionary innovation: The Integrated Value Proposition and The Partnership Infrastructure.
The Integrated Value Proposition provides support to our clients throughout all phases of their journey to visionary innovation including: research, analysis, strategy, vision, innovation and implementation.
The Partnership Infrastructure is entirely unique as it constructs the foundation upon which visionary innovation becomes possible. This includes our 360 degree research, comprehensive industry coverage, career best practices as well as our global footprint of more than 40 offices.
For more than 50 years, we have been developing growth strategies for the global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?