Web applications (web apps) are nothing new to us. They have entered practically every important part of our lives, including our businesses. Business applications for accounting, collaboration, customer relationship Management (CRM), Enterprise Resource Management (ERP), content management, online banking, e-commerce and many more are all available on the Web. They have increased the speed and accessibility of business information for an organisation's customers, partners and employees, while at the same time cutting costs. Not only has everything moved to web apps, but those apps all host valuable, sensitive organisational data!
Cyber criminals realise this very well, and so today web apps are the most common target for attack: they are everywhere, and they provide a simple entry point to virtually any organisation's profitable data. The most commonly used attacks against web apps hosted within an organisation's local network or in private data centres are SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), OS command injection, session hijacking and buffer overflows.
A study by the Ponemon Institute in 2011 reveals that 73 percent of organisations had been hacked within a span of 24 months, precisely because of weaknesses in their web applications! The main reason for this security gap is that more than half of organisations still rely on their traditional network firewalls to protect their web apps.
As new web apps arrive, so do the vulnerabilities in them
Organisations continuously build new web-based applications to meet their particular needs. Such high demand creates a high-pressure environment for programmers, which is less than ideal, especially when it involves developing never-ending enhancements and new functionality. Without proper, secure software development practices, adding even the smallest feature or application to the web can introduce unforeseen vulnerabilities. Beyond these, logic flaws, forgotten backup files, debug code and other development- and production-related weaknesses are a constant challenge to the security of websites and other web apps in organisations.
Securing the bigger picture around Web Applications
Many web application attacks have nothing to do with developers and coding errors. Often the threat comes from the language, protocol or platform that supports the delivery of these applications, which can be termed the environment surrounding the web apps. The main reason the majority of web application attacks succeed today is that the attackers come in the same way any legitimate user would, all without violating a single RFC or W3C standard.
There can be many comprehensive solutions to such loopholes in web applications. But one simple, one-stop solution is a new breed of Web Application Firewalls, capable of protecting corporate data, meeting regulatory compliance requirements such as PCI DSS, and safeguarding an organisation's brand, reputation and customers.