CRITICAL NEWS FOR IT PROFESSIONALS
Web Applications: Hidden Achilles Heel in Security
Vaclav Vincalek, Senior Correspondent
Just when you thought it was safe to go back in the water
Application-level vulnerabilities typically result from poorly or inadequately written code. Either the developer didn't know to take security into account, or didn't bother. Regardless, web application vulnerabilities are now the fastest growing threat to network security on the Internet.
Although custom-built applications are notorious for security flaws, even well-established vendor products provide new opportunities for hackers to gain access to the systems they are running on. Case in point is the recent cross-site scripting exploits uncovered in compiled Flash files. How long has Flash been around? A long time. Although the vendor made a patch available soon after the vulnerability was detected, the onus is on individual website owners to download and install the patch, and then recompile all Flash files used on their sites in order to eliminate the threat. How many Flash files do you suppose there are on the Internet?
If you're thinking your web application won't get hacked because you are a low-profile business or small organization — think again. In early 2008, an automated mass SQL injection attack compromised nearly 70,000 websites in a single attack. The attack did not target specific sites or well-known companies; it simply took a random sampling and searched for a common set of known vulnerabilities to exploit.
The Open Web Application Security Project (OWASP) publishes an annual list of the top 10 most serious web vulnerabilities. The list for 2007 is currently on their website. By the end of 2008, this list will have changed again. In other words, without modifying even a single line of code in your once secure web application, eventually a vulnerability of some kind is likely to be uncovered.
It is for this reason that companies must remain vigilant in regularly testing their web applications to ensure that systems and data remain protected. Software-as-a-service providers should take particular care, as it is not just the application data at risk, but the backend systems the applications are actually hosted on.
Penetration testing and code analysis are both effective in identifying vulnerabilities in your web-based applications. Even organizations that do not use their public-facing servers to collect or store sensitive data should be testing their sites. At the very least they run the risk of having their websites defaced, resulting in potential embarrassment, damage to their brand, or a loss of public trust. A more serious threat is the risk of malicious code being planted on the website. Suddenly every visitor or customer to the site is at risk of browser-based attacks from what they would have considered to be a known and trusted site—your website.
For more information on web application vulnerabilities, visit: www.pcis.com.
"PCIS worked with us to identify the risks our web applications posed to our network and helped us fix them."
- Kevin Young
DataCorp Inc.