CRITICAL NEWS FOR EXECUTIVES
Vaclav Vincalek, Senior Correspondent
Make no mistake, web application vulnerabilities pose a serious threat to
your business.
Firewalls and other perimeter security measures have been the prime focus
for most organizations in their efforts to protect their systems from outside
attackers. In recent years, the effectiveness of these measures has improved considerably,
making them harder to infiltrate. In the meantime, web-based applications are
growing exponentially as more companies move their business processes
online. These are now the target of choice for hackers as
they are proving to be a viable (and easy) means for gaining access to back-end
systems and sensitive data.
The appeal of web applications is in
the quality of the code — or rather, the lack thereof.
Application-level vulnerabilities are rarely tested for or even considered
during development, especially in custom-built solutions. Hackers also know
it is difficult to monitor unscrupulous
activities at the application level.
What may look like a typical user engaging
in normal activity according to your firewall may in fact be a hacker making
repeated attempts to gain access to your systems through your website.
Typically these attacks go unnoticed until a breach
actually occurs and information is stolen or compromised.
Currently, most organizations with
public-facing websites or applications make no effort whatsoever
to manage these risks.
Most business managers are not even aware of them, or simply assume
that a good firewall is all that is needed.
Common attacks include website defacement, identity theft, data theft,
and application shutdown.
A breach is not only a potential embarrassment;
the consequences are often far more costly: loss of revenue,
loss of intellectual property, failed compliance, devalued brand, loss of consumer
confidence, and more.
Hackers can also use your site to launch attacks against your customers. Malicious
code can be planted on your site and used to attack
every visitor to your site via browser-based exploits. Neither you nor your
customers will even know it's there.
Currently, the retail industry is leading the way in web application vulnerability
testing. This is directly attributable to the PCI
compliance standards recently introduced for organizations processing credit
card transactions. Non-compliance results in a hefty fine or the potential loss
of credit processing privileges.
The bottom line is that any organization with a web presence should include penetration
testing and code analysis of web applications as part of its overall
security strategy.
For more information visit pcis.com.
Vaclav Vincalek is president of PCIS, a Vancouver-based company that provides infrastructure and technology solutions to clients throughout North America.
"PCIS worked with us to identify the risks our web applications posed to our network and helped us fix them."
- Kevin Young
DataCorp Inc.