When I ask people what steps they have taken to secure their infrastructure, I get the usual answers.
"We keep our servers up to date with the latest security patches."
"We have implemented a defense-in-depth network architecture with firewalls, intrusion detection systems, and installed the latest security appliances."
"Our employees are regularly trained on proper security procedures."
While all these answers are valid and should be part of any security program, one answer I rarely hear is "We regularly perform security assessments of our web applications."
Throughout the '90s and early 2000s, most security technologies and threats were based at the network and operating system levels. Best security practices focused on operating system patch levels, strong network design, and network-based security products like firewalls. Now that most companies have security protection around these areas in place, attackers are turning to other avenues of attack, including web applications. The phrase "web application" can encompass a lot of things, including your corporate web site, web-based email, intranet portal, or e-commerce sites. Any of these applications can create significant holes in your security defenses.
Web applications are often developed very quickly and with little consideration of security. This can result in some serious security holes, since many web applications are connected to critical backend databases. Almost weekly, I learn of a new and clever attack against web applications. Some of these attacks are very subtle and require careful design to protect against. Are your developers staying current with the latest threats and vulnerabilities? An excellent source of information on the latest threats and security guidelines is the Open Web Application Security Project (OWASP, www.owasp.org). OWASP is a worldwide community dedicated to application security. One of its most valuable features is its Top 10 list of the most serious web application vulnerabilities. This list provides a glimpse of the current attack trends and targets. I would encourage you to make sure your developers are familiar with this resource and have addressed all 10 issues in your web applications.
True Digital Security is well positioned to help you in this ever evolving battle. Please don't hesitate to give us a call if you have any questions or would like to learn more.