Website security is today’s most overlooked aspect of securing the enterprise and should be a priority in any organization.
Increasingly, hackers are concentrating their efforts on web-based applications – shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the world, insecure web applications provide easy access to backend corporate databases and also allow hackers to perform illegal activities using the attacked sites.
A victim’s website can be used to launch criminal activities such as hosting phishing sites or to transfer illicit content, while abusing the website’s bandwidth and making its owner liable for these unlawful acts.
Hackers already have a wide repertoire of attacks that they regularly launch against organizations including SQL Injection, Cross Site Scripting, Directory Traversal Attacks, Parameter Manipulation (e.g., URL, Cookie, HTTP headers, web forms), Authentication Attacks, Directory Enumeration and other exploits.
Web applications – shopping carts, forms, login pages, dynamic content, and other bespoke applications – are designed to allow your website visitors to retrieve and submit dynamic content including varying levels of personal and sensitive data.
If these web applications are not secure, then your entire database of sensitive information is at serious risk. A Gartner Group study reveals that 75% of cyber-attacks target the web application layer.
Why are web applications vulnerable?
- Websites and web applications are easily available via the internet 24 hours a day, 7 days a week to customers, employees, suppliers and therefore also hackers.
- Firewalls and SSL provide no protection against attacks on the web application itself, simply because access to the website has to remain public.
- Web applications often have direct access to backend data such as customer databases.
- Most web applications are custom-made and therefore receive less testing than off-the-shelf software. Consequently, custom applications are more susceptible to attack.
- Various high-profile hacking attacks have proven that web application security remains the most critical area. If your web applications are compromised, hackers will have complete access to your backend data even though your firewall is configured correctly and your operating system and applications are patched regularly.
Network-level defenses provide no protection against web application attacks, since these are launched over port 80, which has to remain open for the business to operate normally. It is therefore imperative that you regularly and consistently audit your web applications for exploitable vulnerabilities.
Why Should Web Application Security Be Part of Your Web Risk Management Program?
There are many reasons your organization should identify and address web application security vulnerabilities as part of your web risk management program:
- Reduce Cost of Recovery and Fixes — Computer security attacks cost as much as $10 billion a year.
- Ensure Customer Trust — Trust is a key component to customer adoption and retention.
- Encourage Website Adoption — Consumers are still not adopting websites as a preferred channel for doing business. The Tower Group cited that 26 percent of customers don’t use online banking for security fears and another 6 percent do not due to privacy issues.
- Maintain Competitive Advantage — Many organizations are using trust as a key competitive advantage and are leveraging customer fears to proactively implement security and privacy programs to ease the uncertainty.
- Reduce Cost of Manual and Outsourced Security Testing — Many organizations today, especially ones in regulated industries, test security using costly manual processes that cannot address all potential website risks. Other organizations spend millions on outsourced security assessment and ethical hacking resources.