The technologies that enable a rich Internet browsing experience and tap into social networks to extend an enterprise’s reach offer many potential benefits, but they can also become a dangerous weapon that enables attackers to gain access to corporate networks, according to a new white paper.
The most important first steps are to ensure organizational leadership understands the issue and the potential impact of Web application vulnerabilities and, based on that understanding, commit their support and the resources required to accomplish the task.
Companies are replacing client or client-server applications with Web applications for a variety of reasons, including the need to simplify license management, avoid operating system compatibility issues and accommodate the increasing number of remote workers. But those Web applications contain a significant number of vulnerabilities, and their exposure to external attackers should make securing them a priority for IT security pros, ISACA said.
“These two factors, combined with an ever-increasing number of threat agents, have resulted in countless cases of personal information breaches, disruption of service and theft of intellectual property,” the organization stated in its report. “These unfortunate events are costing corporations millions of dollars in fines, lost sales, customer attrition, and other associated costs, such as customer notification and credit monitoring, not to mention loss of confidence from investors and potential business partners.”
Web application risks
Web applications that enable collaboration and tie into social networks to extend a company’s reach to customers, partners and suppliers help organizations gain visibility and market share, but they also pose potential security problems. ISACA is urging enterprise CISOs to conduct a review of the company’s software development lifecycle and make incremental improvements to address common coding errors. Frameworks and methodologies such as the Building Security In Maturity Model (BSIMM), now in its third iteration, can help organizations compare their processes with the best practices of larger organizations.
“If the answer to Web application security was simply to make sure programmers know how to write secure code and then get out of the way, the problem would be fairly simple to address,” ISACA said. “However, Web applications, like any other IT resource, are part of a large, complex system and they are impacted by numerous factors, some of which have little to do with technology.”
ISACA is advocating that CISOs take a systems-based approach using the association’s Business Model for Information Security (BMIS). The model promotes getting support from senior-level executives, conducting a business impact assessment on certain Web applications, addressing training and policies, and deploying technical controls for applications containing legacy code.
The report said the most common Web application vulnerabilities continue to go unaddressed. SQL injection and cross-site scripting remain the most critical flaws and the easiest for attackers to exploit, since automated toolkits designed to quickly scour the Internet can detect these errors in Web applications. Information leakage, also a common error, happens when a Web application exposes sensitive data, mainly data about the corporate network the application is tied into. The problem is common in Web-based applications that tie into social networking sites, giving attackers information that enables them to penetrate the network.
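The two flaws the report singles out, SQL injection and cross-site scripting, both come from the same root cause: untrusted input is spliced into text that another component (the database engine, the browser) then parses as instructions. The following added example, which is not code from the ISACA report or this article, shows each vulnerable pattern beside its hardened form. The in-memory SQLite table, the user names and the greeting page are all constructed here for illustration; in the hardened versions, parameter binding keeps input out of the SQL statement and HTML escaping keeps input out of the page markup.

```python
import html
import sqlite3


def build_db():
    # Constructed sample data for the demo (not from the report).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable: the user-supplied name is concatenated into the SQL text,
    # so any quote character in the input is read as SQL syntax, not data.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    # Hardened: the name is passed as a bound parameter; the database never
    # parses it as part of the statement, whatever characters it contains.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting_unsafe(name):
    # Vulnerable: untrusted text is concatenated into HTML, so markup in the
    # input becomes markup in the rendered page (cross-site scripting).
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # Hardened: escape HTML metacharacters so the browser displays the text
    # literally instead of interpreting it as elements or attributes.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    # Runs both variants against the same inputs and reports what happened.
    conn = build_db()
    results = {"safe_quote": lookup_safe(conn, "O'Brien")}
    try:
        lookup_unsafe(conn, "O'Brien")
        results["unsafe_quote"] = "query ran"
    except sqlite3.OperationalError:
        # The apostrophe in a legitimate name already breaks the statement,
        # which is the same parsing behaviour an injection attack relies on.
        results["unsafe_quote"] = "syntax error: input parsed as SQL"
    results["unsafe_html"] = render_greeting_unsafe("<b>x</b>")
    results["safe_html"] = render_greeting_safe("<b>x</b>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The legitimate name "O'Brien" is enough to show the defect: the concatenated query fails with a syntax error because the apostrophe terminates the string literal, which is exactly the boundary confusion an attacker exploits. The parameterized query returns the matching row, and the escaped greeting renders the angle brackets as text. Detection-wise, a sudden rise in database syntax errors logged by an application is a useful signal that input is reaching the SQL parser.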
“Despite the impact that can result from not addressing Web application vulnerabilities, it seems that many, if not most enterprises, are not taking significant steps to address the issue,” ISACA said. “Despite all of the available knowledge and resources, all indicators point to the problem continuing to worsen.”
The ISACA report also claims organizations can easily misinterpret the latest Verizon “2011 Data Breach Investigations Report,” which found Web applications are no longer the leading choice of attackers. The Verizon report goes on to say the data is skewed by breaches investigated in the retail and hospitality industries. Removing those sectors puts Web applications back at No. 1 among the attack vectors used by cybercriminals.
“There is a significant amount of information and support available, much of it free, that can provide assistance in this endeavor, but the most important first steps are to ensure organizational leadership understands the issue and the potential impact of Web application vulnerabilities and, based on that understanding, commit their support and the resources required to accomplish the task,” ISACA said.