Two of the most significant technological developments of recent years are the rapid rise of web application development and use among companies and consumers, and the increasing awareness of threats posed by cybercriminals. Consequently, it seems natural that Web application security would be widely seen as a critical priority for organizations of all kinds.
Yet according to industry expert Illia Kolochenko, this is not the case. Writing for SC Magazine, Kolochenko asserted that many corporations consider information security to be a relatively low priority, and their Web applications are seriously vulnerable as a result.
Web application issues
The author noted that while advanced web hacking techniques exist, they are typically not necessary for cybercriminals looking to infiltrate a given site. Many websites, he explained, feature vulnerabilities that make them susceptible to even rudimentary attacks.
This is a serious problem for firms, especially larger organizations.
"A website hack can be catastrophic for [a corporation's] reputation as the breach is clearly visible to everybody, and is often the subject of a media frenzy followed by flaming in social networks," Kolochenko argued.
Making matters worse, the writer pointed out that the number of Web applications in use among large companies has increased exponentially in recent years. However, this trend has not led such organizations to similarly increase their application-focused IT security efforts.
"All this introduces a huge headache for security departments who have to manage hundreds of interconnected problems at once," Kolochenko wrote. "Although the IT security budgets of corporates are large, quite often they are not spent on penetration testing and security auditing."
Further exacerbating this situation is the fact that, due to financial pressure, many companies release Web applications without fully testing them, Kolochenko argued.
"Sometimes developers are working 24/7 to release a new feature in a Web application before a competitor does, leaving the IT security team unable to test application security in time," he explained.
Without this testing, any company or individual that subsequently embraces such offerings will immediately be at risk of suffering a data breach and all of its attendant problems.
While there is no sure-fire way for companies to protect themselves from these risks, testing can go a long way toward more secure Web applications.
Specifically, Kolochenko pointed to automated vulnerability scanners as a key resource for companies concerned about these issues. While acknowledging that such tools are not perfect, he emphasized that scanning solutions and techniques have made "great progress" over the past 10 years and are now able to detect a wide range of Web-based vulnerabilities. Static code analysis, for example, is able to find many common security vulnerabilities well before web application code is even checked in. This reduces the time needed for bug fixing and, more importantly, prevents security risks from getting out into the field.
To experience these benefits, though, it is imperative for businesses not only to embrace vulnerability scanning solutions, but to seek out the industry-leading options in this area. Considering the diversity of today's cyberthreats and the evolving nature of this environment, only robust, advanced application security tools can provide sufficient protection.