Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. Because the internet is always ‘on’, any application, whether it is the online branch of a bank, an online shop, or even an employee access portal, is always available and therefore always exposed to attack. This exposure is increased even further by the high degree of complexity of the web scripts, frameworks and web technologies frequently used.
Attacks such as SQL injection, cross-site scripting or session hijacking are aimed at vulnerabilities in the web applications themselves – and not at those on the network level. For this reason, traditional IT security systems such as firewalls or IDS/IPS are either totally unable to guard against these attacks or are incapable of offering comprehensive protection.
Any application that provides interactive access to potentially sensitive material, or that exposes the underlying servers and software, must be secured against malicious attacks and unauthorized user access, either of which can modify or destroy data or stop critical system services.
Larger, more sophisticated organisations have the most to lose if their applications fall prey to attacks, but the fallout from such attacks can leave even the smallest organisations reeling. The possible effects of non-availability or data loss in web applications include:
Interruption of business processes (including those of customers or partners)
Loss of reputation
Damage compensation claims
Revocation of licenses
Loss of confidential information
What can be done then, you ask? Well, the basic principle is to start at the beginning. This means that every application should be developed as securely as possible in the first place. The later a vulnerability is detected in the life cycle of a web application, the greater the risk of a successful attack, and the larger the amount of work involved in correcting the issue.
In the development phase, methods such as static source code analysis help to detect and rectify vulnerabilities in the code promptly. These should be complemented by penetration tests, ideally carried out by experts, which also uncover vulnerabilities in the external behaviour of the web application as it runs in production.
“The one-size-fits-all approach doesn’t work when it comes to application security strategy. Every organization needs to adopt a customized approach for application security.”