WEB APPLICATION SECURITY

Web Application Security - Overview:

Web Application Security - FAQs:

How is the security of web applications compromised?

Ongoing security breaches have demonstrated how devastating attacks can be when they target web applications with direct access to sensitive customer and business data. In many cases, decisions were made to purchase and deploy software that did not meet specific security requirements. Considering the potential for severe negative publicity, loss of customers, interruptions to business operations, and settlements with the Federal Trade Commission, the most likely explanation is that these decisions were made without sufficient assessment or knowledge of the software's security shortcomings.

For what organizations is web application security a concern?

All organizations that deploy internet-facing applications expose themselves to risk from insecure web applications. Commercial organizations, financial services firms and federal agencies become more likely targets for attackers as e-commerce, online banking, and other Web transactions increase in size and frequency.

How does ensuring web application security affect an organization's regulatory compliance?

Web application security is a significant element of compliance with the laws, regulations, and policies that govern an organization and its data. Weak application security can represent, for example, a significant control deficiency in terms of compliance with the Sarbanes-Oxley Act, potentially compromising the reliability of financial information and reporting.

Compliance guides for Commercial Organizations, Financial Services firms and Federal Agencies are available at the Ounce Labs' library.

Please refer to the appendices of the Software Security Assurance Guide for references to example laws and regulations related to information security, and for cross-referenced sources of guidance on assuring effective compliance practices.

What are the technologies available for web application security?

Web application security issues result from errors during development that can be categorized into three key areas: insufficient processes or practices, inadequate skills or teams, and incomplete supporting technology. While security technologies are critical to an organization's web application security efforts, they must be paired with the right set of team and process improvements. To learn more about available web application security technologies, as well as their benefits and shortcomings, please refer to Ounce Labs' whitepaper The Top Web Application Vulnerabilities and How to Hunt Them Down at the Source.

How can an organization measure web application security?

When setting out to measure the security of a web application, there are a number of elements to consider. Direct measurements include the types of vulnerabilities present as well as the presence of important security features, while information can also be gathered with an appraisal of the teams, policies, processes, and additional technologies that support the development effort. These indirect measures of an organization are highly predictive of whether the organization's products are secure or not.

Attributes that should be measured at the project level include security procedures in the software development lifecycle, development and testing technology, project personnel, and management structure. This information can be gathered by interviewing project participants, reviewing project documentation, evaluating training classes, or even by asking developers during security verifications.

Attributes that should be measured at the organizational level include training programs, procedures for setting policy and process standards, and investments in technology. This information can be gathered through formal appraisals or informally during interaction with security and development groups.

Evaluating these indirect measures of application security is especially helpful when working with an outsourced or commercial vendor. With outsourced projects, the buyer typically has access to the source code and can run their own assessments; whether or not the source is available, it is important to verify that the vendor's organization and processes are conducive to secure development.

What are the benefits of implementing web application security early in the development cycle?

The cost to repair a web application security vulnerability during the early stages of source code program development is about 2% of the cost to repair that same flaw in a production environment. The repair cost does not take into account the potential costs associated with the exploit of security vulnerabilities.

Web application security has been underscored recently as businesses are driving tremendous advances in software functionality to keep up with worldwide growth and demands for better connection to critical data and assets. The explosion of web-enabled applications and web services in the past few years has outpaced most organizations' ability to keep up with new threats and security challenges in order to properly protect against them. Web applications are typically built under strict time pressures and often represent a collection of outsourced, open source, and in-house development to fulfill specific business needs. Even sophisticated development teams focus resources on verifying web applications do what they are supposed to do (functionality) instead of making sure they do not do what they are not supposed to do (security). Organizations need to be able to trust that these web applications have appropriate security mechanisms to thwart attacks and that the source code does not contain vulnerabilities that might expose networked resources.

It is irresponsible for organizations to subject themselves to unknown or unacceptable levels of risk in order to gain technical advantages. Vast improvements in workforce mobility, amount of data transferred, or number of transactions taking place can all be negated by a single web application security breach. This has become a demonstrable problem with business applications, as targeted web application attacks have led to massive fraud and data theft incidents. Cyber criminals continue to find increased financial incentive in targeting web applications, suggesting that we are unlikely to see this trend slow down any time soon.

To truly be informed about the security of a web application requires an understanding not only of the technical guts of the application, but also of the people, processes, and tools used to create the application. Only with this level of information can appropriate decisions be made to capitalize on applications without exposing critical resources to unacceptable risk.

Web Application Security - Resources:

The Path to a Secure Application: A Source Code Security Review Checklist outlines how and where to look for security vulnerabilities, including what to look for and methods for examination.

The Dirty Dozen: The Top Web Application Vulnerabilities and How to Hunt Them Down at the Source presents top web application security vulnerabilities that managers, coders, and analysts should focus on to drastically improve web application security, and the technologies available to help in the hunt.

Opening the Black Box, an application security testing case study, discusses how companies can reliably verify and remediate the security of an application using source code during development or before deployment.

Web Application Security Assurance Addendum. This proposed contract language, developed with one of the nation's leading law firms, helps organizations outsourcing development ensure that the code being delivered is secure.

Software Security Audit Framework outlines the processes, controls, and tools needed to ask the right questions and get the right answers about software risk.

Compliance Guide for Commercial Organizations covers Sarbanes-Oxley, CobiT, COSO and ISO 17799 regulatory and compliance frameworks.

Compliance Guide for Financial Services covers GLBA and the FFIEC, PCI, Sarbanes-Oxley, CobiT and ISO 17799 regulatory and compliance frameworks.

Compliance Guide for Federal Agencies covers FISMA and DITSCAP / DIACAP regulatory and compliance frameworks.