Cyber security is a top concern in the IT industry today. In this series, we will look at various threats to cyber security - and what steps businesses can take to meet those security threats to information systems head on.
Hacking today is big business. Hackers put in long, hard hours for payoffs that can easily reach into the millions. Where do they strike? Well, in a recent survey commissioned by Sungard Availability Services*, the top 5 cyber security threats to information systems were identified as:
- vulnerable web applications (noted by 55% of respondents)
- being overall security “aware” (51%)
- out-of-date security patches (50%)
- failure to encrypt PCs and sensitive data (47%)
- obvious or missing passwords (44%)
I’d like to spend some time talking about the #1 security threat noted, vulnerable web applications, since it tends to be less understood than the others. After all, designing a security awareness program, establishing a patch management schedule, encrypting PCs and sensitive data, and enforcing strong passwords are all relatively straightforward activities. Securing vulnerable web applications is a different type of animal. Here are the 5 questions you need to ask if you want to counter this top security threat to your information systems.
Was this application created with security in mind?
Ask this question whether you are talking about an out-of-the-box purchased application or a homegrown application. Did the programmers inject security into the software development life cycle (SDLC) from the very beginning? Or was security an afterthoughts? “Oh, gosh, I guess we’d better secure this in some way before we actually use it.”
If security was a concern from the start, it will have been worked into all the sub-levels of the application. If it was an afterthought, you might be looking at a nice, shiny security “veneer” that has no substance to it.
Has input validation been addressed?
The biggest issue in securing a web application often revolves around Input Validation, or IV. When somebody is inputting data into the application, it is important to verify (or validate) that it is real, relevant data. Input validation prevents hackers from inputting codes or commands that will allow them to penetrate the system, and ensures that no sensitive data is outputted from the application.
Have session management restrictions been set in place?
Every user of a web application should be in his or her own individual session. Session management ensures that a user (or hacker) can’t jump into another user’s session and view their information. For example, if someone is looking up their bank account online, session management guarantees that nobody can see into – and seize – those funds.
Is the information used by the application properly encrypted?
Encrypting data once it has been entered in the application is one thing. It is another to encrypt the data as it moves, internally and externally. Encryption of data at rest and data in motion is critical for your company and your clients’ security.
Has the application’s security been audited and tested?
Take nothing for granted! Perform rigorous penetration tests regularly to ensure that your web applications are as secure as you think they are. Remember, the hackers are getting more sophisticated all the time – your web application security had better keep in step or your entire information security system will be at risk.
For more information, I encourage you to check out the Open Web Application Security Project (OWASP) Top Ten - a powerful awareness document for web application security. Vulnerable web applications may be the greatest threat to our information systems today. But with strategic action guided by these 5 questions, we can change that for tomorrow.
*The survey, commissioned by Sungard Availability Services, was conducted by SurveyMonkey Audience. The survey reached 276 IT professionals and was completed in December 2014.