The one area in which most companies find themselves vulnerable to IT security attacks invariably involves the applications they expose on the Web. That is only natural: external-facing Web applications are the corporate assets most accessible to hackers.
In fact, the two most popular types of attacks routinely used against Web applications are SQL Injection, which involves getting a Web application to take an unauthorized action by injecting SQL statements into it, and cross-site scripting, which involves injecting client-side scripting into a Web page.
Neither of these attack vectors is particularly complicated or sophisticated. But because Web application developers tend to overlook security issues, hackers routinely exploit these vulnerabilities to compromise thousands of Web sites.
Most of those vulnerabilities can be discovered easily with application security scanning tools. But because there is usually a disconnect between the people who develop applications and the folks in charge of running the site, many of those vulnerabilities are not discovered until it’s too late. Many developers tend to think of security either as an afterthought or as something they’re not directly responsible for. As a result, thousands of Web applications exist that contain vulnerabilities which even the most inexperienced hackers can exploit easily.
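As an added illustration of the two attack classes the post names (this is example code, not from the original post): a lookup that splices untrusted input into SQL text beside its parameterized form, an HTML page that reflects input unescaped beside its encoded form, and the crude differential check a scanner performs to spot the first flaw. The user table, probe strings and function names are all constructed for this example.

```python
import sqlite3
import html


def make_db():
    # Constructed sample data: a tiny in-memory user table for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input becomes part of the SQL text, so it can change the
    # query's meaning instead of being treated as a value.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Parameter binding keeps data and code separate: the driver never
    # re-parses `name` as SQL, whatever characters it contains.
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchall()


def looks_injectable(lookup, conn):
    # Differential check of the kind a scanning tool runs against a site:
    # a tautology probe that returns more rows than a nonexistent plain name
    # shows that the input reached the SQL parser. Probe strings are constructed.
    baseline = lookup(conn, "no-such-user")
    probe = lookup(conn, "no-such-user' OR '1'='1")
    return len(probe) > len(baseline)


def render_greeting_vulnerable(name):
    # Reflecting input into HTML unescaped lets markup in `name` execute in
    # the visitor's browser (cross-site scripting).
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name):
    # Output encoding for the HTML context neutralises any markup in the input.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", looks_injectable(lookup_vulnerable, db))
    print("parameterized query injectable:", looks_injectable(lookup_safe, db))
    print(render_greeting_vulnerable("<b>x</b>"), "->", render_greeting_safe("<b>x</b>"))
```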
It may baffle some folks that this situation exists. But with millions of lines of code already accessible on the Web, remediating all the security issues in those applications has become a major challenge. Fortunately, as developers become more security-conscious, new Web applications (for the most part) are much less vulnerable to these types of attacks.
In the coming year it would behoove IT organizations to secure their Web applications by remediating existing vulnerabilities. In some cases, that may mean replacing those legacy Web applications altogether. Secondarily, they should take stronger measures to not only limit who can access those applications, but also secure the data that resides inside those applications.
Web applications are the frontline in a never-ending battle with hackers and other digital miscreants. The challenge facing IT organizations is how to best secure Web applications that have become the first door almost every cybercriminal tries to open.