Enterprises need to boost web application security


Web application security, or the lack of it because companies do not pay enough attention to protecting their internet-facing applications, was a topic of debate at the Black Hat Briefings on Thursday in Las Vegas.

Enterprises are still held up by not doing the basics correctly when developing web applications, said Paul Proctor, analyst at research firm META Group. "They're not even looking at security as part of the development lifecycle," he said.

Caleb Sima, CTO and co-founder of web application security provider SPI Dynamics, said the fundamental problem stems from the pressure placed on developers to meet deadlines and focus on features rather than security. Tools that assess the security of web applications can help identify a majority of vulnerabilities, he said.

"That assumes they use the tools properly," Proctor responded. Jeremiah Grossman, CEO of WhiteHat Security, said, "Running a tool on your site isn't necessarily due diligence," but Sima countered that it shows initiative on the part of the company to address the issue.

Assessment services, or penetration tests, are another approach companies rely on to secure their web applications, but companies often don't bring in consultants to perform security assessments until the application is already going live, panelists said. "It's always the last check mark they have," noted Frank Lam, senior manager at Deloitte & Touche.

Panelists agreed that developers need security training, but Sima said that many companies don't have the money or time to train all their developers. "The easiest way to train developers is to make it easier for them" to implement security, he added. Performing input validation on web applications can eliminate many vulnerabilities, he said.

Designing web applications securely from the start is key, Proctor said. The cost of fixing security flaws after an application is released is 60 times the cost of fixing them during development, he said.
