Enterprises need to boost web application security

Web application security - or the lack of it, because companies don't pay enough attention to protecting their internet applications - was a topic of debate at the Black Hat Briefings Thursday in Las Vegas.

Enterprises are still held up by not doing the basics correctly when developing web applications, said Paul Proctor, analyst at research firm META Group. "They're not even looking at security as part of the development lifecycle," he said.

Caleb Sima, CTO and co-founder of web application security provider SPI Dynamics, said the fundamental problem stems from the pressure placed on developers to meet deadlines and focus on features rather than security. Tools that assess the security of web applications can help identify a majority of vulnerabilities, he said.

"That assumes they use the tools properly," Proctor responded. Jeremiah Grossman, CEO of WhiteHat Security, said, "Running a tool on your site isn't necessarily due diligence," but Sima countered that it shows initiative on the part of the company to address the issue.

Assessment services, or penetration tests, are another approach companies rely on for securing their web applications, but companies often don't bring in consultants to perform security assessments until the application is already going live, panelists said. "It's always the last check mark they have," noted Frank Lam, senior manager, Deloitte & Touche.

Panelists agreed that developers need security training, but Sima said that many companies don't have the money or time to train all their developers. "The easiest way to train developers is to make it easier for them" to implement security, he added. Performing input validation on web applications can eliminate many vulnerabilities, he said.
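The input validation Sima refers to is easiest for developers when it is centralised and allow-list based: each field states exactly what is acceptable, and anything else is rejected before the application logic sees it. The following is an added example written for this page, not code from any of the panelists' companies; the form fields (username, email, account_id) and the sample requests are constructed for illustration.

```python
"""Allow-list input validation for a web form (constructed example)."""
import re
from typing import Callable

# Hypothetical profile-update form with three fields. Each rule states what
# is allowed; anything that does not match is rejected (allow-list, not block-list).
FIELD_RULES: dict[str, tuple[Callable[[str], bool], str]] = {
    "username": (
        lambda v: re.fullmatch(r"[a-z0-9_]{3,32}", v) is not None,
        "3-32 lowercase letters, digits or underscore",
    ),
    "email": (
        lambda v: len(v) <= 254
        and re.fullmatch(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", v)
        is not None,
        "must be a plausible e-mail address",
    ),
    "account_id": (
        lambda v: v.isdigit() and 1 <= int(v) <= 2**31 - 1,
        "must be a positive 32-bit integer",
    ),
}
REQUIRED = {"username", "account_id"}


def validate(params: dict[str, str]) -> list[str]:
    """Return a sorted list of validation errors; an empty list means the request is acceptable."""
    errors: list[str] = []

    # 1. Reject parameters the application never asked for (mass-assignment guard).
    for name in params:
        if name not in FIELD_RULES:
            errors.append(f"{name}: unexpected parameter")

    # 2. Require the mandatory fields to be present.
    for name in REQUIRED:
        if name not in params:
            errors.append(f"{name}: missing")

    # 3. Check every supplied known field against its allow-list rule.
    for name, value in params.items():
        if name not in FIELD_RULES:
            continue
        if not isinstance(value, str):
            errors.append(f"{name}: must be a string")
            continue
        check, message = FIELD_RULES[name]
        if not check(value):
            errors.append(f"{name}: {message}")

    return sorted(errors)


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, one with several defects.
    good = {"username": "alice_01", "email": "alice@example.com", "account_id": "42"}
    bad = {"username": "Alice Smith", "email": "not-an-email", "account_id": "-1", "debug": "1"}
    print("good ->", validate(good))
    print("bad  ->", validate(bad))
```

Because the rules are data rather than scattered `if` statements, a framework can apply `validate()` to every request handler automatically, which is the "make it easier for them" approach the panel describes: developers add a field and its rule in one place instead of remembering to check it in each handler.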

Designing web applications securely from the start is key, Proctor said. The cost of fixing security flaws after an application is released is 60 times more than the cost of fixing it in development, he said.
