An onslaught of cyberattacks, including some high profile breaches at Heartland Payment Systems, government agencies, Facebook, Twitter, RockYou, and, most recently, at Google, continues. Websites (web applications) across the globe remain vulnerable and ripe for hackers to exploit. Although good progress has been made in the last 12 months by some sectors, we have a long way to go when it comes to securing websites with a methodical and disciplined approach.
I wonder about the root cause of this inertia. If you knew that your house is likely to get attacked, wouldn't you try to fix all the doors and windows, get locks and alarms, and take other precautions? So, why is it that in spite of some well publicized attacks and regulations, there's not a massive adoption of a process and solutions to secure websites?
After talking to hundreds of companies, government agencies, and industry luminaries over the past few years, I have narrowed down the reasons behind this phenomenon to a few myths and real inhibitors, which I explained below.
Top 5 Myths around Web application security
It turns out that many IT professionals and business line managers still believe that their existing security measures are enough to protect their websites. Here are some of the common myths.
· I have SSL so my Web sites are secure: Well, Secure Socket Layer (SSL) has its place in helping provide some protection to the consumers while they are conducting transactions online. However, it does nothing to protect hackers from hacking into websites. So, the SSL lock symbols on most of the sites can be misleading.
· I have never been hacked so I am fine: Gone are the days when hackers used to hack to gain fame. Now, most web hacking is done by organized criminals and in some cases by government sponsored organizations. These guys don't want you to know that you are being hacked.
· I can test my web application once a year: Every month there are 400+ new application related vulnerabilities and hackers know about them. Also, every time you make any change to a web application, you have to make sure that there are no new vulnerabilities.
· Application Security is painful to implement: Although it's more difficult to secure web applications than the network layer and desktops, there are many easy solutions to get your process jump started. Like all initiatives, once you get going, the road gets less bumpy.
· I am PCI compliant: You have to protect your web applications to secure your most important asset – customer information. If your applications are secure, you'll pass the audit and comply with regulations. The reverse is not necessarily true.
Inhibitors
· Budget: Many companies still haven't set aside a budget for application security. A lot of times application security is part of a bigger bucket of security budget. If too much money gets spent on network security, identify management, data leakage prevention, etc. sometimes there's not enough left for applications.
· Lack of education: Many IT people, especially in the upper management are not fully aware of the implications of securing their web applications.
· Lack of expertise: Even when an organization is committed to implementing an application security program, they might not have the right expertise to create the right processes.
· Unclear standards: Regulatory standards can help organizations in focusing on the right priorities and in obtaining a budget. Most of the current regulations are very broad for security without much clarity for application security.
· Attacks are not publicized: In spite of continuous attacks at the web application layer, many of these attacks are not publicized or are not publicized with the application security breaches highlighted.
All indications are that cyberattacks at the web application layer will continue to rise in the coming months and years. With close to 80 percent of vulnerabilities in web applications and more than 75 percent of attacks happening through the websites, the question is not IF you will get attacked, but WHEN.
It's very easy to get started with a web security program. There's a lot of help available to move you along the process. You just need to take that first step.
