Safe development: Safeguarding web applications

Share this article:
Safe development: Safeguarding web applications
Safe development: Safeguarding web applications

To secure web applications, makers must take ownership of their lifecycle management, reports Deb Radcliff.

LulzSec uses zero-day on PBS! Hacker group raids Sony Pictures in latest breach! Mass injection campaign affects 3.8 million pages!  

These are just some of the web application breach events to make headlines in 2011. In just the first half of this year, the number of attacks on websites increased by 65 percent over 2010, and surpassed the total number of attacks tracked in all of 2009, according to HP's “2011 Mid-year Top Cybersecurity Risks Report.”

Most troubling is that the exploits into these applications – SQL injection attacks, cross-site scripting (XSS) and buffer overflows – continue to take advantage of vulnerabilities in the code and functional aspects of applications that security experts have known about for decades, says Ed Adams (left), CEO of Security Innovation, a software, training and consulting services company based in Wilmington, Mass. 

“Today, it is inexcusable to allow a SQL injection into a public-facing web application where criminals can extract data on customers, take down servers or set up drive-by downloads onto victim browsers,” he says. “And yet, all too often, these things occur.”

Frameworks and tools are available to create cradle-to-grave policy around secure application development and maintenance. Yet these SQL, XSS and overflow vulnerabilities remain among the top web application security risks, according to listings by the Open Web Application Security Project (OWASP), the SANS Institute, and others. 

What's needed, many experts say, is a wholesale shift toward secure coding and application development practices. Yet, despite the sense in creating strong foundations, builders often leave the safety aspects of their applications to people who have little coding background.

Page 1 of 4
Share this article:
close

Next Article in Features

Sign up to our newsletters

More in Features

Case study: Big LAN on campus

Case study: Big LAN on campus

A university rolled out a wireless network, but was hampered with a user-support problem...until a solution was found. Greg Masters reports.

2014 Women in IT Security: Stacey Halota

2014 Women in IT Security: Stacey Halota

When she stepped into the job of vice president of information security and privacy at Graham Holdings Company in 2003, Stacey Halota had to carve out new territory because her ...

What's sex got to do with it?

What's sex got to do with it?

Harassment has no place in the security industry. Neither do sexism or discrimination. But, there they are. It's time for infosec to just say no, reports Teri Robinson.