Prepare for new attacks
Even with the most secure coding processes, attack techniques that exploit vulnerabilities in new types of applications – such as AJAX-enabled ones, whether written in Ruby on Rails or PHP and deployed as an iFrame or a mobile app – will be a fact of life and will lead to zero-day exploits, warns Jeremiah Grossman, co-founder of web application security company WhiteHat Security.
“[The online collective] Anonymous is known to target websites using PHP File Include attacks, which are similar to SQL injections, whereby a remote intruder can execute commands on the server and compromise the system,” he says.
There's no after-the-fact solution that can be applied to fix all the millions of PHP applications already in circulation, he adds. “However, developers need to be aware of these and problems with all their applications that house and process sensitive data.”
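As an added illustration of the PHP file-include weakness Grossman refers to (example code written for this page, not from the article or from WhiteHat Security; the `page` request parameter and the `pages/` directory are assumed), the vulnerable pattern beside an allowlisted form:

```php
<?php
// Added example: the PHP file-include pattern described above, shown as
// the vulnerable form and a hardened form. The "page" parameter and the
// pages/ directory are assumptions made for illustration.

// VULNERABLE: the include path is built directly from request input, so the
// request decides which file is loaded (a local file, or a remote one if
// allow_url_include is enabled). Whatever is loaded is executed as PHP,
// which is what turns a simple include into command execution.
function render_page_vulnerable(string $page): void
{
    include "pages/" . $page . ".php";
}

// HARDENED: map the request value onto a fixed allowlist of known files and
// refuse anything else. Request input never becomes part of a filesystem path.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Returns the vetted path for a page name, or null when it is not allowlisted.
function resolve_page(string $page): ?string
{
    return ALLOWED_PAGES[$page] ?? null;
}

function render_page_safe(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Entry point: only the hardened path is reachable from a request.
// Defence in depth: also keep allow_url_include=Off in php.ini so that even a
// path-building bug elsewhere cannot pull in remote code.
render_page_safe((string) ($_GET['page'] ?? 'home'));
```

Reviewing every `include`, `require` and their `_once` variants for request-derived arguments is a quick static check that finds most instances of the vulnerable form.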
Until the burden of security is shifted back to development teams, the likelihood of SQL injections and other common attacks on web applications will only accelerate, Security Innovation's Adams says. “This is especially important as we push more of those applications out to mobile devices and the cloud.”