To secure web applications, makers must take ownership of their lifecycle management, reports Deb Radcliff.
LulzSec uses zero-day on PBS! Hacker group raids Sony Pictures in latest breach! Mass injection campaign affects 3.8 million pages!
These are just some of the web application breach events to make headlines in 2011. In just the first half of this year, the number of attacks on websites increased by 65 percent over 2010, and surpassed the total number of attacks tracked in all of 2009, according to HP's “2011 Mid-year Top Cybersecurity Risks Report.”
Most troubling is that the exploits against these applications – SQL injection attacks, cross-site scripting (XSS) and buffer overflows – continue to take advantage of vulnerabilities in the code and functional aspects of applications that security experts have known about for decades, says Ed Adams, CEO of Security Innovation, a software, training and consulting services company based in Wilmington, Mass.
“Today, it is inexcusable to allow a SQL injection into a public-facing web application where criminals can extract data on customers, take down servers or set up drive-by downloads onto victim browsers,” he says. “And yet, all too often, these things occur.”
Frameworks and tools are available to create cradle-to-grave policy around secure application development and maintenance. Yet these SQL, XSS and overflow vulnerabilities remain among the top web application security risks, according to listings by the Open Web Application Security Project (OWASP), the SANS Institute, and others.
What's needed, many experts say, is a wholesale shift toward secure coding and application development practices. Yet, despite the sense in creating strong foundations, builders often leave the safety aspects of their applications to people who have little coding background.