The web application layer is causing the most concern among security professionals, Rob Lamb, vice president of IBM security products, said Wednesday at the SC Congress Canada in Toronto.
A poll of approximately 30 attendees during the session concurred with his assessment. Participants were more concerned about vulnerabilities in web applications than flaws affecting the network, virtual environments, servers and endpoints.
For an attacker, trying to find sensitive information after breaking into an organization's network is like looking for a “needle in a haystack,” Lamb said.
When an attacker breaks in through a web app, on the other hand, sensitive data is often easily accessible, he said.
As a best practice, organizations should evaluate the source code of applications for flaws and aim to discover them early in the development process, Lamb said. Bugs in web apps are easier and quicker to mitigate during development than after release.
In addition, organizations should have a third-party assessor validate the security of web apps.
Robert Knoblauch, manager of information security operations at the Bank of Montreal, who joined Lamb on the panel, said his organization does not just rely on one tool to mitigate web app threats.
His organization uses several to verify the results of any one tool.