More than four out of every five (85 percent) U.S. businesses have experienced a data breach, according to a recent study by Colchester, Conn.-based law firm Scott + Scott, putting millions of consumers’ Social Security numbers and other sensitive information in the hands of criminals.
If a website’s server and applications are not protected from security vulnerabilities, identities, credit card information, and billions of dollars are at risk. Unfortunately, firewalls do not provide enough protection.
Firewalls, ids, ips Are Not Enough
Attackers are well-aware of the valuable information accessible through Web applications, and their attempts to get at it are often unwittingly assisted by several important factors. Conscientious organizations carefully protect their perimeters with intrusion detection systems and firewalls, but these firewalls must keep ports 80 and 443 (ssl) open to conduct online business. These ports represent open doors to attackers, who have figured out thousands of ways to penetrate Web applications.
Network firewalls are designed to secure the internal network perimeter, leaving organizations vulnerable to various application attacks. Intrusion Prevention and Detection Systems (ids/ips) do not provide thorough analysis of packet contents. Applications without an added layer of protection increase the risk of harmful attacks and extreme vulnerabilities.
In the past, security breaches occurred at the network level of the corporate systems. Today, hackers are manipulating web applications inside the corporate firewall. This entry enables them to access sensitive corporate and customer data. The standard security measures for protecting network traffic do not protect against web application level attacks.
Owasp’s Top 10 Web Application Security Vulnerabilities 2007
Open Web Application Security Project (Owasp), an organization that focuses on improving the security of application software, has put together a list of the top 10 web application security vulnerabilities.
1. Cross Site Scripting (xss)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (Csrf)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
Web Application Security Consortium Most Common Vulnerabilities Report
The Web Application Security Consortium (Wasc) reported the top five web application vulnerabilities by testing 31,373 sites.
According to the Gartner Group, “97% of the over 300 web sites audited were found vulnerable to web application attack,” and “75% of the cyber attacks today are at the application level.”
Web application vulnerability assessment
From the information above it’s clear that most e-commerce websites are wide open to attack and easy victims when targeted. Intruders need only to exploit a single vulnerability.
A web application scanner, which protects applications and servers from hackers, must provide an automated internet security service that searches for software vulnerabilities within web applications.
A web application scan should crawl the entire website, analyze in-depth each & every file, and display the entire website structure. The scanner has to perform an automatic audit for common network security vulnerabilities while launching a series of simulated web attacks. Web Security Seal and free trial should be available.
A web application vulnerability Assessment should execute continuous dynamic tests combined with simulation web-application attacks during the scanning process.
The web application scanner must have a continually updated service database. A website security test should identify the security vulnerabilities and recommend the optimally matched solution.
The vulnerability check has to deliver an executive summary report to management and a detailed report to the technical teams with the severity levels of each vulnerability.
It is recommended that the detailed report include an in-depth technical explanation of each vulnerability as well as appropriate recommendations. The website security test will conduct subsequent vulnerability scans and generate trend analysis reports that allow the customer to compare tests and track progress.