Why is it that so many people struggle to get their arms around web and application security? Some of the answers to this question are quite obvious, but others are less so. Having tested the security of hundreds of applications over the past decade and a half, I’ve concluded that web security breakdowns occur for numerous reason that deserve our attention.
Nine Common Web Security Challenges
Below are nine of the most common security challenges that I believe are behind the big — and not so big — cybersecurity incidents and data breaches of our time.
1. Lack of Security Requirements and Standards
In many cases, developers drive specific security requirements rather than the larger business units. This lax and inconsistent approach often stems from a lack of organizationwide security standards. Certain standards might be implemented by third-party developers, but they’re sometimes not considered part of the application architecture at all.
2. Lack of Formal Security Training for Developers and QA Professionals
Just like I can’t be expected to write solid code or uncover every software quality issue, developers and quality assurance (QA) professionals can’t be expected to know all things related to security. That said, there are many missed opportunities throughout the software and systems development life cycle for both developers and QA professionals to prevent or uncover common security flaws and keep them from ever reaching production status. Simply following a framework, such as the Open Web Application Security Project (OWASP) Top 10, can be a tremendous benefit. However, most developers and QA professionals I’ve spoken to have never heard of it.
3. Lack of Security Leadership
I see a lot of organizations — mostly smaller startups and midmarket businesses — talk about security, but there’s minimal substance behind it. Even in larger enterprises with dedicated security executive roles, bureaucracy and protectionism — IT executives protecting their own interests — often get in the way of security.
4. Improper Security Testing
Websites and applications are often included in generic vulnerability and penetration testing efforts and are not properly evaluated. Generic network vulnerability scans against web applications simply aren’t enough — security teams need dedicated vulnerability scanners. It is critical to conduct authenticated testing using different web vulnerability scanners, web proxies and related tools. Even source code analysis can prove beneficial in many situations.
5. Insufficient Security Controls
Staging, QA and development systems are often exposed to the internet but don’t have the same security controls that production web environments have. They’re not behind web application firewalls, they’re often unpatched, and they’re rarely afforded the protections of proactive system monitoring and alerting.
The real problem is that they often house production data that has not been de-identified, encrypted or otherwise protected. This data is exposed to anyone out on the internet or anyone with internal network access. When something nefarious happens in this context, odds are good that no one will ever know about it.
6. Unknown Websites and Applications
Many websites and applications are unknown and, therefore, unprotected. In many organizations, numerous web systems go without security scrutiny. Either they are deemed unimportant or they are unknown altogether. Some of these sites and apps are initially set up by people outside of development and IT, which causes them to fly under the radar of web security oversight.
7. The Wrong People Conduct Vulnerability Testing
In some organizations, the wrong people are testing for web security flaws. Internal security teams often do the testing with no external or independent evaluation. This might be sufficient in the context of security, but compliance regulations could mandate that independent third parties perform this work, at least periodically.
I often see external vendors performing their own “testing,” which usually just amounts to nothing but basic vulnerability scans. I also see a lot of people relying on audit reports to make web-related security decisions. Such audits are great for finding security gaps in and around the data center, but they effectively mean nothing in terms of specific web application vulnerabilities.
8. Overreliance on Documented Policies
Some executives rely solely on documented security policies to keep systems protected. In the grand scheme of things, security policies do very little to protect web environments from exploits. Sure, they set the expectations of those who bother to read them. However, other than appeasing auditors, policies add little value to a web security program.
9. Poor Incident Response Planning
Many security teams have no plans to address the risks that they uncover. A common web security gap occurs when vulnerabilities and risks are identified but the solutions never see the light of day. Seeing things through — especially the most urgent issues regarding your most important systems — is absolutely crucial. Just ask some of the people involved with the big security incidents we see and hear about every day. Prompt action pays great dividends.
Strengthening Weak Links in the Security Chain
Whether web security is an informal component of your overall IT program or you have dedicated SecDevOps procedures to oversee it all, you’ll find that most security challenges come with hair on top — in other words, people. To make a security program work for, rather than against, your organization, you must acknowledge and overcome these hurdles.
One or more of these challenges undoubtedly exists within your organization. Get the right people involved, identify the gaps and vow to make the appropriate adjustments by educating employees, spreading awareness and uniting disparate departments under one cohesive web security strategy.
Download the E-Guide: Five Steps to Achieve Risk-based Application Security Management
Independent Information Security Consultant
Kevin Beaver is an information security consultant, writer, and professional speaker with Atlanta-based Principle Logic, LLC. With over 29 years of experienc...