Why is it that so many people struggle to get their arms around web and application security? Some of the answers to this question are quite obvious, but others are less so. Having tested the security of hundreds of applications over the past decade and a half, I’ve concluded that web security breakdowns occur for numerous reasons that deserve our attention.

Nine Common Web Security Challenges

Below are nine of the most common security challenges that I believe are behind the big — and not so big — cybersecurity incidents and data breaches of our time.

1. Lack of Security Requirements and Standards

In many cases, specific security requirements are set by individual developers rather than by the larger business units that own the risk. This lax and inconsistent approach often stems from a lack of organizationwide security standards. Third-party developers might apply certain standards of their own, but those standards are sometimes not treated as part of the application architecture at all.

2. Lack of Formal Security Training for Developers and QA Professionals

Just like I can’t be expected to write solid code or uncover every software quality issue, developers and quality assurance (QA) professionals can’t be expected to know all things related to security. That said, there are many missed opportunities throughout the software and systems development life cycle for both developers and QA professionals to prevent or uncover common security flaws and keep them from ever reaching production. Simply working from a reference such as the Open Web Application Security Project (OWASP) Top 10 can be a tremendous benefit. However, most developers and QA professionals I’ve spoken to have never heard of it.

3. Lack of Security Leadership

I see a lot of organizations — mostly smaller startups and midmarket businesses — talk about security, but there’s minimal substance behind it. Even in larger enterprises with dedicated security executive roles, bureaucracy and protectionism — IT executives protecting their own interests — often get in the way of security.

4. Improper Security Testing

Websites and applications are often swept into generic vulnerability and penetration testing efforts without being properly evaluated. Network vulnerability scans pointed at web applications simply aren’t enough; security teams need dedicated web vulnerability scanners. It is critical to conduct authenticated testing, that is, testing from the perspective of a logged-in user, because most of an application’s attack surface sits behind the login page, using several web vulnerability scanners, web proxies and related tools, since each tool finds a different subset of flaws. Source code analysis can also prove beneficial in many situations.

5. Insufficient Security Controls

Staging, QA and development systems are often exposed to the internet but don’t have the same security controls that production web environments have. They’re not behind web application firewalls, they’re often unpatched, and they’re rarely afforded the protections of proactive system monitoring and alerting.

The real problem is that they often house production data that has not been de-identified, encrypted or otherwise protected. That data is exposed to anyone out on the internet or anyone with internal network access, and because these systems are rarely monitored, when something nefarious happens in this context, odds are good that no one will ever know about it.
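The de-identification step mentioned above, as an added example that is not part of the original article: a small Python routine that pseudonymizes identifiers with a keyed HMAC (so records can still be joined across tables in staging), blanks fields staging never needs, scrubs identifier-shaped values out of free-text fields and then checks that nothing from the original survived. The record layout, field names, sample records and key are constructed for illustration and are assumptions of mine, not anything the article describes.

```python
"""Added example (not from the article): de-identify a production export
before it is copied into a staging or QA environment.

Assumptions (mine, not the article's): records are flat dicts with the
fields shown below, and a per-environment secret is available to key the
pseudonymization. SAMPLE_RECORDS are constructed for illustration.
"""
import hashlib
import hmac
import re

# Per-environment secret. Load it from a secret store in practice; it must
# never reach the staging environment itself, or anyone who can enumerate
# likely inputs can recompute the tokens.
PSEUDONYM_KEY = b"replace-with-a-random-secret-from-your-vault"

# Constructed sample data, not real people.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Ada Lovelace", "email": "Ada@example.com",
     "phone": "+1-555-0100", "ssn": "123-45-6789", "plan": "gold",
     "notes": "Called from 555-0100 about SSN 123-45-6789"},
    {"id": 2, "name": "Alan Turing", "email": "alan@example.org",
     "phone": "+44 20 7946 0000", "ssn": "987-65-4321", "plan": "silver",
     "notes": "No issues"},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Deliberately loose: 7 to 13 digits with optional spaces/dashes and an
# optional country code. Over-masking in staging is cheap; under-masking is a breach.
PHONE_RE = re.compile(r"(?:\+\d{1,3}[ -]?)?(?:\d[ -]?){6,12}\d")


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY, length: int = 16) -> str:
    """Keyed, deterministic token. The same input always yields the same
    token, so foreign-key joins across tables keep working, but without the
    key nobody can recompute it from a guessed input (a plain SHA-256 of an
    email address or SSN can be brute-forced by enumeration)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def pseudonymize_email(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keep the shape of an address so application validation still passes,
    and point every address at a reserved, non-deliverable domain."""
    return f"user-{pseudonym(email.lower(), key, 12)}@staging.invalid"


def scrub_free_text(text: str) -> str:
    """Free-text fields leak identifiers too; mask anything that looks like one."""
    text = SSN_RE.sub("[SSN]", text)
    return PHONE_RE.sub("[PHONE]", text)


def deidentify(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a copy of the record that is safe to load into staging."""
    out = dict(record)                       # non-sensitive fields (id, plan) pass through
    out["name"] = "User " + pseudonym(record["name"], key, 8)
    out["email"] = pseudonymize_email(record["email"], key)
    out["phone"] = "[PHONE]"                 # staging never needs a real number
    out["ssn"] = "[SSN]"                     # drop outright; don't tokenize what you don't need
    out["notes"] = scrub_free_text(record["notes"])
    return out


def leaked_values(original: dict, scrubbed: dict,
                  fields=("name", "email", "phone", "ssn")) -> list:
    """Post-copy check: report any original sensitive value that still appears
    anywhere in the de-identified record. Wire this into the copy job and
    fail the job if it returns anything."""
    blob = " ".join(str(v) for v in scrubbed.values()).lower()
    return [f for f in fields if str(original[f]).lower() in blob]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        safe = deidentify(rec)
        print(safe, "leaks:", leaked_values(rec, safe))
```

Two design choices matter here. A keyed HMAC rather than a bare hash: email addresses and national ID numbers have tiny input spaces, so an unkeyed hash is trivially reversed by hashing every candidate, and the key itself must stay out of staging. And the final leak check, which is the part that actually protects you: de-identification rules drift as schemas grow new columns, so the copy job should fail closed whenever an original value reappears rather than trust that the rules are complete.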

6. Unknown Websites and Applications

Many websites and applications are unknown and, therefore, unprotected. In many organizations, numerous web systems go without security scrutiny. Either they are deemed unimportant or they are unknown altogether. Some of these sites and apps are initially set up by people outside of development and IT, which causes them to fly under the radar of web security oversight.

7. The Wrong People Conduct Vulnerability Testing

In some organizations, the wrong people are testing for web security flaws. Internal security teams often do the testing with no external or independent evaluation. This might be sufficient from a purely technical standpoint, but compliance regulations could mandate that independent third parties perform this work, at least periodically.

I often see external vendors performing their own “testing,” which usually amounts to nothing more than basic vulnerability scans. I also see a lot of people relying on audit reports to make web-related security decisions. Such audits are great for finding security gaps in and around the data center, but they effectively say nothing about specific web application vulnerabilities.

8. Overreliance on Documented Policies

Some executives rely solely on documented security policies to keep systems protected. In the grand scheme of things, security policies do very little to protect web environments from exploits. Sure, they set the expectations of those who bother to read them. However, other than appeasing auditors, policies add little value to a web security program.

9. Poor Incident Response Planning

Many security teams have no plans to address the risks that they uncover. A common web security gap occurs when vulnerabilities and risks are identified but the solutions never see the light of day. Seeing things through — especially the most urgent issues regarding your most important systems — is absolutely crucial. Just ask some of the people involved with the big security incidents we see and hear about every day. Prompt action pays great dividends.

Strengthening Weak Links in the Security Chain

Whether web security is an informal component of your overall IT program or you have dedicated SecDevOps procedures to oversee it all, you’ll find that most security challenges come with hair on top — in other words, people. To make a security program work for, rather than against, your organization, you must acknowledge and overcome these hurdles.

One or more of these challenges undoubtedly exists within your organization. Get the right people involved, identify the gaps and vow to make the appropriate adjustments by educating employees, spreading awareness and uniting disparate departments under one cohesive web security strategy.
