Research: Hardening Web Applications
Hardening Next-Gen Web Applications
Application security is a hot topic today. It was a hot topic last month, and we believe it will stay a hot topic well into the future. As we discussed in our October 2008 InformationWeek Analytics State of Software Protection report, there may be no such thing as a bulletproof app, but that doesn’t mean we’re not trying: over half of the business technology professionals we surveyed for that report had application security strategies in place. In our current Web 2.0 Survey of 382 respondents—all of whom have responsibility for the development, deployment or ongoing security of Web 2.0 applications—more than half again say they have deployed protection for these applications.
“The issue with security is how to best employ common practices when adapting to a Web model that exchanges information between applications residing on different servers,” says one respondent to our 2010 survey. “This issue, in reality, has been around from the beginning of e-commerce. As the e-industry gets bigger, so do the lines of attack and problems that go with it. Not much different than the fraud attacks done by simple telephone calls!”
In our 2008 report we examined how developers and security organizations could work together to make their applications as bulletproof as possible. Now, we’ll examine some of the new pitfalls organizations need to avoid and explore changes in the security landscape. For example, IT should review and update methodologies each year or as the business changes, and consider bringing in someone with a fresh perspective. Don’t be inflexible; compromise deadlines for security when you must, but have a plan to get it done. And, be fair with requirements. The payoff will be better cooperation from the business. We’ll also detail an actual Web 2.0 application exploit and discuss how to find, defend against and remediate it.