2011-10-25

By staff reporter

ISACA has issued a white paper outlining the causes of web application vulnerabilities, examining the associated risk and impacts, with advice for mitigating risk.

New web applications are client-server based and platform independent, require less computing power, and can be seamlessly integrated with online resources and services. Their use can result in time and cost reduction of processes, increased customer satisfaction, and increased revenue.

However, web application vulnerabilities open the door to the exploitation of sensitive corporate information, disruption of service and theft of intellectual property.

Web Application Security: Business and Risk Considerations, applies to all types of software development activities. Among the common vulnerabilities identified in the white paper include:

•SQL injection
•Cross-site scripting
•Insecure direct object reference
•Information leakage
•Insufficient anti-automation

“Organisations are performing more and more high-value or highly confidential transactions through the internet thanks to the insight in the many new opportunities and benefits," said ISACA director, Marc Vael, "But in many cases we notice that executive management is not (made) fully aware of the real security risks.”

“On the contrary, managers tend to push hard to go ahead and launch the web solution(s), even when these are not properly tested. Thus a lot of assumptions and a false sense of trust reigns in many organisations on the security of their web applications, until it is too late,” he added.

Included in Web Application Security: Business and Risk Considerations are the following strategies for addressing web application risk:

•Security measures must be mandatory components that are included early in the process.
•Programmers must be trained in secure coding techniques.
•There must be a robust quality assurance process in place to enforce continuous, controlled quality testing.
•Deployed applications must be continuously monitored for newly discovered vulnerabilities.
•Decisive action must take place to address any vulnerabilities found.

The white paper is available as a free download from www.isaca.org/web-application-security.

Home     More News


Other stories you may find of interest:

BYOD risk growing through consumer shopping at work
UK consumers say they'll spend more time shopping online than in 2010. But according to the UK edition of ISACA's fourth Shopping on the Job report, two-thirds of this time will be on devices also used for work, posing significant risk to enterprises.

ISACA: Geolocation risks misunderstood
A new ISACA report cautions that regulating the use of geolocation data is still in its infancy, and that users should be aware of the information they are sharing.