Web applications have become the backbone of business in nearly every segment of the economy. They connect employees, customers and partners to the information they need anywhere and anytime. While this information accessibility has cut costs and dramatically accelerated the pace of business, it has also increased risks: identity theft, data leakage, malware, application denial of service (DoS) attacks and malicious botnets increasingly target Web applications, with consequences that impact brand, revenues and regulatory compliance.
Ninety-two per cent of businesses have suffered a successful application attack in the past 12 months (CSI/FBI Computer Crime and Security Survey) and 21 per cent of organisations have experienced a data breach due to an application attack (Aberdeen Group, Developing Secure Applications: Built-in or Bolted On?). In addition, Web applications change frequently and new vulnerabilities are often introduced in these updates. Application updates may also inadvertently break patches created to fix security holes, re-exposing old vulnerabilities.
Unfortunately, current data security expenditure is focused on enterprise networks, leaving weaknesses in databases and applications to be exploited by cyber criminals. The top 10 data breaches of 2009 (by volume) reveal that 74 per cent of lost data came from database breaches, 19 per cent from application breaches and seven per cent from network breaches. Yet more than 90 per cent of 2009's US$16 billion security spending went on network security, according to Top 100 Research Foundation.
Add to this the current confusion among Asia-Pacific organisations as to the type of security tools needed to tackle the problem, with many relying on traditional network firewalls and intrusion prevention systems (IPS). In a recent Frost & Sullivan report, 55 per cent of those surveyed in the Asia-Pacific region felt that having a powerful network firewall is sufficient to make up for the lack of a Web Application Firewall (WAF). Some 48.3 per cent felt that a WAF is required only if a company wants to be PCI-DSS compliant.
However, if you look at regulations such as the Payment Card Industry Data Security Standard (PCI DSS), these now mandate application layer protection. Businesses that process, store or transfer credit card data must install a WAF or undergo application reviews annually and after every application change. Notice that no IPS requirement exists.
Assessing the approaches to Web application security
Complete Web application security requires a detailed understanding of the elements of legitimate user transactions within each Web application: these include URLs, HTTP methods, session IDs, cookies, XML/SOAP schemas, and more. Also, new application security hazards produced by Web 2.0 technologies, especially Rich Interface Applications, AJAX frameworks, and online forums such as wikis, blogs and social networking sites, can elevate the risk of cross-site scripting (XSS) injection, cross-site request forgery (CSRF), unauthorised access, and other Web-based attacks. This level of security can only be provided with advanced WAF capabilities.
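As an added illustration (not code from the article or from any WAF vendor), the check below shows what "understanding legitimate transactions" looks like in practice: a positive-security profile for a hypothetical application, listing the allowed URL/method pairs, their expected parameters and the session-cookie format, against which each request is compared. The profile, cookie name and 32-hex-digit session ID format are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed profile of one hypothetical Web application: the allow-list a
# positive-model WAF would be configured with or learn from legitimate traffic.
PROFILE = {
    ("GET", "/"):         {"params": set(),                 "needs_session": False},
    ("POST", "/login"):   {"params": {"user", "password"},  "needs_session": False},
    ("GET", "/account"):  {"params": set(),                 "needs_session": True},
}
SESSION_COOKIE = "SID"
# Assumed session ID format: 32 hex digits (a 128-bit random token).
SESSION_ID_RE = re.compile(r"^[A-Fa-f0-9]{32}$")


@dataclass
class Request:
    """Minimal view of an HTTP request: the transaction elements the WAF inspects."""
    method: str
    path: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def check_request(req: Request) -> list:
    """Return the list of profile violations; an empty list means the request conforms."""
    rule = PROFILE.get((req.method, req.path))
    if rule is None:
        # Anything outside the learned URL/method set is rejected outright.
        return [f"unknown URL/method: {req.method} {req.path}"]
    violations = []
    unexpected = set(req.params) - rule["params"]
    if unexpected:
        violations.append(f"unexpected parameters: {sorted(unexpected)}")
    missing = rule["params"] - set(req.params)
    if missing:
        violations.append(f"missing parameters: {sorted(missing)}")
    sid = req.cookies.get(SESSION_COOKIE)
    if rule["needs_session"] and sid is None:
        violations.append("missing session cookie")
    if sid is not None and not SESSION_ID_RE.match(sid):
        violations.append("malformed session ID")
    return violations


if __name__ == "__main__":
    # Constructed sample requests: one conforming, one with a tampered session ID.
    good = Request("GET", "/account", cookies={"SID": "0f" * 16})
    bad = Request("POST", "/login", {"user": "u", "password": "p", "debug": "1"}, {"SID": "zz"})
    print(check_request(good), check_request(bad))
```

Real WAFs build this profile automatically and extend it to cookies, headers and XML/SOAP structure; the example keeps only the URL, method, parameter and session-ID dimensions named above.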