Web application security audits

September 20, 2006, 05:19 PM —  ITworld.com — 

Listen to the column "Web Application Security Audits", or visit our Podcast Center to hear more by James Gaskin.

There are four Web vulnerability scanning tool companies, and one of them, Acunetix, now offers a free audit through a download from its Web site. Through this free service the company has gathered plenty of information about the state of Web development security, even though its product has been on the market for less than a year.

Good news? Off-the-shelf applications do have holes, but the vendor patches them. Bad news? Custom applications don't get patched, and the typical mix of in-house and third-party developer teams means that programming best practices remain a slogan on a poster. About two thirds of the free audits run with the Acunetix utility report high-severity vulnerabilities in the tested Web application.

If you're doing e-commerce and take customer credit cards, the newspaper headlines await your first misstep. No longer are hackers looking for defacement glory; they now look for revenue by ripping off you and your customers.

If management balks at paying for another security service, point out where you already have security: firewalls, desktops, mobile devices, routers, and authentication. Leaving your Web applications insecure makes no more sense than building a brick wall and then hanging a gate made of chain-link fencing in it. Isn't your Web site the public face of your company, receiving thousands of hits per day? Shouldn't it be as secure as possible?

If you're not a programmer, Cross Site Scripting and SQL Injection may not mean much to you. Ask your Webmaster, however, and you'll get a different response. Just make sure he or she isn't eating, or you may have to do the Heimlich maneuver.

Every dynamic component of your Web site must be checked for vulnerabilities: not only the shopping cart, but every form and any other interactive application that takes input from a visitor.
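To make the two problems named above concrete, here is a small added example (written for this page, not code from the column or from Acunetix) of what an audit of a single search form is looking for. It stands up a constructed in-memory customer table, runs the same lookup two ways, and renders the result two ways; the attacker payloads and the table contents are invented for illustration. The vulnerable versions take the visitor's input as SQL and as HTML respectively; the hardened versions bind the input as a query parameter and escape it before it reaches the page.

```python
import html
import sqlite3

# Constructed sample data standing in for a shop's customer table (not real records).
SAMPLE_CUSTOMERS = [("alice", "1111"), ("bob", "2222"), ("carol", "3333")]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    return conn


def search_vulnerable(conn, name):
    """SQL injection: the visitor's input is concatenated into the query text."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, name):
    """Hardened: the input is bound as a parameter, so it can only ever be data."""
    return conn.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name):
    """Cross-site scripting: the input is echoed into the HTML page unchanged."""
    return "<p>Results for " + name + "</p>"


def render_safe(name):
    """Hardened: HTML metacharacters are escaped before the input reaches the page."""
    return "<p>Results for " + html.escape(name, quote=True) + "</p>"


# Hypothetical attacker inputs of the kind a scanner submits to every form field.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def audit_form():
    """Submit both payloads to both versions and report what each one leaked."""
    conn = build_db()
    return {
        # Vulnerable query returns every customer row; the safe one returns none.
        "sqli_vulnerable_rows": len(search_vulnerable(conn, SQLI_PAYLOAD)),
        "sqli_safe_rows": len(search_safe(conn, SQLI_PAYLOAD)),
        # Vulnerable page carries a live <script> tag; the safe one carries &lt;script&gt;.
        "xss_vulnerable_executes": "<script>" in render_vulnerable(XSS_PAYLOAD),
        "xss_safe_executes": "<script>" in render_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for check, result in audit_form().items():
        print(check, result)
```

The point for the non-programmer is the shape of the fix: the hardened versions do not try to spot "bad" input, they stop treating input as code at all. That is also why a scanner has to hit every form, not just the checkout: the same concatenation habit that leaks a customer table from a search box leaks it from a contact form.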

Don't forget your supply chain. Any extranet interfaces provided to suppliers or customers must be verified. If you don't really trust your own employees, how can you trust the employees in another company? Of course, if you're in security, you've learned not to trust anyone.

If you're a history fan, you can remember back to President Reagan talking about a treaty with the Soviet Union. He promised to trust but verify. Sounds like a good approach to your Web site security as well.
