Web application security audits

By James Gaskin, ITworld.com | Networking


There are four Web vulnerability tool companies, and one, Acunetix (.com) now offers a free audit through a download on their Web site. Through this service, they have gathered plenty of information about the state of Web development security even though they've been a commercial product for less than a year.

Good news? Off-the-shelf applications do have holes, but they get patched by the vendor. Bad news? Custom applications don't get patched, and the typical mix of in-house and third-party developer teams means programming best practices remain a slogan on a poster. About two thirds of the free audits run by the Acunetix utility report high vulnerability on the tested Web application.

If you're doing e-commerce and take customer credit cards, the newspaper headlines await your first misstep. No longer are hackers looking for defacement glory; they now look for revenue by ripping off you and your customers.

If management balks at paying for another security service, point out where you already have security: firewalls, desktops, mobile devices, routers, and authentication. Leaving your Web applications insecure makes no more sense than building a brick wall but using a gate made from chain link fencing. Isn't your Web site the public face of your company, receiving thousands of hits per day? Shouldn't that be as secure as possible?

If you're not a programmer, Cross Site Scripting and SQL Injection may not mean much to you. Ask your Webmaster, however, and you'll get a different response. Just make sure he or she isn't eating, or you may have to do the Heimlich maneuver.

Every dynamic object on your Web site must be checked for vulnerabilities. This includes not only shopping carts but also forms and any other interactive application.
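To make the two flaws the column names concrete, here is an added illustration (not code from the column, from Acunetix, or from any product it mentions): a small form handler written the careless way beside its hardened form, run against a constructed in-memory SQLite table. The table, its rows, the function names and the probe strings are all assumptions chosen for the demonstration; the point is what an audit of a dynamic form would find and how the fix looks.

```python
"""Added illustration, not from the original column: SQL injection and
cross-site scripting in a form handler, each beside its hardened version.
The customers table, its rows, and the function names are constructed
for this example."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an e-commerce customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "1111"), (2, "bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the SQL by string concatenation: the form value becomes part of
    the query text, so a crafted value rewrites the WHERE clause."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the driver passes the value separately from the
    statement, so it can only ever be compared as a literal string."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def render_vulnerable(name: str) -> str:
    """Reflects the submitted value straight into the page (cross-site scripting)."""
    return "<p>Welcome back, " + name + "</p>"


def render_safe(name: str) -> str:
    """Escapes the value so the browser renders it as text, never as markup."""
    return "<p>Welcome back, " + html.escape(name, quote=True) + "</p>"


def audit_demo() -> dict:
    """Runs one textbook probe of each kind through both handlers and reports
    what an auditor would observe; the probe strings are constructed."""
    conn = make_db()
    sql_probe = "' OR '1'='1"
    vuln_rows = lookup_vulnerable(conn, sql_probe)  # every customer row comes back
    safe_rows = lookup_safe(conn, sql_probe)        # no customer has that address
    html_probe = "<script>alert(1)</script>"
    return {
        "sqli_rows_leaked": len(vuln_rows),
        "sqli_rows_safe": len(safe_rows),
        "xss_markup_survives": "<script>" in render_vulnerable(html_probe),
        "xss_markup_escaped": "<script>" not in render_safe(html_probe),
    }


if __name__ == "__main__":
    for finding, value in audit_demo().items():
        print(f"{finding}: {value}")
```

The vulnerable lookup returns the whole customer table for a value no real customer would type, which is exactly the kind of finding a scanner reports as high severity; the parameterised version returns nothing for the same input and still finds a genuine address. The same split applies to output: escaping on the way into the page is what keeps a stored or reflected form value from running as script.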

Don't forget your supply chain. Any extranet interfaces provided to suppliers or customers must be verified. If you don't really trust your own employees, how can you trust the employees in another company? Of course, if you're in security, you've learned not to trust anyone.

If you're a history fan, you can remember back to President Reagan talking about a treaty with the Soviet Union. He promised to trust but verify. Sounds like a good approach to your Web site security as well.
