An area of information security that has been gaining much more focus in recent years is the security of web applications. This area is of particular interest because the growing complexity of websites makes them an attractive target for those with malicious intent. Websites draw attackers because they manage bank accounts, handle credit cards, store intellectual property, and hold other data of high value.
Web developers typically do not have any formal training in security, and their priorities usually lie elsewhere. Business functionality and meeting tight deadlines are typically the focus, and security is often forgotten or, at best, treated as an afterthought. This leaves the door wide open for attackers to discover vulnerabilities and exploit them to gain access to sensitive data.
One of the most recent certifications now being offered by the SANS Institute focuses on this area. I had the privilege of taking this particular class and obtaining the certification. The class taught me how to perform a “penetration test” on a web application and exploit the vulnerabilities that are found.
There are plenty of products on the market today that organizations use to run automated scans on their web applications to find vulnerabilities. However, the most effective way to find vulnerabilities in a web application is often to combine this automated testing with manual testing. Automated testing alone frequently yields many false positives, and it takes manual investigation to tell them apart from the real findings.
Overall, I believe the best way to implement web application security within your organization is to incorporate security into the software development life cycle. Fixing security problems in an application after it has already been deployed to production is much more difficult and requires far more time and money than addressing them during development. Security vulnerabilities like Cross-Site Scripting and SQL Injection are all too common in web apps, and these vulnerabilities pose a bigger business risk than many organizations realize.